Windows Analysis Report
dK0SRzWoPq

Overview

General Information

Sample Name: dK0SRzWoPq (renamed file extension from none to exe)
Analysis ID: 620777
MD5: 6f111b596da1ac7d71c4362b18309648
SHA1: e09f8065342a4c8664148bec4b0d9265e7e5842a
SHA256: 285e772a15413afa15e86632327faebaa56ff23d0ca19249c228b2d531e19f96
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign process
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.hsf777.com/m0d4/"], "decoy": ["prettyhairdivas.mobi", "cityblocksnft.com", "laraqiiz.com", "mubarakdigitalmedia.com", "perstockholm.com", "xn--imprio-dva.site", "baigouw.com", "support-client-video.com", "phomas.info", "dengedizayn.com", "zoommachone.xyz", "houseoflancasterhours.com", "petarungslot.website", "tyrs-it.com", "dalianzhuchiren.com", "tenthgenerationtorah.com", "portres.online", "1-minute.store", "shikakunazo.com", "veymes.store", "ruvedaj.xyz", "apremotesamsung.com", "palia.world", "you-sayso.com", "nftsofis.com", "arthamandirialkesindo.com", "bangkhacollections.com", "digitalfactoryinstitut.com", "aceites.info", "altcoinwatcher.com", "pearlsofgraceinc.com", "xianzyw.com", "gxclzs.com", "greenlighteams.com", "aavinya.com", "sans-gluten.store", "clanbeware.com", "protocolohfresco.site", "meredithlobrien.com", "cryoablation.xyz", "avicciibook.com", "toastpack.com", "linktosmutgoeshere.com", "38289.xyz", "xn--08s.com", "techkaisimi.com", "jllpx.com", "dubaicarclinic.com", "zhidao95.com", "aletterboxd.com", "warrantyglobe.com", "mindfeed.pro", "bhreselect.com", "sdfijsdjidf.xyz", "russetconstruction.com", "futternmitflo.com", "triumphgroup.xyz", "tn299td.com", "bulkheadsrestaurantgroup.com", "luvy.world", "h3s4.com", "gamewaycos.com", "totalbodyfit.online", "trendadler.com"]}
Source: dK0SRzWoPq.exe ReversingLabs: Detection: 61%
Source: Yara match File source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe ReversingLabs: Detection: 43%
Source: dK0SRzWoPq.exe Joe Sandbox ML: detected
Source: 2.2.pkypr.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.pkypr.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.pkypr.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.pkypr.exe.2180000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.pkypr.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: dK0SRzWoPq.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: dK0SRzWoPq.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: pkypr.exe, 00000001.00000003.364787710.0000000002420000.00000004.00001000.00020000.00000000.sdmp, pkypr.exe, 00000001.00000003.365556459.0000000002290000.00000004.00001000.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.463986070.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.464909831.0000000000B8F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627628219.000000000510F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627373845.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: pkypr.exe, pkypr.exe, 00000002.00000002.463986070.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.464909831.0000000000B8F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000000D.00000002.627628219.000000000510F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627373845.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL source: pkypr.exe, 00000002.00000002.465895418.00000000028D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdb source: pkypr.exe, 00000002.00000002.465895418.00000000028D0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 4x nop then pop ebx 2_2_00407B47
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 4x nop then pop ebx 2_2_00407B1C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then pop ebx 13_2_030F7B1C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 4x nop then pop ebx 13_2_030F7B47

Networking

Source: C:\Windows\explorer.exe Domain query: www.xianzyw.com
Source: Malware configuration extractor URLs: www.hsf777.com/m0d4/
Source: unknown DNS traffic detected: query: www.baigouw.com reply code: Server failure (2)
Source: unknown DNS traffic detected: query: www.xianzyw.com reply code: Server failure (2)
Source: explorer.exe, 00000003.00000000.428243719.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.375813124.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.497440728.00000000026D0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ns.adobY
Source: dK0SRzWoPq.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: www.xianzyw.com
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056A8

E-Banking Fraud

Source: Yara match File source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: dK0SRzWoPq.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 0501B150 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: String function: 00A9B150 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041A350 NtCreateFile, 2_2_0041A350
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041A400 NtReadFile, 2_2_0041A400
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041A480 NtClose, 2_2_0041A480
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041A530 NtAllocateVirtualMemory, 2_2_0041A530
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041A34A NtCreateFile, 2_2_0041A34A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041A3A2 NtCreateFile, 2_2_0041A3A2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041A52A NtAllocateVirtualMemory, 2_2_0041A52A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD98F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_00AD98F0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00AD9860
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9840 NtDelayExecution,LdrInitializeThunk, 2_2_00AD9840
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD99A0 NtCreateSection,LdrInitializeThunk, 2_2_00AD99A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_00AD9910
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9A20 NtResumeThread,LdrInitializeThunk, 2_2_00AD9A20
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00AD9A00
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9A50 NtCreateFile,LdrInitializeThunk, 2_2_00AD9A50
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD95D0 NtClose,LdrInitializeThunk, 2_2_00AD95D0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9540 NtReadFile,LdrInitializeThunk, 2_2_00AD9540
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00AD96E0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_00AD9660
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_00AD97A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9780 NtMapViewOfSection,LdrInitializeThunk, 2_2_00AD9780
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9710 NtQueryInformationToken,LdrInitializeThunk, 2_2_00AD9710
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD98A0 NtWriteVirtualMemory, 2_2_00AD98A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9820 NtEnumerateKey, 2_2_00AD9820
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ADB040 NtSuspendThread, 2_2_00ADB040
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD99D0 NtCreateProcessEx, 2_2_00AD99D0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9950 NtQueueApcThread, 2_2_00AD9950
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9A80 NtOpenDirectoryObject, 2_2_00AD9A80
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9A10 NtQuerySection, 2_2_00AD9A10
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ADA3B0 NtGetContextThread, 2_2_00ADA3B0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9B00 NtSetValueKey, 2_2_00AD9B00
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD95F0 NtQueryInformationFile, 2_2_00AD95F0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9520 NtWaitForSingleObject, 2_2_00AD9520
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ADAD30 NtSetContextThread, 2_2_00ADAD30
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9560 NtWriteFile, 2_2_00AD9560
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD96D0 NtCreateKey, 2_2_00AD96D0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9610 NtEnumerateValueKey, 2_2_00AD9610
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9670 NtQueryInformationProcess, 2_2_00AD9670
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9650 NtQueryValueKey, 2_2_00AD9650
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9FE0 NtCreateMutant, 2_2_00AD9FE0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9730 NtQueryVirtualMemory, 2_2_00AD9730
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ADA710 NtOpenProcessToken, 2_2_00ADA710
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9760 NtOpenProcess, 2_2_00AD9760
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD9770 NtSetInformationFile, 2_2_00AD9770
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ADA770 NtOpenThread, 2_2_00ADA770
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059540 NtReadFile,LdrInitializeThunk, 13_2_05059540
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050595D0 NtClose,LdrInitializeThunk, 13_2_050595D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059710 NtQueryInformationToken,LdrInitializeThunk, 13_2_05059710
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059780 NtMapViewOfSection,LdrInitializeThunk, 13_2_05059780
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059FE0 NtCreateMutant,LdrInitializeThunk, 13_2_05059FE0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059650 NtQueryValueKey,LdrInitializeThunk, 13_2_05059650
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_05059660
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050596D0 NtCreateKey,LdrInitializeThunk, 13_2_050596D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050596E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_050596E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_05059910
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050599A0 NtCreateSection,LdrInitializeThunk, 13_2_050599A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059840 NtDelayExecution,LdrInitializeThunk, 13_2_05059840
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_05059860
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059A50 NtCreateFile,LdrInitializeThunk, 13_2_05059A50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059520 NtWaitForSingleObject, 13_2_05059520
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0505AD30 NtSetContextThread, 13_2_0505AD30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059560 NtWriteFile, 13_2_05059560
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050595F0 NtQueryInformationFile, 13_2_050595F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0505A710 NtOpenProcessToken, 13_2_0505A710
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059730 NtQueryVirtualMemory, 13_2_05059730
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059760 NtOpenProcess, 13_2_05059760
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0505A770 NtOpenThread, 13_2_0505A770
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059770 NtSetInformationFile, 13_2_05059770
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050597A0 NtUnmapViewOfSection, 13_2_050597A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059610 NtEnumerateValueKey, 13_2_05059610
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059670 NtQueryInformationProcess, 13_2_05059670
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059950 NtQueueApcThread, 13_2_05059950
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050599D0 NtCreateProcessEx, 13_2_050599D0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059820 NtEnumerateKey, 13_2_05059820
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0505B040 NtSuspendThread, 13_2_0505B040
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050598A0 NtWriteVirtualMemory, 13_2_050598A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050598F0 NtReadVirtualMemory, 13_2_050598F0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059B00 NtSetValueKey, 13_2_05059B00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0505A3B0 NtGetContextThread, 13_2_0505A3B0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059A00 NtProtectVirtualMemory, 13_2_05059A00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059A10 NtQuerySection, 13_2_05059A10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059A20 NtResumeThread, 13_2_05059A20
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05059A80 NtOpenDirectoryObject, 13_2_05059A80
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310A350 NtCreateFile, 13_2_0310A350
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310A530 NtAllocateVirtualMemory, 13_2_0310A530
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310A400 NtReadFile, 13_2_0310A400
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310A480 NtClose, 13_2_0310A480
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310A34A NtCreateFile, 13_2_0310A34A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310A3A2 NtCreateFile, 13_2_0310A3A2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310A52A NtAllocateVirtualMemory, 13_2_0310A52A
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\pkypr.exe 99B049D5615612C79DA226823C3B8D173E66E73BB1C99D0215282274685162ED
Source: dK0SRzWoPq.exe ReversingLabs: Detection: 61%
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe File read: C:\Users\user\Desktop\dK0SRzWoPq.exe
Source: dK0SRzWoPq.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\dK0SRzWoPq.exe "C:\Users\user\Desktop\dK0SRzWoPq.exe"
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Process created: C:\Users\user\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Process created: C:\Users\user\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user~1\AppData\Local\Temp\pkypr.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe File created: C:\Users\user~1\AppData\Local\Temp\nsa9F70.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/3@8/0
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404954
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: dK0SRzWoPq.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: pkypr.exe, 00000001.00000003.364787710.0000000002420000.00000004.00001000.00020000.00000000.sdmp, pkypr.exe, 00000001.00000003.365556459.0000000002290000.00000004.00001000.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.463986070.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.464909831.0000000000B8F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627628219.000000000510F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627373845.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: pkypr.exe, pkypr.exe, 00000002.00000002.463986070.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.464909831.0000000000B8F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000000D.00000002.627628219.000000000510F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627373845.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL source: pkypr.exe, 00000002.00000002.465895418.00000000028D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdb source: pkypr.exe, 00000002.00000002.465895418.00000000028D0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0040E26B push ds; ret 2_2_0040E2E6
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0040E270 push ds; ret 2_2_0040E2E6
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00409BF3 push ebp; retf 2_2_00409BFC
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00416424 push ecx; iretd 2_2_0041642D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041642E push ecx; iretd 2_2_0041642D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041D4F2 push eax; ret 2_2_0041D4F8
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041D4FB push eax; ret 2_2_0041D562
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00417CA2 push A91014B2h; retf 2_2_00417CA9
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041D4A5 push eax; ret 2_2_0041D4F8
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041D55C push eax; ret 2_2_0041D562
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_004175C8 push edi; ret 2_2_00417619
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_004175D0 push edi; ret 2_2_00417619
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0041761B push edi; ret 2_2_00417619
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AED0D1 push ecx; ret 2_2_00AED0E4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0506D0D1 push ecx; ret 13_2_0506D0E4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_030F9BF3 push ebp; retf 13_2_030F9BFC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_030FE26B push ds; ret 13_2_030FE2E6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_030FE270 push ds; ret 13_2_030FE2E6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310761B push edi; ret 13_2_03107619
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310D55C push eax; ret 13_2_0310D562
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_031075D0 push edi; ret 13_2_03107619
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_031075C8 push edi; ret 13_2_03107619
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_03106424 push ecx; iretd 13_2_0310642D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310642E push ecx; iretd 13_2_0310642D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_03107CA2 push A91014B2h; retf 13_2_03107CA9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310D4A5 push eax; ret 13_2_0310D4F8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310D4F2 push eax; ret 13_2_0310D4F8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0310D4FB push eax; ret 13_2_0310D562
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe File created: C:\Users\user\AppData\Local\Temp\pkypr.exe

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xED
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000030F9904 second address: 00000000030F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000030F9B6E second address: 00000000030F9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\mstsc.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe API coverage: 7.7 %
Source: C:\Windows\SysWOW64\mstsc.exe API coverage: 8.9 %
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C13
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_0040683D FindFirstFileW,FindClose, 0_2_0040683D
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000003.00000000.440339588.0000000006389000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.416679586.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000003.00000000.416679586.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.377017359.0000000004150000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: explorer.exe, 00000003.00000000.416679586.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i&
Source: explorer.exe, 00000003.00000000.391145511.0000000007D2A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.416679586.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00Iy
Source: explorer.exe, 00000003.00000000.416911177.0000000007CC2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000v
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00409AA0 rdtsc 2_2_00409AA0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
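The RDTSC interceptor lines above report one four-instruction timing probe (rdtsc; xor ecx, ecx; add ecx, eax; rdtsc) at two places in pkypr.exe (0x409904, 0x409B6E) and at the same low addresses in the hollowed mstsc.exe (0x30F9904, 0x30F9B6E); the "mov eax, dword ptr fs:[00000030h]" lines that follow are reads of the PEB pointer out of the TEB. The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses the interceptor lines, checks that the reported offsets agree with the 32-bit x86 instruction lengths, confirms that the pkypr.exe and mstsc.exe addresses differ by a whole number of 64 KiB allocation granules (the same code mapped at another base, as the process-hollowing signature in the overview would predict), and turns the sequence plus the two PEB-read encodings into byte signatures that can be run over a memory dump. The two report lines are copied from this page; the scanned buffer is constructed in the code and is not a real dump, and the 0x400000 image base used to derive the RVA is an assumption.

```python
"""Added example (not from the Joe Sandbox report or the sample): parse the
RDTSC interceptor findings, sanity-check them against x86 encodings, and
derive byte signatures for the rdtsc pair and the fs:[30h] PEB reads."""
import re
from dataclasses import dataclass

# Two RDTSC interceptor lines copied verbatim from the report.
REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\pkypr.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    r"Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000030F9904 second address: 00000000030F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
]

# 32-bit x86 encodings of the reported instructions.
ENC = {
    "rdtsc": b"\x0f\x31",
    "xor ecx, ecx": b"\x31\xc9",
    "add ecx, eax": b"\x01\xc1",
}
# The two forms of PEB-pointer read (TEB+0x30) listed in the report.
PEB_READS = {
    "mov eax, dword ptr fs:[00000030h]": b"\x64\xa1\x30\x00\x00\x00",
    "mov ecx, dword ptr fs:[00000030h]": b"\x64\x8b\x0d\x30\x00\x00\x00",
}
ALLOC_GRANULARITY = 0x10000  # Windows allocation granularity for mapped images

RDTSC_RE = re.compile(
    r"Source: (?P<proc>\S+) RDTSC instruction interceptor: "
    r"First address: (?P<first>[0-9A-Fa-f]+) second address: (?P<second>[0-9A-Fa-f]+) "
    r"instructions: (?P<ins>.+)$"
)


@dataclass
class RdtscFinding:
    process: str
    first: int
    second: int
    instructions: list  # [(offset_from_first, mnemonic)]


def parse_rdtsc_finding(line: str) -> RdtscFinding:
    """Split one interceptor line into addresses and (offset, mnemonic) pairs."""
    m = RDTSC_RE.search(line)
    if m is None:
        raise ValueError("not an RDTSC interceptor line")
    parts = re.split(r"0x([0-9A-Fa-f]{8}) ", m.group("ins"))
    offsets = [int(o, 16) for o in parts[1::2]]
    mnemonics = [s.strip() for s in parts[2::2]]
    return RdtscFinding(m.group("proc"), int(m.group("first"), 16),
                        int(m.group("second"), 16), list(zip(offsets, mnemonics)))


def encode(finding: RdtscFinding) -> bytes:
    """Re-assemble the reported sequence into the bytes a scanner should look for."""
    return b"".join(ENC[mnem] for _, mnem in finding.instructions)


def offsets_consistent(finding: RdtscFinding) -> bool:
    """Offsets must follow from the instruction lengths, and the second rdtsc
    must sit exactly at second_address - first_address."""
    pos = 0
    for off, mnem in finding.instructions:
        if off != pos:
            return False
        pos += len(ENC[mnem])
    last_off, last_mnem = finding.instructions[-1]
    return last_mnem == "rdtsc" and finding.second - finding.first == last_off


def same_code_relocated(a: RdtscFinding, b: RdtscFinding) -> bool:
    """Same sequence at addresses differing by whole 64 KiB granules: the same
    image mapped at another base, as hollowing the payload into mstsc.exe produces."""
    return (a.instructions == b.instructions
            and (a.first - b.first) % ALLOC_GRANULARITY == 0)


def scan(buf: bytes, signatures: dict) -> list:
    """Return (name, offset) for every occurrence of every signature."""
    hits = []
    for name, sig in signatures.items():
        start = 0
        while (i := buf.find(sig, start)) != -1:
            hits.append((name, i))
            start = i + 1
    return sorted(hits, key=lambda h: h[1])


def build_sample_image() -> bytes:
    """Constructed buffer, not a real dump: int3 filler up to RVA 0x9904 (report
    address minus an assumed 0x400000 base), the rdtsc pair, then one PEB read of
    each form (the first followed by mov eax,[eax+0Ch], i.e. PEB.Ldr)."""
    img = bytearray(b"\xcc" * 0x9904)
    img += encode(parse_rdtsc_finding(REPORT_LINES[0]))
    img += b"\x90" * 16
    img += PEB_READS["mov eax, dword ptr fs:[00000030h]"] + b"\x8b\x40\x0c"
    img += PEB_READS["mov ecx, dword ptr fs:[00000030h]"]
    return bytes(img)


def scan_sample() -> dict:
    """Run all signatures over the constructed image; returns {name: offset}."""
    sigs = {"rdtsc-pair": encode(parse_rdtsc_finding(REPORT_LINES[0])), **PEB_READS}
    return dict(scan(build_sample_image(), sigs))


if __name__ == "__main__":
    f0, f1 = (parse_rdtsc_finding(l) for l in REPORT_LINES)
    print("offsets consistent:", offsets_consistent(f0), offsets_consistent(f1))
    print("relocated copy of same code:", same_code_relocated(f0, f1))
    print("rdtsc-pair signature:", encode(f0).hex())
    for name, off in scan_sample().items():
        print(f"{name:40s} at RVA 0x{off:X}")
```

The rdtsc pair alone is only a timing primitive; what makes it an evasion is the comparison of the two counter values that follows it, which the interceptor does not show, so treat a hit as a lead to disassemble rather than a verdict. Note also that the VMware device strings in this section are sourced from explorer.exe's own memory dumps (the 00000003.00000000 prefix is the explorer.exe process), so they show that the analysis VM is identifiable, not that pkypr.exe or mstsc.exe read them.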
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 1_2_021703F8 mov eax, dword ptr fs:[00000030h] 1_2_021703F8
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 1_2_0217061D mov eax, dword ptr fs:[00000030h] 1_2_0217061D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 1_2_021706F7 mov eax, dword ptr fs:[00000030h] 1_2_021706F7
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 1_2_02170736 mov eax, dword ptr fs:[00000030h] 1_2_02170736
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 1_2_02170772 mov eax, dword ptr fs:[00000030h] 1_2_02170772
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD90AF mov eax, dword ptr fs:[00000030h] 2_2_00AD90AF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AC20A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AC20A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AC20A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AC20A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AC20A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AC20A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACF0BF mov ecx, dword ptr fs:[00000030h] 2_2_00ACF0BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACF0BF mov eax, dword ptr fs:[00000030h] 2_2_00ACF0BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACF0BF mov eax, dword ptr fs:[00000030h] 2_2_00ACF0BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A99080 mov eax, dword ptr fs:[00000030h] 2_2_00A99080
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B13884 mov eax, dword ptr fs:[00000030h] 2_2_00B13884
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B13884 mov eax, dword ptr fs:[00000030h] 2_2_00B13884
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A958EC mov eax, dword ptr fs:[00000030h] 2_2_00A958EC
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A940E1 mov eax, dword ptr fs:[00000030h] 2_2_00A940E1
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A940E1 mov eax, dword ptr fs:[00000030h] 2_2_00A940E1
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A940E1 mov eax, dword ptr fs:[00000030h] 2_2_00A940E1
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABB8E4 mov eax, dword ptr fs:[00000030h] 2_2_00ABB8E4
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABB8E4 mov eax, dword ptr fs:[00000030h] 2_2_00ABB8E4
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B2B8D0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00B2B8D0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B2B8D0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B2B8D0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B2B8D0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B2B8D0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAB02A mov eax, dword ptr fs:[00000030h] 2_2_00AAB02A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAB02A mov eax, dword ptr fs:[00000030h] 2_2_00AAB02A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAB02A mov eax, dword ptr fs:[00000030h] 2_2_00AAB02A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAB02A mov eax, dword ptr fs:[00000030h] 2_2_00AAB02A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h] 2_2_00AC002D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h] 2_2_00AC002D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h] 2_2_00AC002D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h] 2_2_00AC002D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h] 2_2_00AC002D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA830 mov eax, dword ptr fs:[00000030h] 2_2_00ABA830
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA830 mov eax, dword ptr fs:[00000030h] 2_2_00ABA830
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA830 mov eax, dword ptr fs:[00000030h] 2_2_00ABA830
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA830 mov eax, dword ptr fs:[00000030h] 2_2_00ABA830
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B64015 mov eax, dword ptr fs:[00000030h] 2_2_00B64015
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B64015 mov eax, dword ptr fs:[00000030h] 2_2_00B64015
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B17016 mov eax, dword ptr fs:[00000030h] 2_2_00B17016
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B17016 mov eax, dword ptr fs:[00000030h] 2_2_00B17016
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B17016 mov eax, dword ptr fs:[00000030h] 2_2_00B17016
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B61074 mov eax, dword ptr fs:[00000030h] 2_2_00B61074
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B52073 mov eax, dword ptr fs:[00000030h] 2_2_00B52073
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB0050 mov eax, dword ptr fs:[00000030h] 2_2_00AB0050
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB0050 mov eax, dword ptr fs:[00000030h] 2_2_00AB0050
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC61A0 mov eax, dword ptr fs:[00000030h] 2_2_00AC61A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC61A0 mov eax, dword ptr fs:[00000030h] 2_2_00AC61A0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B151BE mov eax, dword ptr fs:[00000030h] 2_2_00B151BE
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B151BE mov eax, dword ptr fs:[00000030h] 2_2_00B151BE
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B151BE mov eax, dword ptr fs:[00000030h] 2_2_00B151BE
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B151BE mov eax, dword ptr fs:[00000030h] 2_2_00B151BE
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B549A4 mov eax, dword ptr fs:[00000030h] 2_2_00B549A4
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B549A4 mov eax, dword ptr fs:[00000030h] 2_2_00B549A4
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B549A4 mov eax, dword ptr fs:[00000030h] 2_2_00B549A4
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B549A4 mov eax, dword ptr fs:[00000030h] 2_2_00B549A4
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov eax, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov eax, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov eax, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB99BF mov eax, dword ptr fs:[00000030h] 2_2_00AB99BF
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B169A6 mov eax, dword ptr fs:[00000030h] 2_2_00B169A6
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACA185 mov eax, dword ptr fs:[00000030h] 2_2_00ACA185
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABC182 mov eax, dword ptr fs:[00000030h] 2_2_00ABC182
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC2990 mov eax, dword ptr fs:[00000030h] 2_2_00AC2990
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9B1E1 mov eax, dword ptr fs:[00000030h] 2_2_00A9B1E1
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9B1E1 mov eax, dword ptr fs:[00000030h] 2_2_00A9B1E1
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9B1E1 mov eax, dword ptr fs:[00000030h] 2_2_00A9B1E1
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B241E8 mov eax, dword ptr fs:[00000030h] 2_2_00B241E8
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB4120 mov eax, dword ptr fs:[00000030h] 2_2_00AB4120
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB4120 mov eax, dword ptr fs:[00000030h] 2_2_00AB4120
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB4120 mov eax, dword ptr fs:[00000030h] 2_2_00AB4120
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB4120 mov eax, dword ptr fs:[00000030h] 2_2_00AB4120
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB4120 mov ecx, dword ptr fs:[00000030h] 2_2_00AB4120
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC513A mov eax, dword ptr fs:[00000030h] 2_2_00AC513A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC513A mov eax, dword ptr fs:[00000030h] 2_2_00AC513A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A99100 mov eax, dword ptr fs:[00000030h] 2_2_00A99100
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A99100 mov eax, dword ptr fs:[00000030h] 2_2_00A99100
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A99100 mov eax, dword ptr fs:[00000030h] 2_2_00A99100
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9C962 mov eax, dword ptr fs:[00000030h] 2_2_00A9C962
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9B171 mov eax, dword ptr fs:[00000030h] 2_2_00A9B171
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9B171 mov eax, dword ptr fs:[00000030h] 2_2_00A9B171
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABB944 mov eax, dword ptr fs:[00000030h] 2_2_00ABB944
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABB944 mov eax, dword ptr fs:[00000030h] 2_2_00ABB944
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h] 2_2_00A952A5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h] 2_2_00A952A5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h] 2_2_00A952A5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h] 2_2_00A952A5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h] 2_2_00A952A5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAAAB0 mov eax, dword ptr fs:[00000030h] 2_2_00AAAAB0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAAAB0 mov eax, dword ptr fs:[00000030h] 2_2_00AAAAB0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACFAB0 mov eax, dword ptr fs:[00000030h] 2_2_00ACFAB0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACD294 mov eax, dword ptr fs:[00000030h] 2_2_00ACD294
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACD294 mov eax, dword ptr fs:[00000030h] 2_2_00ACD294
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC2AE4 mov eax, dword ptr fs:[00000030h] 2_2_00AC2AE4
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC2ACB mov eax, dword ptr fs:[00000030h] 2_2_00AC2ACB
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD4A2C mov eax, dword ptr fs:[00000030h] 2_2_00AD4A2C
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD4A2C mov eax, dword ptr fs:[00000030h] 2_2_00AD4A2C
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h] 2_2_00ABA229
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h] 2_2_00ABA229
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h] 2_2_00ABA229
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h] 2_2_00ABA229
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h] 2_2_00ABA229
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h] 2_2_00ABA229
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h] 2_2_00ABA229
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h] 2_2_00ABA229
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h] 2_2_00ABA229
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA8A0A mov eax, dword ptr fs:[00000030h] 2_2_00AA8A0A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5AA16 mov eax, dword ptr fs:[00000030h] 2_2_00B5AA16
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5AA16 mov eax, dword ptr fs:[00000030h] 2_2_00B5AA16
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB3A1C mov eax, dword ptr fs:[00000030h] 2_2_00AB3A1C
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A95210 mov eax, dword ptr fs:[00000030h] 2_2_00A95210
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A95210 mov ecx, dword ptr fs:[00000030h] 2_2_00A95210
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A95210 mov eax, dword ptr fs:[00000030h] 2_2_00A95210
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A95210 mov eax, dword ptr fs:[00000030h] 2_2_00A95210
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9AA16 mov eax, dword ptr fs:[00000030h] 2_2_00A9AA16
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9AA16 mov eax, dword ptr fs:[00000030h] 2_2_00A9AA16
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B4B260 mov eax, dword ptr fs:[00000030h] 2_2_00B4B260
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B4B260 mov eax, dword ptr fs:[00000030h] 2_2_00B4B260
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B68A62 mov eax, dword ptr fs:[00000030h] 2_2_00B68A62
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD927A mov eax, dword ptr fs:[00000030h] 2_2_00AD927A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5EA55 mov eax, dword ptr fs:[00000030h] 2_2_00B5EA55
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B24257 mov eax, dword ptr fs:[00000030h] 2_2_00B24257
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A99240 mov eax, dword ptr fs:[00000030h] 2_2_00A99240
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A99240 mov eax, dword ptr fs:[00000030h] 2_2_00A99240
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A99240 mov eax, dword ptr fs:[00000030h] 2_2_00A99240
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A99240 mov eax, dword ptr fs:[00000030h] 2_2_00A99240
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC4BAD mov eax, dword ptr fs:[00000030h] 2_2_00AC4BAD
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC4BAD mov eax, dword ptr fs:[00000030h] 2_2_00AC4BAD
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC4BAD mov eax, dword ptr fs:[00000030h] 2_2_00AC4BAD
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B65BA5 mov eax, dword ptr fs:[00000030h] 2_2_00B65BA5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA1B8F mov eax, dword ptr fs:[00000030h] 2_2_00AA1B8F
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA1B8F mov eax, dword ptr fs:[00000030h] 2_2_00AA1B8F
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B4D380 mov ecx, dword ptr fs:[00000030h] 2_2_00B4D380
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC2397 mov eax, dword ptr fs:[00000030h] 2_2_00AC2397
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACB390 mov eax, dword ptr fs:[00000030h] 2_2_00ACB390
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5138A mov eax, dword ptr fs:[00000030h] 2_2_00B5138A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABDBE9 mov eax, dword ptr fs:[00000030h] 2_2_00ABDBE9
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AC03E2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AC03E2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AC03E2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AC03E2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AC03E2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AC03E2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B153CA mov eax, dword ptr fs:[00000030h] 2_2_00B153CA
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B153CA mov eax, dword ptr fs:[00000030h] 2_2_00B153CA
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5131B mov eax, dword ptr fs:[00000030h] 2_2_00B5131B
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9DB60 mov ecx, dword ptr fs:[00000030h] 2_2_00A9DB60
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC3B7A mov eax, dword ptr fs:[00000030h] 2_2_00AC3B7A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC3B7A mov eax, dword ptr fs:[00000030h] 2_2_00AC3B7A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9DB40 mov eax, dword ptr fs:[00000030h] 2_2_00A9DB40
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B68B58 mov eax, dword ptr fs:[00000030h] 2_2_00B68B58
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9F358 mov eax, dword ptr fs:[00000030h] 2_2_00A9F358
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA849B mov eax, dword ptr fs:[00000030h] 2_2_00AA849B
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16CF0 mov eax, dword ptr fs:[00000030h] 2_2_00B16CF0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16CF0 mov eax, dword ptr fs:[00000030h] 2_2_00B16CF0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16CF0 mov eax, dword ptr fs:[00000030h] 2_2_00B16CF0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B514FB mov eax, dword ptr fs:[00000030h] 2_2_00B514FB
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B68CD6 mov eax, dword ptr fs:[00000030h] 2_2_00B68CD6
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACBC2C mov eax, dword ptr fs:[00000030h] 2_2_00ACBC2C
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51C06 mov eax, dword ptr fs:[00000030h] 2_2_00B51C06
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B6740D mov eax, dword ptr fs:[00000030h] 2_2_00B6740D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B6740D mov eax, dword ptr fs:[00000030h] 2_2_00B6740D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B6740D mov eax, dword ptr fs:[00000030h] 2_2_00B6740D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16C0A mov eax, dword ptr fs:[00000030h] 2_2_00B16C0A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16C0A mov eax, dword ptr fs:[00000030h] 2_2_00B16C0A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16C0A mov eax, dword ptr fs:[00000030h] 2_2_00B16C0A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16C0A mov eax, dword ptr fs:[00000030h] 2_2_00B16C0A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB746D mov eax, dword ptr fs:[00000030h] 2_2_00AB746D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2C450 mov eax, dword ptr fs:[00000030h] 2_2_00B2C450
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2C450 mov eax, dword ptr fs:[00000030h] 2_2_00B2C450
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACA44B mov eax, dword ptr fs:[00000030h] 2_2_00ACA44B
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC35A1 mov eax, dword ptr fs:[00000030h] 2_2_00AC35A1
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC1DB5 mov eax, dword ptr fs:[00000030h] 2_2_00AC1DB5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC1DB5 mov eax, dword ptr fs:[00000030h] 2_2_00AC1DB5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC1DB5 mov eax, dword ptr fs:[00000030h] 2_2_00AC1DB5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B605AC mov eax, dword ptr fs:[00000030h] 2_2_00B605AC
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B605AC mov eax, dword ptr fs:[00000030h] 2_2_00B605AC
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A92D8A mov eax, dword ptr fs:[00000030h] 2_2_00A92D8A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A92D8A mov eax, dword ptr fs:[00000030h] 2_2_00A92D8A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A92D8A mov eax, dword ptr fs:[00000030h] 2_2_00A92D8A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A92D8A mov eax, dword ptr fs:[00000030h] 2_2_00A92D8A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A92D8A mov eax, dword ptr fs:[00000030h] 2_2_00A92D8A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC2581 mov eax, dword ptr fs:[00000030h] 2_2_00AC2581
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC2581 mov eax, dword ptr fs:[00000030h] 2_2_00AC2581
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC2581 mov eax, dword ptr fs:[00000030h] 2_2_00AC2581
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC2581 mov eax, dword ptr fs:[00000030h] 2_2_00AC2581
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACFD9B mov eax, dword ptr fs:[00000030h] 2_2_00ACFD9B
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACFD9B mov eax, dword ptr fs:[00000030h] 2_2_00ACFD9B
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B48DF1 mov eax, dword ptr fs:[00000030h] 2_2_00B48DF1
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAD5E0 mov eax, dword ptr fs:[00000030h] 2_2_00AAD5E0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAD5E0 mov eax, dword ptr fs:[00000030h] 2_2_00AAD5E0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5FDE2 mov eax, dword ptr fs:[00000030h] 2_2_00B5FDE2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5FDE2 mov eax, dword ptr fs:[00000030h] 2_2_00B5FDE2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5FDE2 mov eax, dword ptr fs:[00000030h] 2_2_00B5FDE2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5FDE2 mov eax, dword ptr fs:[00000030h] 2_2_00B5FDE2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B16DC9
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B16DC9
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B16DC9
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16DC9 mov ecx, dword ptr fs:[00000030h] 2_2_00B16DC9
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B16DC9
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B16DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B16DC9
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B68D34 mov eax, dword ptr fs:[00000030h] 2_2_00B68D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B1A537 mov eax, dword ptr fs:[00000030h] 2_2_00B1A537
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5E539 mov eax, dword ptr fs:[00000030h] 2_2_00B5E539
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC4D3B mov eax, dword ptr fs:[00000030h] 2_2_00AC4D3B
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC4D3B mov eax, dword ptr fs:[00000030h] 2_2_00AC4D3B
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC4D3B mov eax, dword ptr fs:[00000030h] 2_2_00AC4D3B
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9AD30 mov eax, dword ptr fs:[00000030h] 2_2_00A9AD30
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AA3D34
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABC577 mov eax, dword ptr fs:[00000030h] 2_2_00ABC577
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABC577 mov eax, dword ptr fs:[00000030h] 2_2_00ABC577
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD3D43 mov eax, dword ptr fs:[00000030h] 2_2_00AD3D43
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B13540 mov eax, dword ptr fs:[00000030h] 2_2_00B13540
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B43D40 mov eax, dword ptr fs:[00000030h] 2_2_00B43D40
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AB7D50 mov eax, dword ptr fs:[00000030h] 2_2_00AB7D50
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B60EA5 mov eax, dword ptr fs:[00000030h] 2_2_00B60EA5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B60EA5 mov eax, dword ptr fs:[00000030h] 2_2_00B60EA5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B60EA5 mov eax, dword ptr fs:[00000030h] 2_2_00B60EA5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B146A7 mov eax, dword ptr fs:[00000030h] 2_2_00B146A7
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2FE87 mov eax, dword ptr fs:[00000030h] 2_2_00B2FE87
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA76E2 mov eax, dword ptr fs:[00000030h] 2_2_00AA76E2
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC16E0 mov ecx, dword ptr fs:[00000030h] 2_2_00AC16E0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B68ED6 mov eax, dword ptr fs:[00000030h] 2_2_00B68ED6
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC36CC mov eax, dword ptr fs:[00000030h] 2_2_00AC36CC
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD8EC7 mov eax, dword ptr fs:[00000030h] 2_2_00AD8EC7
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B4FEC0 mov eax, dword ptr fs:[00000030h] 2_2_00B4FEC0
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9E620 mov eax, dword ptr fs:[00000030h] 2_2_00A9E620
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B4FE3F mov eax, dword ptr fs:[00000030h] 2_2_00B4FE3F
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9C600 mov eax, dword ptr fs:[00000030h] 2_2_00A9C600
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9C600 mov eax, dword ptr fs:[00000030h] 2_2_00A9C600
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A9C600 mov eax, dword ptr fs:[00000030h] 2_2_00A9C600
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AC8E00 mov eax, dword ptr fs:[00000030h] 2_2_00AC8E00
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACA61C mov eax, dword ptr fs:[00000030h] 2_2_00ACA61C
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACA61C mov eax, dword ptr fs:[00000030h] 2_2_00ACA61C
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B51608 mov eax, dword ptr fs:[00000030h] 2_2_00B51608
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA766D mov eax, dword ptr fs:[00000030h] 2_2_00AA766D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ABAE73
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ABAE73
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ABAE73
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ABAE73
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ABAE73
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AA7E41
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AA7E41
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AA7E41
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AA7E41
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AA7E41
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AA7E41
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5AE44 mov eax, dword ptr fs:[00000030h] 2_2_00B5AE44
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B5AE44 mov eax, dword ptr fs:[00000030h] 2_2_00B5AE44
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B17794 mov eax, dword ptr fs:[00000030h] 2_2_00B17794
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B17794 mov eax, dword ptr fs:[00000030h] 2_2_00B17794
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B17794 mov eax, dword ptr fs:[00000030h] 2_2_00B17794
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AA8794 mov eax, dword ptr fs:[00000030h] 2_2_00AA8794
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AD37F5 mov eax, dword ptr fs:[00000030h] 2_2_00AD37F5
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A94F2E mov eax, dword ptr fs:[00000030h] 2_2_00A94F2E
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00A94F2E mov eax, dword ptr fs:[00000030h] 2_2_00A94F2E
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABB73D mov eax, dword ptr fs:[00000030h] 2_2_00ABB73D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABB73D mov eax, dword ptr fs:[00000030h] 2_2_00ABB73D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACE730 mov eax, dword ptr fs:[00000030h] 2_2_00ACE730
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2FF10 mov eax, dword ptr fs:[00000030h] 2_2_00B2FF10
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B2FF10 mov eax, dword ptr fs:[00000030h] 2_2_00B2FF10
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACA70E mov eax, dword ptr fs:[00000030h] 2_2_00ACA70E
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ACA70E mov eax, dword ptr fs:[00000030h] 2_2_00ACA70E
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B6070D mov eax, dword ptr fs:[00000030h] 2_2_00B6070D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B6070D mov eax, dword ptr fs:[00000030h] 2_2_00B6070D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00ABF716 mov eax, dword ptr fs:[00000030h] 2_2_00ABF716
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAFF60 mov eax, dword ptr fs:[00000030h] 2_2_00AAFF60
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00B68F6A mov eax, dword ptr fs:[00000030h] 2_2_00B68F6A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_00AAEF40 mov eax, dword ptr fs:[00000030h] 2_2_00AAEF40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501AD30 mov eax, dword ptr fs:[00000030h] 13_2_0501AD30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050DE539 mov eax, dword ptr fs:[00000030h] 13_2_050DE539
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05023D34 mov eax, dword ptr fs:[00000030h] 13_2_05023D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E8D34 mov eax, dword ptr fs:[00000030h] 13_2_050E8D34
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0509A537 mov eax, dword ptr fs:[00000030h] 13_2_0509A537
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05044D3B mov eax, dword ptr fs:[00000030h] 13_2_05044D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05044D3B mov eax, dword ptr fs:[00000030h] 13_2_05044D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05044D3B mov eax, dword ptr fs:[00000030h] 13_2_05044D3B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05053D43 mov eax, dword ptr fs:[00000030h] 13_2_05053D43
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05093540 mov eax, dword ptr fs:[00000030h] 13_2_05093540
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050C3D40 mov eax, dword ptr fs:[00000030h] 13_2_050C3D40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05037D50 mov eax, dword ptr fs:[00000030h] 13_2_05037D50
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503C577 mov eax, dword ptr fs:[00000030h] 13_2_0503C577
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503C577 mov eax, dword ptr fs:[00000030h] 13_2_0503C577
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05042581 mov eax, dword ptr fs:[00000030h] 13_2_05042581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05042581 mov eax, dword ptr fs:[00000030h] 13_2_05042581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05042581 mov eax, dword ptr fs:[00000030h] 13_2_05042581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05042581 mov eax, dword ptr fs:[00000030h] 13_2_05042581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05012D8A mov eax, dword ptr fs:[00000030h] 13_2_05012D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05012D8A mov eax, dword ptr fs:[00000030h] 13_2_05012D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05012D8A mov eax, dword ptr fs:[00000030h] 13_2_05012D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05012D8A mov eax, dword ptr fs:[00000030h] 13_2_05012D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05012D8A mov eax, dword ptr fs:[00000030h] 13_2_05012D8A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504FD9B mov eax, dword ptr fs:[00000030h] 13_2_0504FD9B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504FD9B mov eax, dword ptr fs:[00000030h] 13_2_0504FD9B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E05AC mov eax, dword ptr fs:[00000030h] 13_2_050E05AC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E05AC mov eax, dword ptr fs:[00000030h] 13_2_050E05AC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050435A1 mov eax, dword ptr fs:[00000030h] 13_2_050435A1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05041DB5 mov eax, dword ptr fs:[00000030h] 13_2_05041DB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05041DB5 mov eax, dword ptr fs:[00000030h] 13_2_05041DB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05041DB5 mov eax, dword ptr fs:[00000030h] 13_2_05041DB5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096DC9 mov eax, dword ptr fs:[00000030h] 13_2_05096DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096DC9 mov eax, dword ptr fs:[00000030h] 13_2_05096DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096DC9 mov eax, dword ptr fs:[00000030h] 13_2_05096DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096DC9 mov ecx, dword ptr fs:[00000030h] 13_2_05096DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096DC9 mov eax, dword ptr fs:[00000030h] 13_2_05096DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096DC9 mov eax, dword ptr fs:[00000030h] 13_2_05096DC9
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0502D5E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502D5E0 mov eax, dword ptr fs:[00000030h] 13_2_0502D5E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050DFDE2 mov eax, dword ptr fs:[00000030h] 13_2_050DFDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050DFDE2 mov eax, dword ptr fs:[00000030h] 13_2_050DFDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050DFDE2 mov eax, dword ptr fs:[00000030h] 13_2_050DFDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050DFDE2 mov eax, dword ptr fs:[00000030h] 13_2_050DFDE2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050C8DF1 mov eax, dword ptr fs:[00000030h] 13_2_050C8DF1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E740D mov eax, dword ptr fs:[00000030h] 13_2_050E740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E740D mov eax, dword ptr fs:[00000030h] 13_2_050E740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E740D mov eax, dword ptr fs:[00000030h] 13_2_050E740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096C0A mov eax, dword ptr fs:[00000030h] 13_2_05096C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096C0A mov eax, dword ptr fs:[00000030h] 13_2_05096C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096C0A mov eax, dword ptr fs:[00000030h] 13_2_05096C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096C0A mov eax, dword ptr fs:[00000030h] 13_2_05096C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1C06 mov eax, dword ptr fs:[00000030h] 13_2_050D1C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504BC2C mov eax, dword ptr fs:[00000030h] 13_2_0504BC2C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504A44B mov eax, dword ptr fs:[00000030h] 13_2_0504A44B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050AC450 mov eax, dword ptr fs:[00000030h] 13_2_050AC450
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050AC450 mov eax, dword ptr fs:[00000030h] 13_2_050AC450
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503746D mov eax, dword ptr fs:[00000030h] 13_2_0503746D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502849B mov eax, dword ptr fs:[00000030h] 13_2_0502849B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E8CD6 mov eax, dword ptr fs:[00000030h] 13_2_050E8CD6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D14FB mov eax, dword ptr fs:[00000030h] 13_2_050D14FB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096CF0 mov eax, dword ptr fs:[00000030h] 13_2_05096CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096CF0 mov eax, dword ptr fs:[00000030h] 13_2_05096CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05096CF0 mov eax, dword ptr fs:[00000030h] 13_2_05096CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E070D mov eax, dword ptr fs:[00000030h] 13_2_050E070D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E070D mov eax, dword ptr fs:[00000030h] 13_2_050E070D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504A70E mov eax, dword ptr fs:[00000030h] 13_2_0504A70E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504A70E mov eax, dword ptr fs:[00000030h] 13_2_0504A70E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503F716 mov eax, dword ptr fs:[00000030h] 13_2_0503F716
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050AFF10 mov eax, dword ptr fs:[00000030h] 13_2_050AFF10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050AFF10 mov eax, dword ptr fs:[00000030h] 13_2_050AFF10
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05014F2E mov eax, dword ptr fs:[00000030h] 13_2_05014F2E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05014F2E mov eax, dword ptr fs:[00000030h] 13_2_05014F2E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504E730 mov eax, dword ptr fs:[00000030h] 13_2_0504E730
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502EF40 mov eax, dword ptr fs:[00000030h] 13_2_0502EF40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502FF60 mov eax, dword ptr fs:[00000030h] 13_2_0502FF60
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E8F6A mov eax, dword ptr fs:[00000030h] 13_2_050E8F6A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05028794 mov eax, dword ptr fs:[00000030h] 13_2_05028794
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05097794 mov eax, dword ptr fs:[00000030h] 13_2_05097794
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05097794 mov eax, dword ptr fs:[00000030h] 13_2_05097794
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05097794 mov eax, dword ptr fs:[00000030h] 13_2_05097794
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050537F5 mov eax, dword ptr fs:[00000030h] 13_2_050537F5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501C600 mov eax, dword ptr fs:[00000030h] 13_2_0501C600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501C600 mov eax, dword ptr fs:[00000030h] 13_2_0501C600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501C600 mov eax, dword ptr fs:[00000030h] 13_2_0501C600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05048E00 mov eax, dword ptr fs:[00000030h] 13_2_05048E00
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D1608 mov eax, dword ptr fs:[00000030h] 13_2_050D1608
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504A61C mov eax, dword ptr fs:[00000030h] 13_2_0504A61C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504A61C mov eax, dword ptr fs:[00000030h] 13_2_0504A61C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501E620 mov eax, dword ptr fs:[00000030h] 13_2_0501E620
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050CFE3F mov eax, dword ptr fs:[00000030h] 13_2_050CFE3F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05027E41 mov eax, dword ptr fs:[00000030h] 13_2_05027E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05027E41 mov eax, dword ptr fs:[00000030h] 13_2_05027E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05027E41 mov eax, dword ptr fs:[00000030h] 13_2_05027E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05027E41 mov eax, dword ptr fs:[00000030h] 13_2_05027E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05027E41 mov eax, dword ptr fs:[00000030h] 13_2_05027E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05027E41 mov eax, dword ptr fs:[00000030h] 13_2_05027E41
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050DAE44 mov eax, dword ptr fs:[00000030h] 13_2_050DAE44
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050DAE44 mov eax, dword ptr fs:[00000030h] 13_2_050DAE44
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502766D mov eax, dword ptr fs:[00000030h] 13_2_0502766D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503AE73 mov eax, dword ptr fs:[00000030h] 13_2_0503AE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503AE73 mov eax, dword ptr fs:[00000030h] 13_2_0503AE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503AE73 mov eax, dword ptr fs:[00000030h] 13_2_0503AE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503AE73 mov eax, dword ptr fs:[00000030h] 13_2_0503AE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503AE73 mov eax, dword ptr fs:[00000030h] 13_2_0503AE73
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050AFE87 mov eax, dword ptr fs:[00000030h] 13_2_050AFE87
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E0EA5 mov eax, dword ptr fs:[00000030h] 13_2_050E0EA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E0EA5 mov eax, dword ptr fs:[00000030h] 13_2_050E0EA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E0EA5 mov eax, dword ptr fs:[00000030h] 13_2_050E0EA5
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050946A7 mov eax, dword ptr fs:[00000030h] 13_2_050946A7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05058EC7 mov eax, dword ptr fs:[00000030h] 13_2_05058EC7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050436CC mov eax, dword ptr fs:[00000030h] 13_2_050436CC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050CFEC0 mov eax, dword ptr fs:[00000030h] 13_2_050CFEC0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E8ED6 mov eax, dword ptr fs:[00000030h] 13_2_050E8ED6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050276E2 mov eax, dword ptr fs:[00000030h] 13_2_050276E2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050416E0 mov ecx, dword ptr fs:[00000030h] 13_2_050416E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05019100 mov eax, dword ptr fs:[00000030h] 13_2_05019100
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05019100 mov eax, dword ptr fs:[00000030h] 13_2_05019100
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05019100 mov eax, dword ptr fs:[00000030h] 13_2_05019100
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05034120 mov eax, dword ptr fs:[00000030h] 13_2_05034120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05034120 mov eax, dword ptr fs:[00000030h] 13_2_05034120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05034120 mov eax, dword ptr fs:[00000030h] 13_2_05034120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05034120 mov eax, dword ptr fs:[00000030h] 13_2_05034120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05034120 mov ecx, dword ptr fs:[00000030h] 13_2_05034120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504513A mov eax, dword ptr fs:[00000030h] 13_2_0504513A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504513A mov eax, dword ptr fs:[00000030h] 13_2_0504513A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503B944 mov eax, dword ptr fs:[00000030h] 13_2_0503B944
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503B944 mov eax, dword ptr fs:[00000030h] 13_2_0503B944
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501C962 mov eax, dword ptr fs:[00000030h] 13_2_0501C962
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501B171 mov eax, dword ptr fs:[00000030h] 13_2_0501B171
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501B171 mov eax, dword ptr fs:[00000030h] 13_2_0501B171
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0503C182 mov eax, dword ptr fs:[00000030h] 13_2_0503C182
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504A185 mov eax, dword ptr fs:[00000030h] 13_2_0504A185
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05042990 mov eax, dword ptr fs:[00000030h] 13_2_05042990
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050461A0 mov eax, dword ptr fs:[00000030h] 13_2_050461A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050461A0 mov eax, dword ptr fs:[00000030h] 13_2_050461A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D49A4 mov eax, dword ptr fs:[00000030h] 13_2_050D49A4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D49A4 mov eax, dword ptr fs:[00000030h] 13_2_050D49A4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D49A4 mov eax, dword ptr fs:[00000030h] 13_2_050D49A4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D49A4 mov eax, dword ptr fs:[00000030h] 13_2_050D49A4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050969A6 mov eax, dword ptr fs:[00000030h] 13_2_050969A6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050951BE mov eax, dword ptr fs:[00000030h] 13_2_050951BE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050951BE mov eax, dword ptr fs:[00000030h] 13_2_050951BE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050951BE mov eax, dword ptr fs:[00000030h] 13_2_050951BE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050951BE mov eax, dword ptr fs:[00000030h] 13_2_050951BE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0501B1E1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0501B1E1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0501B1E1 mov eax, dword ptr fs:[00000030h] 13_2_0501B1E1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050A41E8 mov eax, dword ptr fs:[00000030h] 13_2_050A41E8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E4015 mov eax, dword ptr fs:[00000030h] 13_2_050E4015
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E4015 mov eax, dword ptr fs:[00000030h] 13_2_050E4015
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05097016 mov eax, dword ptr fs:[00000030h] 13_2_05097016
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05097016 mov eax, dword ptr fs:[00000030h] 13_2_05097016
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05097016 mov eax, dword ptr fs:[00000030h] 13_2_05097016
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502B02A mov eax, dword ptr fs:[00000030h] 13_2_0502B02A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502B02A mov eax, dword ptr fs:[00000030h] 13_2_0502B02A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502B02A mov eax, dword ptr fs:[00000030h] 13_2_0502B02A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0502B02A mov eax, dword ptr fs:[00000030h] 13_2_0502B02A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504002D mov eax, dword ptr fs:[00000030h] 13_2_0504002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504002D mov eax, dword ptr fs:[00000030h] 13_2_0504002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504002D mov eax, dword ptr fs:[00000030h] 13_2_0504002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504002D mov eax, dword ptr fs:[00000030h] 13_2_0504002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504002D mov eax, dword ptr fs:[00000030h] 13_2_0504002D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05030050 mov eax, dword ptr fs:[00000030h] 13_2_05030050
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05030050 mov eax, dword ptr fs:[00000030h] 13_2_05030050
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050E1074 mov eax, dword ptr fs:[00000030h] 13_2_050E1074
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_050D2073 mov eax, dword ptr fs:[00000030h] 13_2_050D2073
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_05019080 mov eax, dword ptr fs:[00000030h] 13_2_05019080
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Code function: 2_2_0040ACE0 LdrLoadDll, 2_2_0040ACE0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.xianzyw.com
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 820000
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Memory written: C:\Users\user\AppData\Local\Temp\pkypr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Thread register set: target process: 3808
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 3808
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Process created: C:\Users\user\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user~1\AppData\Local\Temp\pkypr.exe"
Source: explorer.exe, 00000003.00000000.428100994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.375616871.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.497183936.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program ManagerG
Source: explorer.exe, 00000003.00000000.428100994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.380260326.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.387403754.0000000007C08000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.428100994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.375616871.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.497183936.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.428100994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.375616871.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.497183936.0000000000D00000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.427555306.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.496570294.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.407103470.0000000000628000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanPV*
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004034F7
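As an added example (it is not part of the sandbox report and not code from the FormBook sample), the Python below parses behaviour lines of the form listed above into a per-process technique map and an injection graph, and flags the condition behind the report's "System process connects to network (likely due to code injection)" signature: a process that received injected code and then issued a DNS query. The input is a constructed subset of this section's lines with the link text removed. The technique labels are the analyst's interpretation of each event type (an unmapped target section as the hollowing step, a queued APC as APC injection, a set thread register as thread-context hijack, a write starting with 4D5A as a PE image), and processes are keyed by image path because that is all these lines carry, so a parent and a same-image child collapse into one node.

```python
"""Summarise Joe Sandbox style behaviour lines as a technique map and injection graph.
Added example for this report; not sandbox output and not code from the sample."""
import re
from collections import defaultdict

# Image paths exactly as they appear in the report.
PKYPR = r"C:\Users\user\AppData\Local\Temp\pkypr.exe"
MSTSC = r"C:\Windows\SysWOW64\mstsc.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed input: a subset of this section's lines, "Jump to behavior" link text removed.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 13_2_0504002D mov eax, dword ptr fs:[00000030h] 13_2_0504002D
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Source: C:\Windows\explorer.exe Domain query: www.xianzyw.com
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 820000
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Memory written: C:\Users\user\AppData\Local\Temp\pkypr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Thread register set: target process: 3808
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe Process created: C:\Users\user\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user~1\AppData\Local\Temp\pkypr.exe"
"""

# "Source: <image path> <event name>: <details>"; paths in these lines contain no spaces.
LINE_RE = re.compile(r"^Source: (?P<src>\S+) (?P<event>[A-Za-z ]+?): (?P<rest>.*)$")

# Event types that imply code or data was placed into, or control taken of, another process.
INJECTION = {"process-hollowing", "rwx-section-mapped", "section-mapped",
             "pe-image-written", "apc-injection", "thread-context-hijack"}


def classify(event, rest):
    """Map one sandbox event to a technique label (analyst interpretation, see lead-in)."""
    if event == "Code function" and "fs:[00000030h]" in rest:
        return "peb-read"            # fs:[30h] is the PEB pointer in the 32-bit TEB
    if event == "Process queried" and rest == "DebugPort":
        return "debugger-check"      # ProcessDebugPort query
    if event == "Section unmapped":
        return "process-hollowing"   # target image unmapped before a new one is written
    if event == "Section loaded":
        return "rwx-section-mapped" if "execute and read and write" in rest else "section-mapped"
    if event == "Memory written" and rest.endswith("4D5A"):
        return "pe-image-written"    # buffer begins with the 'MZ' DOS header
    if event == "Thread APC queued":
        return "apc-injection"
    if event == "Thread register set":
        return "thread-context-hijack"
    if event == "Process created":
        return "self-deletion" if "/c del" in rest else "child-process"
    if event == "Domain query":
        return "dns-query"
    return None


def target_of(event, rest):
    """Pull the other process out of the details field, where the event names one."""
    if event in ("Section unmapped", "Memory written"):
        return rest.split(" base")[0]
    if event == "Section loaded":
        m = re.search(r"target: (\S+) protection:", rest)
        return m.group(1) if m else None
    if event in ("Thread APC queued", "Thread register set"):
        return rest.split("target process: ", 1)[1]      # image path or PID, as given
    if event == "Process created":
        return rest.split(" ", 1)[0]                     # child image; command line follows
    return None


def summarize(text):
    """Return ({source process: set of techniques}, [(source, technique, target), ...])."""
    techniques, edges = defaultdict(set), []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, event, rest = m.group("src", "event", "rest")
        tech = classify(event, rest)
        if tech is None:
            continue
        techniques[src].add(tech)
        tgt = target_of(event, rest)
        if tgt is not None and tgt != "unknown":
            edges.append((src, tech, tgt))
    return techniques, edges


def injection_targets(edges):
    """Processes (by path or PID) that received an injection-class action."""
    return {tgt for _, tech, tgt in edges if tech in INJECTION}


def injected_network_hosts(techniques, edges):
    """Processes that were injected into and then resolved a domain."""
    targets = injection_targets(edges)
    return {p for p, t in techniques.items() if "dns-query" in t and p in targets}


if __name__ == "__main__":
    techs, graph = summarize(REPORT_LINES)
    for proc, t in sorted(techs.items()):
        print(proc, "->", ", ".join(sorted(t)))
    print("injected hosts that resolved a domain:", injected_network_hosts(techs, graph))
```

On this input the dropper pkypr.exe is the only source of hollowing, APC and thread-context edges, mstsc.exe and explorer.exe are the hosts, and explorer.exe is the single process that both received injected code and issued the DNS query, which is the observation the report's network-from-system-process signature rests on.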

Stealing of Sensitive Information

Source: Yara match File source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
No contacted IP infos