Windows Analysis Report
SecuriteInfo.com.Variant.Jaik.72878.10638.10974

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Jaik.72878.10638.10974 (renamed file extension from 10974 to exe)
Analysis ID: 626276
MD5: 69250f55fbfe48822c838b4eeaf33a0a
SHA1: 3e4e1dd9dbeb98ec354f7a03d455a0a38ccea4e5
SHA256: 752d0155c769033832d6845eabba29bce2b9d0eedff734b31a49c879ed08ff72
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

AV Detection

Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.worklifefirewalls.com/m9y5/"], "decoy": ["cryptocurrenciesmarketcaps.com", "legaslktiy3.xyz", "cardhj.com", "zouoolaa.xyz", "yjy888.com", "modernboatsalesnadservice.xyz", "zeirishiyamasaki.com", "jamesture.com", "wwwcharleys.com", "walletsw.com", "mbbpaymentplan.com", "lume24.com", "steelonsite.com", "digihm.solutions", "desertunicorns.com", "marbepay.com", "vvv678.com", "73154.xyz", "qzbozhijy.com", "daometalaunch.com", "asproclub.com", "jobeta.net", "whusab.xyz", "delivery-074812.xyz", "magicportriat.com", "floridacommercialprinting.com", "jogodobicho.top", "acessesiteonline01.online", "lakrkajz.xyz", "medicalmassageofpalmbeaches.com", "trendylifeco.com", "upliftpropertysolutions.com", "discountbestdeals.com", "antoniolorenzo.com", "etheteroad.com", "atukr.icu", "xinli-ac.com", "hhydlxs.com", "megabandar.xyz", "olyards.com", "likeama.com", "homes.equipment", "rscall.center", "mayonline.online", "trq-advisors.com", "growyourown.center", "citzensinfo.com", "modernerkredit.com", "chitbucket.com", "kookpedal.com", "tatahotsauce.com", "steadywoman.com", "rfpconsultants.xyz", "insurancecentral.info", "appalachianfamilies.com", "boywhocode.xyz", "a-superb-us-retro-clothes.fyi", "meandmsjones.online", "pastoreemilio.com", "emprendemente.online", "erminelair.com", "doudou-ssr.net", "credit.cool", "dgengcase.com"]}
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe Virustotal: Detection: 41%
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe ReversingLabs: Detection: 43%
Source: Yara match File source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe Joe Sandbox ML: detected
Source: 2.0.fdvucso.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.fdvucso.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.fdvucso.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.fdvucso.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.fdvucso.exe.a70000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\lmwlf\ciwera\wcsu\ec524832ab3648f5b1c9c3185cc05774\hsjgbq\tqrenmhx\Release\tqrenmhx.pdb source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe, 00000000.00000002.454080692.0000000000789000.00000004.00000001.01000000.00000003.sdmp, fdvucso.exe, 00000001.00000000.430396179.000000000119E000.00000002.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000001.00000002.440272687.000000000119E000.00000002.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000002.00000000.433738219.000000000119E000.00000002.00000001.01000000.00000004.sdmp, cmd.exe, 0000000D.00000002.695116331.000000000335F000.00000004.10000000.00040000.00000000.sdmp, nsmCEB5.tmp.0.dr, fdvucso.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: fdvucso.exe, 00000001.00000003.438551302.000000001A540000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000001.00000003.434608426.000000001A6D0000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515050798.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.441575692.0000000001354000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.439819748.00000000011B4000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515766558.000000000160F000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694158511.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.515945671.0000000000BC9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.514406903.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694414486.0000000000E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: fdvucso.exe, 00000002.00000002.516194872.0000000003200000.00000040.10000000.00040000.00000000.sdmp, fdvucso.exe, 00000002.00000003.513191387.0000000001041000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694963571.0000000001100000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000D.00000000.513997856.0000000001100000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: fdvucso.exe, 00000001.00000003.438551302.000000001A540000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000001.00000003.434608426.000000001A6D0000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515050798.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.441575692.0000000001354000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.439819748.00000000011B4000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515766558.000000000160F000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000D.00000002.694158511.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.515945671.0000000000BC9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.514406903.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694414486.0000000000E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: fdvucso.exe, 00000002.00000002.516194872.0000000003200000.00000040.10000000.00040000.00000000.sdmp, fdvucso.exe, 00000002.00000003.513191387.0000000001041000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694963571.0000000001100000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000D.00000000.513997856.0000000001100000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 4x nop then pop ebx 2_2_00407B20
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 4x nop then pop edi 2_2_00417DB6

Networking

Source: C:\Windows\explorer.exe Network Connect: 170.75.150.177 80
Source: C:\Windows\explorer.exe Domain query: www.lume24.com
Source: C:\Windows\explorer.exe Domain query: www.cryptocurrenciesmarketcaps.com
Source: C:\Windows\explorer.exe Network Connect: 35.186.238.101 80
Source: C:\Windows\explorer.exe Domain query: www.qzbozhijy.com
Source: Malware configuration extractor URLs: www.worklifefirewalls.com/m9y5/
Source: Joe Sandbox View ASN Name: QUICKPACKETUS QUICKPACKETUS
Source: global traffic HTTP traffic detected: GET /m9y5/?GDHDO=orMzR/RfXnMhfSAyBjBjnR1lGR+TvkHzuwdFBkAhJBLh1eKTDfMMMN4zoKLE4Jh6elIQ&2d0tk4=7nxxAXLHM4 HTTP/1.1 Host: www.qzbozhijy.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /m9y5/?GDHDO=nj3oxEIT1zdIdiXK9EykkBiMkkzJg0Of7VGGA4YdAoGVUT4DfIqyC+XPG7GpV3gppNhE&2d0tk4=7nxxAXLHM4 HTTP/1.1 Host: www.cryptocurrenciesmarketcaps.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden Server: openresty Date: Fri, 13 May 2022 17:45:29 GMT Content-Type: text/html Content-Length: 291 ETag: "627e693c-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cmd.exe, 0000000D.00000002.695248264.000000000384F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: cmd.exe, 0000000D.00000002.695248264.000000000384F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
Source: unknown DNS traffic detected: queries for: www.qzbozhijy.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F

E-Banking Fraud

Source: Yara match File source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_01191890 1_2_01191890
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_0119A184 1_2_0119A184
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_0119C3BD 1_2_0119C3BD
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_0119B3F1 1_2_0119B3F1
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_01199C12 1_2_01199C12
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_01197E88 1_2_01197E88
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_011996A0 1_2_011996A0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041E819 2_2_0041E819
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041E0B6 2_2_0041E0B6
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00402D89 2_2_00402D89
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00409E5B 2_2_00409E5B
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00409E60 2_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041DE2C 2_2_0041DE2C
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041E79E 2_2_0041E79E
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0119A184 2_2_0119A184
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_01191890 2_2_01191890
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0119C3BD 2_2_0119C3BD
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0119B3F1 2_2_0119B3F1
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_01199C12 2_2_01199C12
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_01197E88 2_2_01197E88
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_011996A0 2_2_011996A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E528EC 13_2_00E528EC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9B090 13_2_00D9B090
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E520A8 13_2_00E520A8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB20A0 13_2_00DB20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E5E824 13_2_00E5E824
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41002 13_2_00E41002
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA830 13_2_00DAA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8F900 13_2_00D8F900
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA4120 13_2_00DA4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E522AE 13_2_00E522AE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E3FA2B 13_2_00E3FA2B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4DBD2 13_2_00E4DBD2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E403DA 13_2_00E403DA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBEBB0 13_2_00DBEBB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAAB40 13_2_00DAAB40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E52B28 13_2_00E52B28
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4D466 13_2_00E4D466
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9841F 13_2_00D9841F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E525DD 13_2_00E525DD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9D5E0 13_2_00D9D5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB2581 13_2_00DB2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E51D55 13_2_00E51D55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E52D07 13_2_00E52D07
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D80D20 13_2_00D80D20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E52EF7 13_2_00E52EF7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA6E30 13_2_00DA6E30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4D616 13_2_00E4D616
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E51FF1 13_2_00E51FF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E5DFCE 13_2_00E5DFCE
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: String function: 01192400 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: String function: 01194599 appears 38 times
Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 00D8B150 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041A360 NtCreateFile, 2_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041A410 NtReadFile, 2_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041A490 NtClose, 2_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041A540 NtAllocateVirtualMemory, 2_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041A35A NtCreateFile, 2_2_0041A35A
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041A40A NtReadFile, 2_2_0041A40A
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041A53A NtAllocateVirtualMemory, 2_2_0041A53A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9840 NtDelayExecution,LdrInitializeThunk, 13_2_00DC9840
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_00DC9860
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC99A0 NtCreateSection,LdrInitializeThunk, 13_2_00DC99A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_00DC9910
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9A50 NtCreateFile,LdrInitializeThunk, 13_2_00DC9A50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC95D0 NtClose,LdrInitializeThunk, 13_2_00DC95D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9540 NtReadFile,LdrInitializeThunk, 13_2_00DC9540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC96D0 NtCreateKey,LdrInitializeThunk, 13_2_00DC96D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC96E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_00DC96E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9FE0 NtCreateMutant,LdrInitializeThunk, 13_2_00DC9FE0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9780 NtMapViewOfSection,LdrInitializeThunk, 13_2_00DC9780
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9710 NtQueryInformationToken,LdrInitializeThunk, 13_2_00DC9710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC98F0 NtReadVirtualMemory, 13_2_00DC98F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC98A0 NtWriteVirtualMemory, 13_2_00DC98A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DCB040 NtSuspendThread, 13_2_00DCB040
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9820 NtEnumerateKey, 13_2_00DC9820
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC99D0 NtCreateProcessEx, 13_2_00DC99D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9950 NtQueueApcThread, 13_2_00DC9950
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9A80 NtOpenDirectoryObject, 13_2_00DC9A80
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9A10 NtQuerySection, 13_2_00DC9A10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9A00 NtProtectVirtualMemory, 13_2_00DC9A00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9A20 NtResumeThread, 13_2_00DC9A20
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DCA3B0 NtGetContextThread, 13_2_00DCA3B0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9B00 NtSetValueKey, 13_2_00DC9B00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC95F0 NtQueryInformationFile, 13_2_00DC95F0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9560 NtWriteFile, 13_2_00DC9560
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DCAD30 NtSetContextThread, 13_2_00DCAD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9520 NtWaitForSingleObject, 13_2_00DC9520
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9650 NtQueryValueKey, 13_2_00DC9650
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9670 NtQueryInformationProcess, 13_2_00DC9670
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9660 NtAllocateVirtualMemory, 13_2_00DC9660
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9610 NtEnumerateValueKey, 13_2_00DC9610
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC97A0 NtUnmapViewOfSection, 13_2_00DC97A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DCA770 NtOpenThread, 13_2_00DCA770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9770 NtSetInformationFile, 13_2_00DC9770
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9760 NtOpenProcess, 13_2_00DC9760
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DCA710 NtOpenProcessToken, 13_2_00DCA710
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC9730 NtQueryVirtualMemory, 13_2_00DC9730
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\fdvucso.exe 3D9400A6D9CA60C3BBE4212BA2727924E086A41CD2634D5CE1C4B8D9EE02F9DD
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe Virustotal: Detection: 41%
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe ReversingLabs: Detection: 43%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Jump to behavior
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe" Jump to behavior
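
The process tree above (dropper, two fdvucso.exe stages, explorer.exe spawning a bare SysWOW64\cmd.exe, that cmd.exe deleting fdvucso.exe) is the chain a detection engineer wants to key on. The following is an added example, not part of the sandbox report: the events are constructed from the 'Process created' lines above with invented PIDs, and the rule keys on the SysWOW64 path plus a bare command line rather than on cmd.exe, because the report only shows which host this run happened to use.

```python
"""Flag the FormBook-style process chain seen in this report from process-creation events.

Added example, not part of the sandbox report. The event list is constructed from the
'Process created' lines above; PIDs and the event layout are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # command line it was started with


DROPPER = r"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe"
STAGE2 = r"C:\Users\user\AppData\Local\Temp\fdvucso.exe"
DATAFILE = r"C:\Users\user\AppData\Local\Temp\wqqynoeqp"
HOST = r"C:\Windows\SysWOW64\cmd.exe"

# Constructed from the report's process tree; PIDs are invented.
EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, DROPPER, f'"{DROPPER}"'),
    ProcEvent(101, 100, STAGE2, f"{STAGE2} {DATAFILE}"),
    ProcEvent(102, 101, STAGE2, f"{STAGE2} {DATAFILE}"),
    ProcEvent(200, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(201, 200, HOST, HOST),
    ProcEvent(202, 201, HOST, f'{HOST} /c del "{STAGE2}"'),
    ProcEvent(203, 202, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# A benign chain that must not fire: explorer.exe starts a 64-bit cmd.exe with arguments.
BENIGN_EVENTS: List[ProcEvent] = [
    ProcEvent(300, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(301, 300, r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c dir C:\Users'),
]

SYSWOW64 = "c:\\windows\\syswow64\\"
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_bare_launch(e: ProcEvent) -> bool:
    """True when the command line is nothing but the image path (optionally quoted)."""
    return e.cmdline.strip().strip('"').lower() == e.image.lower()


def _ancestors(e: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    chain, cur = [], by_pid.get(e.ppid)
    while cur is not None and cur not in chain:
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def find_formbook_chain(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (finding, pid, detail) tuples for two linked behaviours from the report:
    1. explorer.exe starting a SysWOW64 binary with a bare command line (the injected
       explorer picked a 32-bit host; here cmd.exe), and
    2. that host, or a descendant, running 'del' against an image that executed earlier
       in the same stream (the loader removing fdvucso.exe)."""
    by_pid = {e.pid: e for e in events}
    executed = {e.image.lower() for e in events}
    findings: List[Tuple[str, int, str]] = []
    hosts = set()
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None and _name(parent.image) == "explorer.exe"
                and e.image.lower().startswith(SYSWOW64) and _is_bare_launch(e)):
            hosts.add(e.pid)
            findings.append(("explorer_spawns_bare_syswow64_host", e.pid, e.image))
    for e in events:
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group(1).strip()
        if target.lower() not in executed:
            continue
        kind = "self_delete_of_executed_image"
        if hosts & {a.pid for a in _ancestors(e, by_pid)}:
            kind = "injected_host_deletes_loader"
        findings.append((kind, e.pid, target))
    return findings


if __name__ == "__main__":
    for f in find_formbook_chain(EVENTS):
        print(f)
```

The second rule only fires when the deleted path matches an image that already ran, which is what separates the loader's cleanup from an ordinary `cmd /c del` of a temp file; correlating it with the bare SysWOW64 launch in its ancestry is what turns two weak signals into one high-confidence one.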
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe File created: C:\Users\user\AppData\Local\Temp\nscCE76.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/4@4/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404ABB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\lmwlf\ciwera\wcsu\ec524832ab3648f5b1c9c3185cc05774\hsjgbq\tqrenmhx\Release\tqrenmhx.pdb source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe, 00000000.00000002.454080692.0000000000789000.00000004.00000001.01000000.00000003.sdmp, fdvucso.exe, 00000001.00000000.430396179.000000000119E000.00000002.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000001.00000002.440272687.000000000119E000.00000002.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000002.00000000.433738219.000000000119E000.00000002.00000001.01000000.00000004.sdmp, cmd.exe, 0000000D.00000002.695116331.000000000335F000.00000004.10000000.00040000.00000000.sdmp, nsmCEB5.tmp.0.dr, fdvucso.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: fdvucso.exe, 00000001.00000003.438551302.000000001A540000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000001.00000003.434608426.000000001A6D0000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515050798.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.441575692.0000000001354000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.439819748.00000000011B4000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515766558.000000000160F000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694158511.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.515945671.0000000000BC9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.514406903.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694414486.0000000000E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: fdvucso.exe, 00000002.00000002.516194872.0000000003200000.00000040.10000000.00040000.00000000.sdmp, fdvucso.exe, 00000002.00000003.513191387.0000000001041000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694963571.0000000001100000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000D.00000000.513997856.0000000001100000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: fdvucso.exe, 00000001.00000003.438551302.000000001A540000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000001.00000003.434608426.000000001A6D0000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515050798.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.441575692.0000000001354000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.439819748.00000000011B4000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515766558.000000000160F000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000D.00000002.694158511.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.515945671.0000000000BC9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.514406903.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694414486.0000000000E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: fdvucso.exe, 00000002.00000002.516194872.0000000003200000.00000040.10000000.00040000.00000000.sdmp, fdvucso.exe, 00000002.00000003.513191387.0000000001041000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694963571.0000000001100000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000D.00000000.513997856.0000000001100000.00000040.80000000.00040000.00000000.sdmp
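
The tqrenmhx.pdb path above survives from the dropper through both fdvucso.exe stages into the cmd.exe dumps, so it is worth extracting and pivoting on. The following is an added example, not part of the report: it parses CodeView RSDS records from a raw buffer (PE file or memory dump) and flags directory names that look machine-generated. The buffer is constructed around the reported path with an invented GUID and age, and the "no vowels" rule is a triage heuristic of mine, not something the sandbox applies.

```python
"""Pull CodeView 'RSDS' PDB paths out of a raw buffer and flag directory names that look
generated, to pivot on the tqrenmhx.pdb path shown in the report.

Added example, not from the report. The buffer is constructed around the reported PDB
string; GUID and age are invented, and generated_looking_dirs() is a heuristic assumption.
"""
import re
import struct
from typing import List, Tuple

REPORTED_PDB = (r"C:\lmwlf\ciwera\wcsu\ec524832ab3648f5b1c9c3185cc05774"
                r"\hsjgbq\tqrenmhx\Release\tqrenmhx.pdb")


def extract_rsds(blob: bytes) -> List[Tuple[str, int, str]]:
    """CodeView 7.0 record: 'RSDS' | GUID (16 bytes, Windows GUID layout) | age (u32 LE) | path NUL.
    Returns (guid, age, path) for every plausible record; non-printable paths are rejected
    so a stray 'RSDS' in code or data does not produce a bogus hit."""
    found = []
    for m in re.finditer(rb"RSDS", blob):
        base = m.end()
        if base + 20 > len(blob):
            continue
        end = blob.find(b"\x00", base + 20)
        path = blob[base + 20:end] if end > base + 20 else b""
        if not path or not all(0x20 <= c < 0x7F for c in path):
            continue
        g = blob[base:base + 16]
        d1, d2, d3 = struct.unpack_from("<IHH", g)
        guid = f"{d1:08x}-{d2:04x}-{d3:04x}-{g[8:10].hex()}-{g[10:16].hex()}"
        age = struct.unpack_from("<I", blob, base + 16)[0]
        found.append((guid, age, path.decode("ascii")))
    return found


VOWELS = set("aeiouAEIOU")


def generated_looking_dirs(pdb_path: str) -> List[str]:
    """Heuristic (assumption): a directory name of 4+ letters with no vowel is unlikely to be
    a human-chosen project folder. Drive letter and file name are skipped; names with digits
    (hashed build directories are common on real build servers) are not flagged."""
    dirs = [p for p in pdb_path.split("\\")[1:-1] if p]
    return [d for d in dirs if len(d) >= 4 and d.isalpha() and not (set(d) & VOWELS)]


def build_sample_blob() -> bytes:
    """Constructed buffer: junk, a decoy 'RSDS' that is not a record, then one real record."""
    guid = bytes.fromhex("0123456789abcdef" * 2)  # invented
    record = b"RSDS" + guid + struct.pack("<I", 1) + REPORTED_PDB.encode("ascii") + b"\x00"
    return b"\x90" * 16 + b"RSDS\xff\xfe" + b"\x00" * 3 + record + b"\xcc" * 8


if __name__ == "__main__":
    for guid, age, path in extract_rsds(build_sample_blob()):
        print(guid, age, path, generated_looking_dirs(path))
```

GUID plus age is the symbol-server key and stays constant across rebuilds that keep the same PDB, so it is a tighter pivot than the path string alone; the path is still useful because, as the report shows, it is carried unchanged into the hollowed cmd.exe.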
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_01192445 push ecx; ret 1_2_01192458
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00417811 push cs; ret 2_2_00417815
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041E9F4 push ds; ret 2_2_0041E9F8
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00416495 push edx; retf 2_2_004164A0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041D4B5 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041D56C push eax; ret 2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041D502 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0041D50B push eax; ret 2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_01192445 push ecx; ret 2_2_01192458
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DDD0D1 push ecx; ret 13_2_00DDD0E4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe File created: C:\Users\user\AppData\Local\Temp\fdvucso.exe Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEE
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_01191890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_01191890
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
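
The "User mode code has changed" line records an inline hook on user32!PeekMessageA inside explorer.exe. The usual way to confirm such a hook outside the sandbox is to compare the first bytes of each export as mapped from disk with the bytes in the live process. The following is an added example, not part of the report: the disk prologue is the standard hot-patchable 32-bit Win32 stub, the PeekMessageA memory bytes are the six the sandbox printed, and the other hook forms, export names and target addresses are constructed assumptions. The classifier decodes the common 32-bit trampoline forms; the six reported bytes match none of them and are returned as an unclassified modification, which is the honest answer for a 64-bit explorer.exe without further disassembly.

```python
"""Classify an inline hook by comparing a function's on-disk prologue with its in-memory bytes.

Added example, not part of the report. Byte strings are constructed: the disk prologue is
the standard hot-patchable Win32 stub, the PeekMessageA bytes are the six the sandbox
reported, and the remaining hook forms and addresses are assumptions.
"""
import struct
from typing import Dict, List, Optional, Tuple

HOTPATCH_PROLOGUE = bytes.fromhex("8BFF558BEC")  # mov edi,edi ; push ebp ; mov ebp,esp


def classify_hook(func_va: int, disk: bytes, mem: bytes) -> Optional[Tuple[str, Optional[int]]]:
    """Return None when memory matches the image, otherwise (hook_kind, target).
    target is resolved for the common 32-bit trampolines; None when not decodable."""
    n = min(len(disk), len(mem))
    if n == 0 or disk[:n] == mem[:n]:
        return None
    if mem[0] == 0xE9 and len(mem) >= 5:                               # jmp rel32
        rel = struct.unpack_from("<i", mem, 1)[0]
        return ("jmp_rel32", (func_va + 5 + rel) & 0xFFFFFFFF)
    if mem[0] == 0x68 and len(mem) >= 6 and mem[5] == 0xC3:            # push imm32 ; ret
        return ("push_ret", struct.unpack_from("<I", mem, 1)[0])
    if mem[:2] == b"\xFF\x25" and len(mem) >= 6:                       # jmp dword ptr [abs32]
        return ("jmp_indirect", struct.unpack_from("<I", mem, 2)[0])
    if mem[0] == 0xB8 and len(mem) >= 7 and mem[5:7] == b"\xFF\xE0":   # mov eax,imm32 ; jmp eax
        return ("mov_eax_jmp", struct.unpack_from("<I", mem, 1)[0])
    return ("modified_unclassified", None)


def scan_exports(table: Dict[str, Tuple[int, bytes, bytes]]) -> List[Tuple[str, str, Optional[int]]]:
    """table maps export name -> (virtual address, disk prologue, memory prologue)."""
    hits = []
    for name, (va, disk, mem) in sorted(table.items()):
        r = classify_hook(va, disk, mem)
        if r is not None:
            hits.append((name, r[0], r[1]))
    return hits


# Constructed sample. Addresses are assumptions; the PeekMessageA bytes are the ones the
# sandbox reported in explorer.exe ("new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEE").
PEEK_VA = 0x77D01000
SAMPLE = {
    "PeekMessageA": (PEEK_VA, HOTPATCH_PROLOGUE, bytes.fromhex("488BB88EEEEE")),
    "GetMessageA": (PEEK_VA + 0x40, HOTPATCH_PROLOGUE,
                    b"\xE9" + struct.pack("<i", 0x01130000 - (PEEK_VA + 0x40 + 5))),
    "SendMessageA": (PEEK_VA + 0x80, HOTPATCH_PROLOGUE,
                     b"\x68" + struct.pack("<I", 0x00FF0000) + b"\xC3"),
    "GetClipboardData": (PEEK_VA + 0xC0, HOTPATCH_PROLOGUE, HOTPATCH_PROLOGUE),
}

if __name__ == "__main__":
    for hit in scan_exports(SAMPLE):
        print(hit)
```

Two caveats when running this against a real process: take the disk copy from the same DLL build the process loaded and apply relocations before comparing, or an absolute address inside the first bytes shows up as a false "hook"; and treat a resolved target that lies outside any loaded module (the report's hits sit in unbacked regions such as the 0x1130000 and 0xFF0000 dumps) as the strongest indicator, since legitimate hot-patches jump into a signed module.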

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000000169904 second address: 000000000016990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000000169B7E second address: 0000000000169B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 7092 Thread sleep time: -38000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 6824 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe API coverage: 4.4 %
Source: C:\Windows\SysWOW64\cmd.exe API coverage: 4.1 %
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000005.00000000.477575107.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.492546871.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.477575107.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: explorer.exe, 00000005.00000000.477575107.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.493068210.0000000007F92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.472921591.0000000006900000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.478996643.00000000081C3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}$$&2=
Source: explorer.exe, 00000005.00000000.477575107.000000000807B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.493068210.0000000007F92000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.494782734.00000000081C3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_01191D2C _memset,IsDebuggerPresent, 1_2_01191D2C
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_0119558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_0119558A
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_01191D17 GetProcessHeap, 1_2_01191D17
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1B8D0 mov eax, dword ptr fs:[00000030h] 13_2_00E1B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1B8D0 mov ecx, dword ptr fs:[00000030h] 13_2_00E1B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1B8D0 mov eax, dword ptr fs:[00000030h] 13_2_00E1B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1B8D0 mov eax, dword ptr fs:[00000030h] 13_2_00E1B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1B8D0 mov eax, dword ptr fs:[00000030h] 13_2_00E1B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1B8D0 mov eax, dword ptr fs:[00000030h] 13_2_00E1B8D0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D858EC mov eax, dword ptr fs:[00000030h] 13_2_00D858EC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D840E1 mov eax, dword ptr fs:[00000030h] 13_2_00D840E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D840E1 mov eax, dword ptr fs:[00000030h] 13_2_00D840E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D840E1 mov eax, dword ptr fs:[00000030h] 13_2_00D840E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAB8E4 mov eax, dword ptr fs:[00000030h] 13_2_00DAB8E4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAB8E4 mov eax, dword ptr fs:[00000030h] 13_2_00DAB8E4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D89080 mov eax, dword ptr fs:[00000030h] 13_2_00D89080
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBF0BF mov ecx, dword ptr fs:[00000030h] 13_2_00DBF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBF0BF mov eax, dword ptr fs:[00000030h] 13_2_00DBF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBF0BF mov eax, dword ptr fs:[00000030h] 13_2_00DBF0BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E03884 mov eax, dword ptr fs:[00000030h] 13_2_00E03884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E03884 mov eax, dword ptr fs:[00000030h] 13_2_00E03884
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC90AF mov eax, dword ptr fs:[00000030h] 13_2_00DC90AF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB20A0 mov eax, dword ptr fs:[00000030h] 13_2_00DB20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB20A0 mov eax, dword ptr fs:[00000030h] 13_2_00DB20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB20A0 mov eax, dword ptr fs:[00000030h] 13_2_00DB20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB20A0 mov eax, dword ptr fs:[00000030h] 13_2_00DB20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB20A0 mov eax, dword ptr fs:[00000030h] 13_2_00DB20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB20A0 mov eax, dword ptr fs:[00000030h] 13_2_00DB20A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA0050 mov eax, dword ptr fs:[00000030h] 13_2_00DA0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA0050 mov eax, dword ptr fs:[00000030h] 13_2_00DA0050
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E51074 mov eax, dword ptr fs:[00000030h] 13_2_00E51074
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E42073 mov eax, dword ptr fs:[00000030h] 13_2_00E42073
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA830 mov eax, dword ptr fs:[00000030h] 13_2_00DAA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA830 mov eax, dword ptr fs:[00000030h] 13_2_00DAA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA830 mov eax, dword ptr fs:[00000030h] 13_2_00DAA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA830 mov eax, dword ptr fs:[00000030h] 13_2_00DAA830
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E54015 mov eax, dword ptr fs:[00000030h] 13_2_00E54015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E54015 mov eax, dword ptr fs:[00000030h] 13_2_00E54015
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9B02A mov eax, dword ptr fs:[00000030h] 13_2_00D9B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9B02A mov eax, dword ptr fs:[00000030h] 13_2_00D9B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9B02A mov eax, dword ptr fs:[00000030h] 13_2_00D9B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9B02A mov eax, dword ptr fs:[00000030h] 13_2_00D9B02A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E07016 mov eax, dword ptr fs:[00000030h] 13_2_00E07016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E07016 mov eax, dword ptr fs:[00000030h] 13_2_00E07016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E07016 mov eax, dword ptr fs:[00000030h] 13_2_00E07016
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB002D mov eax, dword ptr fs:[00000030h] 13_2_00DB002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB002D mov eax, dword ptr fs:[00000030h] 13_2_00DB002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB002D mov eax, dword ptr fs:[00000030h] 13_2_00DB002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB002D mov eax, dword ptr fs:[00000030h] 13_2_00DB002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB002D mov eax, dword ptr fs:[00000030h] 13_2_00DB002D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E141E8 mov eax, dword ptr fs:[00000030h] 13_2_00E141E8
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8B1E1 mov eax, dword ptr fs:[00000030h] 13_2_00D8B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8B1E1 mov eax, dword ptr fs:[00000030h] 13_2_00D8B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8B1E1 mov eax, dword ptr fs:[00000030h] 13_2_00D8B1E1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E449A4 mov eax, dword ptr fs:[00000030h] 13_2_00E449A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E449A4 mov eax, dword ptr fs:[00000030h] 13_2_00E449A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E449A4 mov eax, dword ptr fs:[00000030h] 13_2_00E449A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E449A4 mov eax, dword ptr fs:[00000030h] 13_2_00E449A4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E069A6 mov eax, dword ptr fs:[00000030h] 13_2_00E069A6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB2990 mov eax, dword ptr fs:[00000030h] 13_2_00DB2990
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAC182 mov eax, dword ptr fs:[00000030h] 13_2_00DAC182
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBA185 mov eax, dword ptr fs:[00000030h] 13_2_00DBA185
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E051BE mov eax, dword ptr fs:[00000030h] 13_2_00E051BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E051BE mov eax, dword ptr fs:[00000030h] 13_2_00E051BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E051BE mov eax, dword ptr fs:[00000030h] 13_2_00E051BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E051BE mov eax, dword ptr fs:[00000030h] 13_2_00E051BE
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov ecx, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov ecx, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov eax, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov ecx, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov ecx, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov eax, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov ecx, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov ecx, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov eax, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov ecx, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov ecx, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA99BF mov eax, dword ptr fs:[00000030h] 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB61A0 mov eax, dword ptr fs:[00000030h] 13_2_00DB61A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB61A0 mov eax, dword ptr fs:[00000030h] 13_2_00DB61A0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAB944 mov eax, dword ptr fs:[00000030h] 13_2_00DAB944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAB944 mov eax, dword ptr fs:[00000030h] 13_2_00DAB944
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8B171 mov eax, dword ptr fs:[00000030h] 13_2_00D8B171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8B171 mov eax, dword ptr fs:[00000030h] 13_2_00D8B171
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8C962 mov eax, dword ptr fs:[00000030h] 13_2_00D8C962
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D89100 mov eax, dword ptr fs:[00000030h] 13_2_00D89100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D89100 mov eax, dword ptr fs:[00000030h] 13_2_00D89100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D89100 mov eax, dword ptr fs:[00000030h] 13_2_00D89100
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB513A mov eax, dword ptr fs:[00000030h] 13_2_00DB513A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB513A mov eax, dword ptr fs:[00000030h] 13_2_00DB513A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA4120 mov eax, dword ptr fs:[00000030h] 13_2_00DA4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA4120 mov eax, dword ptr fs:[00000030h] 13_2_00DA4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA4120 mov eax, dword ptr fs:[00000030h] 13_2_00DA4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA4120 mov eax, dword ptr fs:[00000030h] 13_2_00DA4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA4120 mov ecx, dword ptr fs:[00000030h] 13_2_00DA4120
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB2ACB mov eax, dword ptr fs:[00000030h] 13_2_00DB2ACB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB2AE4 mov eax, dword ptr fs:[00000030h] 13_2_00DB2AE4
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBD294 mov eax, dword ptr fs:[00000030h] 13_2_00DBD294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBD294 mov eax, dword ptr fs:[00000030h] 13_2_00DBD294
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9AAB0 mov eax, dword ptr fs:[00000030h] 13_2_00D9AAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9AAB0 mov eax, dword ptr fs:[00000030h] 13_2_00D9AAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBFAB0 mov eax, dword ptr fs:[00000030h] 13_2_00DBFAB0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D852A5 mov eax, dword ptr fs:[00000030h] 13_2_00D852A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D852A5 mov eax, dword ptr fs:[00000030h] 13_2_00D852A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D852A5 mov eax, dword ptr fs:[00000030h] 13_2_00D852A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D852A5 mov eax, dword ptr fs:[00000030h] 13_2_00D852A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D852A5 mov eax, dword ptr fs:[00000030h] 13_2_00D852A5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E3B260 mov eax, dword ptr fs:[00000030h] 13_2_00E3B260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E3B260 mov eax, dword ptr fs:[00000030h] 13_2_00E3B260
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E58A62 mov eax, dword ptr fs:[00000030h] 13_2_00E58A62
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D89240 mov eax, dword ptr fs:[00000030h] 13_2_00D89240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D89240 mov eax, dword ptr fs:[00000030h] 13_2_00D89240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D89240 mov eax, dword ptr fs:[00000030h] 13_2_00D89240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D89240 mov eax, dword ptr fs:[00000030h] 13_2_00D89240
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC927A mov eax, dword ptr fs:[00000030h] 13_2_00DC927A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4EA55 mov eax, dword ptr fs:[00000030h] 13_2_00E4EA55
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E14257 mov eax, dword ptr fs:[00000030h] 13_2_00E14257
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA3A1C mov eax, dword ptr fs:[00000030h] 13_2_00DA3A1C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D85210 mov eax, dword ptr fs:[00000030h] 13_2_00D85210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D85210 mov ecx, dword ptr fs:[00000030h] 13_2_00D85210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D85210 mov eax, dword ptr fs:[00000030h] 13_2_00D85210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D85210 mov eax, dword ptr fs:[00000030h] 13_2_00D85210
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8AA16 mov eax, dword ptr fs:[00000030h] 13_2_00D8AA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8AA16 mov eax, dword ptr fs:[00000030h] 13_2_00D8AA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D98A0A mov eax, dword ptr fs:[00000030h] 13_2_00D98A0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC4A2C mov eax, dword ptr fs:[00000030h] 13_2_00DC4A2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC4A2C mov eax, dword ptr fs:[00000030h] 13_2_00DC4A2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4AA16 mov eax, dword ptr fs:[00000030h] 13_2_00E4AA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4AA16 mov eax, dword ptr fs:[00000030h] 13_2_00E4AA16
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h] 13_2_00DAA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h] 13_2_00DAA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h] 13_2_00DAA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h] 13_2_00DAA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h] 13_2_00DAA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h] 13_2_00DAA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h] 13_2_00DAA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h] 13_2_00DAA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h] 13_2_00DAA229
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E053CA mov eax, dword ptr fs:[00000030h] 13_2_00E053CA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E053CA mov eax, dword ptr fs:[00000030h] 13_2_00E053CA
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DADBE9 mov eax, dword ptr fs:[00000030h] 13_2_00DADBE9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB03E2 mov eax, dword ptr fs:[00000030h] 13_2_00DB03E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB03E2 mov eax, dword ptr fs:[00000030h] 13_2_00DB03E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB03E2 mov eax, dword ptr fs:[00000030h] 13_2_00DB03E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB03E2 mov eax, dword ptr fs:[00000030h] 13_2_00DB03E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB03E2 mov eax, dword ptr fs:[00000030h] 13_2_00DB03E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB03E2 mov eax, dword ptr fs:[00000030h] 13_2_00DB03E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E55BA5 mov eax, dword ptr fs:[00000030h] 13_2_00E55BA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBB390 mov eax, dword ptr fs:[00000030h] 13_2_00DBB390
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB2397 mov eax, dword ptr fs:[00000030h] 13_2_00DB2397
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D91B8F mov eax, dword ptr fs:[00000030h] 13_2_00D91B8F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D91B8F mov eax, dword ptr fs:[00000030h] 13_2_00D91B8F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E3D380 mov ecx, dword ptr fs:[00000030h] 13_2_00E3D380
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4138A mov eax, dword ptr fs:[00000030h] 13_2_00E4138A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB4BAD mov eax, dword ptr fs:[00000030h] 13_2_00DB4BAD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB4BAD mov eax, dword ptr fs:[00000030h] 13_2_00DB4BAD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB4BAD mov eax, dword ptr fs:[00000030h] 13_2_00DB4BAD
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8F358 mov eax, dword ptr fs:[00000030h] 13_2_00D8F358
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8DB40 mov eax, dword ptr fs:[00000030h] 13_2_00D8DB40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB3B7A mov eax, dword ptr fs:[00000030h] 13_2_00DB3B7A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB3B7A mov eax, dword ptr fs:[00000030h] 13_2_00DB3B7A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8DB60 mov ecx, dword ptr fs:[00000030h] 13_2_00D8DB60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E58B58 mov eax, dword ptr fs:[00000030h] 13_2_00E58B58
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4131B mov eax, dword ptr fs:[00000030h] 13_2_00E4131B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06CF0 mov eax, dword ptr fs:[00000030h] 13_2_00E06CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06CF0 mov eax, dword ptr fs:[00000030h] 13_2_00E06CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06CF0 mov eax, dword ptr fs:[00000030h] 13_2_00E06CF0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E414FB mov eax, dword ptr fs:[00000030h] 13_2_00E414FB
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E58CD6 mov eax, dword ptr fs:[00000030h] 13_2_00E58CD6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9849B mov eax, dword ptr fs:[00000030h] 13_2_00D9849B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBA44B mov eax, dword ptr fs:[00000030h] 13_2_00DBA44B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1C450 mov eax, dword ptr fs:[00000030h] 13_2_00E1C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1C450 mov eax, dword ptr fs:[00000030h] 13_2_00E1C450
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA746D mov eax, dword ptr fs:[00000030h] 13_2_00DA746D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h] 13_2_00E41C06
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E5740D mov eax, dword ptr fs:[00000030h] 13_2_00E5740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E5740D mov eax, dword ptr fs:[00000030h] 13_2_00E5740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E5740D mov eax, dword ptr fs:[00000030h] 13_2_00E5740D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06C0A mov eax, dword ptr fs:[00000030h] 13_2_00E06C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06C0A mov eax, dword ptr fs:[00000030h] 13_2_00E06C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06C0A mov eax, dword ptr fs:[00000030h] 13_2_00E06C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06C0A mov eax, dword ptr fs:[00000030h] 13_2_00E06C0A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBBC2C mov eax, dword ptr fs:[00000030h] 13_2_00DBBC2C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4FDE2 mov eax, dword ptr fs:[00000030h] 13_2_00E4FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4FDE2 mov eax, dword ptr fs:[00000030h] 13_2_00E4FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4FDE2 mov eax, dword ptr fs:[00000030h] 13_2_00E4FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4FDE2 mov eax, dword ptr fs:[00000030h] 13_2_00E4FDE2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E38DF1 mov eax, dword ptr fs:[00000030h] 13_2_00E38DF1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h] 13_2_00E06DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h] 13_2_00E06DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h] 13_2_00E06DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06DC9 mov ecx, dword ptr fs:[00000030h] 13_2_00E06DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h] 13_2_00E06DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h] 13_2_00E06DC9
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9D5E0 mov eax, dword ptr fs:[00000030h] 13_2_00D9D5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9D5E0 mov eax, dword ptr fs:[00000030h] 13_2_00D9D5E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBFD9B mov eax, dword ptr fs:[00000030h] 13_2_00DBFD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBFD9B mov eax, dword ptr fs:[00000030h] 13_2_00DBFD9B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E505AC mov eax, dword ptr fs:[00000030h] 13_2_00E505AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E505AC mov eax, dword ptr fs:[00000030h] 13_2_00E505AC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h] 13_2_00D82D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h] 13_2_00D82D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h] 13_2_00D82D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h] 13_2_00D82D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h] 13_2_00D82D8A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB2581 mov eax, dword ptr fs:[00000030h] 13_2_00DB2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB2581 mov eax, dword ptr fs:[00000030h] 13_2_00DB2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB2581 mov eax, dword ptr fs:[00000030h] 13_2_00DB2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB2581 mov eax, dword ptr fs:[00000030h] 13_2_00DB2581
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB1DB5 mov eax, dword ptr fs:[00000030h] 13_2_00DB1DB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB1DB5 mov eax, dword ptr fs:[00000030h] 13_2_00DB1DB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB1DB5 mov eax, dword ptr fs:[00000030h] 13_2_00DB1DB5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB35A1 mov eax, dword ptr fs:[00000030h] 13_2_00DB35A1
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DA7D50 mov eax, dword ptr fs:[00000030h] 13_2_00DA7D50
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC3D43 mov eax, dword ptr fs:[00000030h] 13_2_00DC3D43
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E03540 mov eax, dword ptr fs:[00000030h] 13_2_00E03540
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E33D40 mov eax, dword ptr fs:[00000030h] 13_2_00E33D40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAC577 mov eax, dword ptr fs:[00000030h] 13_2_00DAC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAC577 mov eax, dword ptr fs:[00000030h] 13_2_00DAC577
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E58D34 mov eax, dword ptr fs:[00000030h] 13_2_00E58D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E0A537 mov eax, dword ptr fs:[00000030h] 13_2_00E0A537
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4E539 mov eax, dword ptr fs:[00000030h] 13_2_00E4E539
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB4D3B mov eax, dword ptr fs:[00000030h] 13_2_00DB4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB4D3B mov eax, dword ptr fs:[00000030h] 13_2_00DB4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB4D3B mov eax, dword ptr fs:[00000030h] 13_2_00DB4D3B
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8AD30 mov eax, dword ptr fs:[00000030h] 13_2_00D8AD30
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h] 13_2_00D93D34
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB36CC mov eax, dword ptr fs:[00000030h] 13_2_00DB36CC
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC8EC7 mov eax, dword ptr fs:[00000030h] 13_2_00DC8EC7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E3FEC0 mov eax, dword ptr fs:[00000030h] 13_2_00E3FEC0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E58ED6 mov eax, dword ptr fs:[00000030h] 13_2_00E58ED6
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB16E0 mov ecx, dword ptr fs:[00000030h] 13_2_00DB16E0
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D976E2 mov eax, dword ptr fs:[00000030h] 13_2_00D976E2
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E50EA5 mov eax, dword ptr fs:[00000030h] 13_2_00E50EA5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E046A7 mov eax, dword ptr fs:[00000030h] 13_2_00E046A7
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1FE87 mov eax, dword ptr fs:[00000030h] 13_2_00E1FE87
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D97E41 mov eax, dword ptr fs:[00000030h] 13_2_00D97E41
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E4AE44 mov eax, dword ptr fs:[00000030h] 13_2_00E4AE44
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAAE73 mov eax, dword ptr fs:[00000030h] 13_2_00DAAE73
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9766D mov eax, dword ptr fs:[00000030h] 13_2_00D9766D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBA61C mov eax, dword ptr fs:[00000030h] 13_2_00DBA61C
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8C600 mov eax, dword ptr fs:[00000030h] 13_2_00D8C600
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DB8E00 mov eax, dword ptr fs:[00000030h] 13_2_00DB8E00
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E3FE3F mov eax, dword ptr fs:[00000030h] 13_2_00E3FE3F
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E41608 mov eax, dword ptr fs:[00000030h] 13_2_00E41608
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D8E620 mov eax, dword ptr fs:[00000030h] 13_2_00D8E620
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DC37F5 mov eax, dword ptr fs:[00000030h] 13_2_00DC37F5
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D98794 mov eax, dword ptr fs:[00000030h] 13_2_00D98794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E07794 mov eax, dword ptr fs:[00000030h] 13_2_00E07794
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E58F6A mov eax, dword ptr fs:[00000030h] 13_2_00E58F6A
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9EF40 mov eax, dword ptr fs:[00000030h] 13_2_00D9EF40
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D9FF60 mov eax, dword ptr fs:[00000030h] 13_2_00D9FF60
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAF716 mov eax, dword ptr fs:[00000030h] 13_2_00DAF716
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBA70E mov eax, dword ptr fs:[00000030h] 13_2_00DBA70E
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DAB73D mov eax, dword ptr fs:[00000030h] 13_2_00DAB73D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E5070D mov eax, dword ptr fs:[00000030h] 13_2_00E5070D
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00DBE730 mov eax, dword ptr fs:[00000030h] 13_2_00DBE730
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00E1FF10 mov eax, dword ptr fs:[00000030h] 13_2_00E1FF10
Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_00D84F2E mov eax, dword ptr fs:[00000030h] 13_2_00D84F2E
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0040ACF0 LdrLoadDll, 2_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_0119439B SetUnhandledExceptionFilter, 1_2_0119439B
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_011943CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_011943CC
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_0119439B SetUnhandledExceptionFilter, 2_2_0119439B
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 2_2_011943CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_011943CC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 170.75.150.177 80
Source: C:\Windows\explorer.exe Domain query: www.lume24.com
Source: C:\Windows\explorer.exe Domain query: www.cryptocurrenciesmarketcaps.com
Source: C:\Windows\explorer.exe Network Connect: 35.186.238.101 80
Source: C:\Windows\explorer.exe Domain query: www.qzbozhijy.com
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 1100000
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Thread register set: target process: 684
Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 684
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
Source: explorer.exe, 00000005.00000000.489396240.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.476859972.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.454406886.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.531751140.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.485252952.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.469233599.0000000000E38000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.485252952.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.469433162.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.445292066.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: YProgram Managerf
Source: explorer.exe, 00000005.00000000.485252952.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.469433162.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.445292066.0000000001430000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_01193283 cpuid 1_2_01193283
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe Code function: 1_2_01193EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_01193EC8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646

Stealing of Sensitive Information

Source: Yara match File source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY