Windows Analysis Report
Hbi8WUpShm.exe

Overview

General Information

Sample Name: Hbi8WUpShm.exe
Original Sample Name: 9739b15bd8493e99e281d62d213ddc4cce684b1e833af4634932c57a669035fc.exe
Analysis ID: 830325
MD5: 00a41a4804673581f675471bffa2bafc
SHA1: a9ebc4956b89e080451dbe619176a7e9ab8c8dd9
SHA256: 9739b15bd8493e99e281d62d213ddc4cce684b1e833af4634932c57a669035fc
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Found decision node followed by non-executed suspicious APIs
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Hbi8WUpShm.exe ReversingLabs: Detection: 84%
Source: Yara match File source: Hbi8WUpShm.exe, type: SAMPLE
Source: Yara match File source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Hbi8WUpShm.exe Avira: detected
Source: http://www.alessandromargonari.com/nu06/www.languageforall.africa Avira URL Cloud: Label: malware
Source: http://www.alessandromargonari.com/nu06/ Avira URL Cloud: Label: malware
Source: http://www.arrindellnotary.com/nu06/ Avira URL Cloud: Label: malware
Source: http://www.edu-degrees-89998.com/nu06/www.arrindellnotary.com Avira URL Cloud: Label: malware
Source: http://www.eltres-iot.info/nu06/www.smartmetersystems.co.uk Avira URL Cloud: Label: malware
Source: http://www.letstalkreparation.com/nu06/www.zwangerschapvanweektotweek.net Avira URL Cloud: Label: malware
Source: http://www.heikeshuwu.com/nu06/www.alessandromargonari.com Avira URL Cloud: Label: malware
Source: http://www.hervelegerdressshop.co.uk/nu06/www.edu-degrees-89998.com Avira URL Cloud: Label: malware
Source: http://www.alexwright.xyz/nu06/ Avira URL Cloud: Label: malware
Source: http://www.edu-degrees-89998.com/nu06/ Avira URL Cloud: Label: malware
Source: http://www.heikeshuwu.com/nu06/ Avira URL Cloud: Label: malware
Source: http://www.ballinc.online/nu06/ Avira URL Cloud: Label: malware
Source: http://www.hervelegerdressshop.co.uk/nu06/ Avira URL Cloud: Label: malware
Source: http://www.smartmetersystems.co.uk/nu06/ Avira URL Cloud: Label: malware
Source: http://www.evaluatemyathlete.com/nu06/www.coiffeur-kosmetik-basel1.ch Avira URL Cloud: Label: malware
Source: http://www.languageforall.africa/nu06/www.eltres-iot.info Avira URL Cloud: Label: malware
Source: http://www.zwangerschapvanweektotweek.net/nu06/www.gonulserezart.com Avira URL Cloud: Label: malware
Source: http://www.eltres-iot.info/nu06/ Avira URL Cloud: Label: malware
Source: http://www.languageforall.africa/nu06/ Avira URL Cloud: Label: malware
Source: http://www.pyvob.xyz Avira URL Cloud: Label: malware
Source: http://www.smartmetersystems.co.uk/nu06/www.alexwright.xyz Avira URL Cloud: Label: malware
Source: http://www.evaluatemyathlete.com/nu06/?4h8xq=AAU7dHxOAmD1XA8vVT3AMGpmmEX+lZnDYwXHz32oiklDU/SqaBIxIuHdufVlmX9k3aqv&UrZ=9rv4vpj Avira URL Cloud: Label: malware
Source: http://www.pyvob.xyz/nu06/www.heikeshuwu.com Avira URL Cloud: Label: malware
Source: www.eltres-iot.info/nu06/ Avira URL Cloud: Label: malware
Source: http://www.coiffeur-kosmetik-basel1.ch/nu06/www.pyvob.xyz Avira URL Cloud: Label: malware
Source: http://www.gonulserezart.com/nu06/www.evaluatemyathlete.com Avira URL Cloud: Label: malware
Source: http://www.gonulserezart.com/nu06/?UrZ=9rv4vpj&4h8xq=XguJjI6AKJ7iGHg0sIvbxor8PKuuNZIswUYLv8brtIVcEL19nblZmBuHZOHdf2lpP/kE Avira URL Cloud: Label: malware
Source: http://www.gonulserezart.com/nu06/ Avira URL Cloud: Label: malware
Source: http://www.evaluatemyathlete.com/nu06/ Avira URL Cloud: Label: malware
Source: http://www.coiffeur-kosmetik-basel1.ch/nu06/ Avira URL Cloud: Label: malware
Source: http://www.pyvob.xyz/nu06/ Avira URL Cloud: Label: malware
Source: http://www.ballinc.online/nu06/www.hervelegerdressshop.co.uk Avira URL Cloud: Label: malware
Source: http://www.zwangerschapvanweektotweek.net/nu06/?4h8xq=RzhUDSljQ8La7qrFgsCqcMZ5F/GKaWYSy/YExKb0zDK6Qw0jyiEXU4SBBDL3oY4sWHH+&UrZ=9rv4vpj Avira URL Cloud: Label: malware
Source: http://www.alexwright.xyz/nu06/www.ballinc.online Avira URL Cloud: Label: malware
Source: http://www.zwangerschapvanweektotweek.net/nu06/ Avira URL Cloud: Label: malware
Source: http://www.letstalkreparation.com/nu06/ Avira URL Cloud: Label: malware
Source: Hbi8WUpShm.exe Joe Sandbox ML: detected
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.eltres-iot.info/nu06/"], "decoy": ["cutmentor.net", "alexwright.xyz", "gymbastic.com", "creperie-lalios.com", "equipmentblock.com", "zwangerschapvanweektotweek.net", "asimulationcompany.com", "g9technoinnovation.com", "bestbirdies.xyz", "addhair.online", "get-breakfastburns.com", "aex-studentki.guru", "jhpx888.com", "gemologic.dev", "thegreencarshop.co.uk", "alessandromargonari.com", "cosmosynz.click", "letstalkreparation.com", "bka-i.com", "hervelegerdressshop.co.uk", "xn--5hqsa64xi8tdhd1xsp5oyyi.com", "jobstrendpk.com", "pavilionroofingservices.co.uk", "gonulserezart.com", "iby923.xyz", "languageforall.africa", "helloular3.com", "faster1.one", "lborient.com", "bzhxqm.com", "smartmetersystems.co.uk", "icfc2019.com", "handymantroop.com", "mychefacademy.com", "credit-cards-70626.com", "letmewowyou.com", "cityguide.africa", "dismissalnoise.com", "edu-degrees-89998.com", "estebanecheverry.com", "celsopaula.com", "jihuajl.com", "pyvob.xyz", "gdbdkj.com", "ballinc.online", "amadeussalem.net", "ievc-technologies.com", "arrindellnotary.com", "laneseempowerment.com", "bullreward.com", "evaluatemyathlete.com", "seu-qzs.com", "hexmexico.com", "coiffeur-kosmetik-basel1.ch", "1wacdu.top", "hoot.software", "goldhillmesatimes.com", "jobsnailikely.com", "cyberlavender.com", "ldgyb.com", "crunchtimemotion.com", "xn--74q746a2tj.net", "heikeshuwu.com", "fotel.xyz"]}
Source: Hbi8WUpShm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Hbi8WUpShm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: chkdsk.pdbGCTL source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: chkdsk.pdb source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.000000000549F000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.0000000005380000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.344421529.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.339337414.0000000000E16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000002.00000002.573987841.000000000549F000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.0000000005380000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.344421529.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.339337414.0000000000E16000.00000004.00000020.00020000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Domain query: www.letstalkreparation.com
Source: C:\Windows\explorer.exe Domain query: www.zwangerschapvanweektotweek.net
Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe Network Connect: 34.117.168.233 80
Source: C:\Windows\explorer.exe Domain query: www.gonulserezart.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.evaluatemyathlete.com
Source: C:\Windows\explorer.exe Network Connect: 91.218.127.118 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49699 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49699 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49699 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49701 -> 34.117.168.233:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49701 -> 34.117.168.233:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49701 -> 34.117.168.233:80
Source: Malware configuration extractor URLs: www.eltres-iot.info/nu06/
Source: Joe Sandbox View ASN Name: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Source: global traffic HTTP traffic detected: GET /nu06/?UrZ=9rv4vpj&4h8xq=OZMvKvxZ5i73HD5IFsv1VHO5ZNO69iYYlfpbYuxpW74QVU2iMlDxxLJrAbC6wwddpRFg HTTP/1.1 | Host: www.letstalkreparation.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /nu06/?4h8xq=RzhUDSljQ8La7qrFgsCqcMZ5F/GKaWYSy/YExKb0zDK6Qw0jyiEXU4SBBDL3oY4sWHH+&UrZ=9rv4vpj HTTP/1.1 | Host: www.zwangerschapvanweektotweek.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /nu06/?UrZ=9rv4vpj&4h8xq=XguJjI6AKJ7iGHg0sIvbxor8PKuuNZIswUYLv8brtIVcEL19nblZmBuHZOHdf2lpP/kE HTTP/1.1 | Host: www.gonulserezart.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /nu06/?4h8xq=AAU7dHxOAmD1XA8vVT3AMGpmmEX+lZnDYwXHz32oiklDU/SqaBIxIuHdufVlmX9k3aqv&UrZ=9rv4vpj HTTP/1.1 | Host: www.evaluatemyathlete.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View IP Address: 34.117.168.233
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Mon, 20 Mar 2023 08:11:35 GMT | Content-Type: text/html | Content-Length: 291 | ETag: "63f88c83-123" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Mon, 20 Mar 2023 08:12:38 GMT | Content-Type: text/html | Content-Length: 291 | ETag: "63f88c83-123" | Via: 1.1 google | Connection: close | Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alessandromargonari.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alessandromargonari.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alessandromargonari.com/nu06/www.languageforall.africa
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alessandromargonari.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alexwright.xyz
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alexwright.xyz/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alexwright.xyz/nu06/www.ballinc.online
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.alexwright.xyzReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arrindellnotary.com
Source: explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arrindellnotary.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.arrindellnotary.comReferer:
Source: explorer.exe, 00000001.00000000.308784009.000000000091F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.573479962.0000000000921000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ballinc.online
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ballinc.online/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ballinc.online/nu06/www.hervelegerdressshop.co.uk
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ballinc.onlineReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.coiffeur-kosmetik-basel1.ch
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.coiffeur-kosmetik-basel1.ch/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.coiffeur-kosmetik-basel1.ch/nu06/www.pyvob.xyz
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.coiffeur-kosmetik-basel1.chReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.edu-degrees-89998.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.edu-degrees-89998.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.edu-degrees-89998.com/nu06/www.arrindellnotary.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.edu-degrees-89998.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eltres-iot.info
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eltres-iot.info/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eltres-iot.info/nu06/www.smartmetersystems.co.uk
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.eltres-iot.infoReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.evaluatemyathlete.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.evaluatemyathlete.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.evaluatemyathlete.com/nu06/www.coiffeur-kosmetik-basel1.ch
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.evaluatemyathlete.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gonulserezart.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gonulserezart.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gonulserezart.com/nu06/www.evaluatemyathlete.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.gonulserezart.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.heikeshuwu.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.heikeshuwu.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.heikeshuwu.com/nu06/www.alessandromargonari.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.heikeshuwu.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hervelegerdressshop.co.uk
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hervelegerdressshop.co.uk/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hervelegerdressshop.co.uk/nu06/www.edu-degrees-89998.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.hervelegerdressshop.co.ukReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.languageforall.africa
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.languageforall.africa/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.languageforall.africa/nu06/www.eltres-iot.info
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.languageforall.africaReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.letstalkreparation.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.letstalkreparation.com/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.letstalkreparation.com/nu06/www.zwangerschapvanweektotweek.net
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.letstalkreparation.comReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.pyvob.xyz
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.pyvob.xyz/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.pyvob.xyz/nu06/www.heikeshuwu.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.pyvob.xyzReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.smartmetersystems.co.uk
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.smartmetersystems.co.uk/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.smartmetersystems.co.uk/nu06/www.alexwright.xyz
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.smartmetersystems.co.ukReferer:
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zwangerschapvanweektotweek.net
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zwangerschapvanweektotweek.net/nu06/
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zwangerschapvanweektotweek.net/nu06/www.gonulserezart.com
Source: explorer.exe, 00000001.00000003.533978211.000000000ED66000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.584394622.000000000ED69000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.zwangerschapvanweektotweek.netReferer:
Source: unknown DNS traffic detected: queries for: www.letstalkreparation.com
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8BF82 getaddrinfo,setsockopt,recv, 1_2_0FB8BF82
Source: global traffic HTTP traffic detected: GET /nu06/?UrZ=9rv4vpj&4h8xq=OZMvKvxZ5i73HD5IFsv1VHO5ZNO69iYYlfpbYuxpW74QVU2iMlDxxLJrAbC6wwddpRFg HTTP/1.1Host: www.letstalkreparation.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nu06/?4h8xq=RzhUDSljQ8La7qrFgsCqcMZ5F/GKaWYSy/YExKb0zDK6Qw0jyiEXU4SBBDL3oY4sWHH+&UrZ=9rv4vpj HTTP/1.1Host: www.zwangerschapvanweektotweek.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nu06/?UrZ=9rv4vpj&4h8xq=XguJjI6AKJ7iGHg0sIvbxor8PKuuNZIswUYLv8brtIVcEL19nblZmBuHZOHdf2lpP/kE HTTP/1.1Host: www.gonulserezart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /nu06/?4h8xq=AAU7dHxOAmD1XA8vVT3AMGpmmEX+lZnDYwXHz32oiklDU/SqaBIxIuHdufVlmX9k3aqv&UrZ=9rv4vpj HTTP/1.1Host: www.evaluatemyathlete.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Source: Yara match File source: Hbi8WUpShm.exe, type: SAMPLE
Source: Yara match File source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: Hbi8WUpShm.exe, type: SAMPLE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Hbi8WUpShm.exe, type: SAMPLE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: Hbi8WUpShm.exe, type: SAMPLE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.585228598.000000000FBA3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: Hbi8WUpShm.exe PID: 5868, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: chkdsk.exe PID: 6012, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Hbi8WUpShm.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Hbi8WUpShm.exe, type: SAMPLE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Hbi8WUpShm.exe, type: SAMPLE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: Hbi8WUpShm.exe, type: SAMPLE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.585228598.000000000FBA3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: Hbi8WUpShm.exe PID: 5868, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 3324, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: chkdsk.exe PID: 6012, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_00831030 0_2_00831030
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084E1AB 0_2_0084E1AB
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084D9FC 0_2_0084D9FC
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084DABE 0_2_0084DABE
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084EBE1 0_2_0084EBE1
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_00832D87 0_2_00832D87
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_00832D90 0_2_00832D90
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084D5A6 0_2_0084D5A6
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084D5A3 0_2_0084D5A3
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084E55F 0_2_0084E55F
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_00839E5B 0_2_00839E5B
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_00839E60 0_2_00839E60
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_00832FB0 0_2_00832FB0
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084E7E3 0_2_0084E7E3
Source: C:\Windows\explorer.exe Code function: 1_2_0E44F232 1_2_0E44F232
Source: C:\Windows\explorer.exe Code function: 1_2_0E449B30 1_2_0E449B30
Source: C:\Windows\explorer.exe Code function: 1_2_0E449B32 1_2_0E449B32
Source: C:\Windows\explorer.exe Code function: 1_2_0E44E036 1_2_0E44E036
Source: C:\Windows\explorer.exe Code function: 1_2_0E445082 1_2_0E445082
Source: C:\Windows\explorer.exe Code function: 1_2_0E446D02 1_2_0E446D02
Source: C:\Windows\explorer.exe Code function: 1_2_0E44C912 1_2_0E44C912
Source: C:\Windows\explorer.exe Code function: 1_2_0E4525CD 1_2_0E4525CD
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8B232 1_2_0FB8B232
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8E5CD 1_2_0FB8E5CD
Source: C:\Windows\explorer.exe Code function: 1_2_0FB85B30 1_2_0FB85B30
Source: C:\Windows\explorer.exe Code function: 1_2_0FB85B32 1_2_0FB85B32
Source: C:\Windows\explorer.exe Code function: 1_2_0FB88912 1_2_0FB88912
Source: C:\Windows\explorer.exe Code function: 1_2_0FB82D02 1_2_0FB82D02
Source: C:\Windows\explorer.exe Code function: 1_2_0FB81082 1_2_0FB81082
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8A036 1_2_0FB8A036
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05471D55 2_2_05471D55
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A0D20 2_2_053A0D20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05472D07 2_2_05472D07
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054725DD 2_2_054725DD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D2581 2_2_053D2581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BD5E0 2_2_053BD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546D466 2_2_0546D466
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B841F 2_2_053B841F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05471FF1 2_2_05471FF1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C6E30 2_2_053C6E30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546D616 2_2_0546D616
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05472EF7 2_2_05472EF7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C4120 2_2_053C4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AF900 2_2_053AF900
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461002 2_2_05461002
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D20A0 2_2_053D20A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BB090 2_2_053BB090
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054728EC 2_2_054728EC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054720A8 2_2_054720A8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05472B28 2_2_05472B28
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DEBB0 2_2_053DEBB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546DBD2 2_2_0546DBD2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054722AE 2_2_054722AE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_008F2D87 2_2_008F2D87
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_008F2D90 2_2_008F2D90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090D5A3 2_2_0090D5A3
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090D5A6 2_2_0090D5A6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_008F9E5B 2_2_008F9E5B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_008F9E60 2_2_008F9E60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_008F2FB0 2_2_008F2FB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090E7E3 2_2_0090E7E3
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 053AB150 appears 35 times
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084A360 NtCreateFile, 0_2_0084A360
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084A490 NtClose, 0_2_0084A490
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084A410 NtReadFile, 0_2_0084A410
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084A540 NtAllocateVirtualMemory, 0_2_0084A540
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084A35A NtCreateFile, 0_2_0084A35A
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084A48A NtClose, 0_2_0084A48A
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084A40C NtReadFile, 0_2_0084A40C
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8B232 NtCreateFile, 1_2_0FB8B232
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8CE12 NtProtectVirtualMemory, 1_2_0FB8CE12
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8CE0A NtProtectVirtualMemory, 1_2_0FB8CE0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9540 NtReadFile,LdrInitializeThunk, 2_2_053E9540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E95D0 NtClose,LdrInitializeThunk, 2_2_053E95D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9710 NtQueryInformationToken,LdrInitializeThunk, 2_2_053E9710
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9780 NtMapViewOfSection,LdrInitializeThunk, 2_2_053E9780
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9FE0 NtCreateMutant,LdrInitializeThunk, 2_2_053E9FE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_053E9660
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9650 NtQueryValueKey,LdrInitializeThunk, 2_2_053E9650
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_053E96E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E96D0 NtCreateKey,LdrInitializeThunk, 2_2_053E96D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_053E9910
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E99A0 NtCreateSection,LdrInitializeThunk, 2_2_053E99A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_053E9860
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9840 NtDelayExecution,LdrInitializeThunk, 2_2_053E9840
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9A50 NtCreateFile,LdrInitializeThunk, 2_2_053E9A50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053EAD30 NtSetContextThread, 2_2_053EAD30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9520 NtWaitForSingleObject, 2_2_053E9520
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9560 NtWriteFile, 2_2_053E9560
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E95F0 NtQueryInformationFile, 2_2_053E95F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9730 NtQueryVirtualMemory, 2_2_053E9730
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053EA710 NtOpenProcessToken, 2_2_053EA710
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053EA770 NtOpenThread, 2_2_053EA770
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9770 NtSetInformationFile, 2_2_053E9770
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9760 NtOpenProcess, 2_2_053E9760
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E97A0 NtUnmapViewOfSection, 2_2_053E97A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9610 NtEnumerateValueKey, 2_2_053E9610
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9670 NtQueryInformationProcess, 2_2_053E9670
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9950 NtQueueApcThread, 2_2_053E9950
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E99D0 NtCreateProcessEx, 2_2_053E99D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9820 NtEnumerateKey, 2_2_053E9820
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053EB040 NtSuspendThread, 2_2_053EB040
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E98A0 NtWriteVirtualMemory, 2_2_053E98A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E98F0 NtReadVirtualMemory, 2_2_053E98F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9B00 NtSetValueKey, 2_2_053E9B00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053EA3B0 NtGetContextThread, 2_2_053EA3B0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9A20 NtResumeThread, 2_2_053E9A20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9A10 NtQuerySection, 2_2_053E9A10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9A00 NtProtectVirtualMemory, 2_2_053E9A00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E9A80 NtOpenDirectoryObject, 2_2_053E9A80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090A360 NtCreateFile, 2_2_0090A360
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090A490 NtClose, 2_2_0090A490
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090A410 NtReadFile, 2_2_0090A410
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090A540 NtAllocateVirtualMemory, 2_2_0090A540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090A35A NtCreateFile, 2_2_0090A35A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090A48A NtClose, 2_2_0090A48A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090A40C NtReadFile, 2_2_0090A40C
Source: Hbi8WUpShm.exe Static PE information: No import functions for PE file found
Source: Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000D95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Hbi8WUpShm.exe
Source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Hbi8WUpShm.exe
Source: Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Hbi8WUpShm.exe
Source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA6000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs Hbi8WUpShm.exe
Source: Hbi8WUpShm.exe, 00000000.00000002.343927149.00000000010BF000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Hbi8WUpShm.exe
Source: Hbi8WUpShm.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Hbi8WUpShm.exe Static PE information: Section .text
Source: Hbi8WUpShm.exe ReversingLabs: Detection: 84%
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Hbi8WUpShm.exe C:\Users\user\Desktop\Hbi8WUpShm.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Hbi8WUpShm.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{c53e07ec-25f3-4093-aa39-fc67ea22e99d}\InProcServer32
Source: classification engine Classification label: mal100.troj.evad.winEXE@6/1@4/4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3536:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Hbi8WUpShm.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: chkdsk.pdbGCTL source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: chkdsk.pdb source: Hbi8WUpShm.exe, 00000000.00000002.343821234.0000000000DA0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.000000000549F000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.0000000005380000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.344421529.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.339337414.0000000000E16000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000F2F000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.306876462.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000002.343927149.0000000000E10000.00000040.00001000.00020000.00000000.sdmp, Hbi8WUpShm.exe, 00000000.00000003.305219114.0000000000AE2000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000002.00000002.573987841.000000000549F000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000002.573987841.0000000005380000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.344421529.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000002.00000003.339337414.0000000000E16000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084D4B5 push eax; ret 0_2_0084D508
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084D502 push eax; ret 0_2_0084D508
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_00849D02 push eax; retf 0_2_00849D0F
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084D50B push eax; ret 0_2_0084D572
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0084D56C push eax; ret 0_2_0084D572
Source: C:\Windows\explorer.exe Code function: 1_2_0E452B02 push esp; retn 0000h 1_2_0E452B03
Source: C:\Windows\explorer.exe Code function: 1_2_0E452B1E push esp; retn 0000h 1_2_0E452B1F
Source: C:\Windows\explorer.exe Code function: 1_2_0E4529B5 push esp; retn 0000h 1_2_0E452AE7
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8E9B5 push esp; retn 0000h 1_2_0FB8EAE7
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8EB1E push esp; retn 0000h 1_2_0FB8EB1F
Source: C:\Windows\explorer.exe Code function: 1_2_0FB8EB02 push esp; retn 0000h 1_2_0FB8EB03
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053FD0D1 push ecx; ret 2_2_053FD0E4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090E1A1 pushfd ; retf 2_2_0090E1A2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090D4B5 push eax; ret 2_2_0090D508
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090D502 push eax; ret 2_2_0090D508
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_00909D02 push eax; retf 2_2_00909D0F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090D50B push eax; ret 2_2_0090D572
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0090D56C push eax; ret 2_2_0090D572
Source: initial sample Static PE information: section name: .text entropy: 7.411530981126198

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE4
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Hbi8WUpShm.exe RDTSC instruction interceptor: First address: 0000000000839904 second address: 000000000083990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe RDTSC instruction interceptor: First address: 0000000000839B7E second address: 0000000000839B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 00000000008F9904 second address: 00000000008F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 00000000008F9B7E second address: 00000000008F9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 4516 Thread sleep time: -46000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_00839AB0 rdtsc 0_2_00839AB0
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 864
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 870
Source: C:\Windows\SysWOW64\chkdsk.exe API coverage: 9.5 %
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Process information queried: ProcessInformation
Source: explorer.exe, 00000001.00000003.547529114.0000000008644000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000001.00000002.584967768.000000000F04A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: vmcI"/
Source: explorer.exe, 00000001.00000000.308784009.000000000091F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000003.534691963.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
Source: explorer.exe, 00000001.00000003.534691963.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000002.575054265.0000000004437000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000001.00000003.535663437.000000000F083000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533653493.000000000F073000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000001.00000003.534691963.00000000086E7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000001.00000003.547529114.0000000008644000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000001.00000002.584326671.000000000ED55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.533800571.000000000ED55000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.536283884.000000000ED55000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05423540 mov eax, dword ptr fs:[00000030h] 2_2_05423540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D4D3B mov eax, dword ptr fs:[00000030h] 2_2_053D4D3B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AAD30 mov eax, dword ptr fs:[00000030h] 2_2_053AAD30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B3D34 mov eax, dword ptr fs:[00000030h] 2_2_053B3D34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CC577 mov eax, dword ptr fs:[00000030h] 2_2_053CC577
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C7D50 mov eax, dword ptr fs:[00000030h] 2_2_053C7D50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05478D34 mov eax, dword ptr fs:[00000030h] 2_2_05478D34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0542A537 mov eax, dword ptr fs:[00000030h] 2_2_0542A537
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E3D43 mov eax, dword ptr fs:[00000030h] 2_2_053E3D43
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546E539 mov eax, dword ptr fs:[00000030h] 2_2_0546E539
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D1DB5 mov eax, dword ptr fs:[00000030h] 2_2_053D1DB5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h] 2_2_05426DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h] 2_2_05426DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h] 2_2_05426DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426DC9 mov ecx, dword ptr fs:[00000030h] 2_2_05426DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h] 2_2_05426DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426DC9 mov eax, dword ptr fs:[00000030h] 2_2_05426DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D35A1 mov eax, dword ptr fs:[00000030h] 2_2_053D35A1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0546FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0546FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0546FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0546FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DFD9B mov eax, dword ptr fs:[00000030h] 2_2_053DFD9B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DFD9B mov eax, dword ptr fs:[00000030h] 2_2_053DFD9B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h] 2_2_053A2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h] 2_2_053A2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h] 2_2_053A2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h] 2_2_053A2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A2D8A mov eax, dword ptr fs:[00000030h] 2_2_053A2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05458DF1 mov eax, dword ptr fs:[00000030h] 2_2_05458DF1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D2581 mov eax, dword ptr fs:[00000030h] 2_2_053D2581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D2581 mov eax, dword ptr fs:[00000030h] 2_2_053D2581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D2581 mov eax, dword ptr fs:[00000030h] 2_2_053D2581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D2581 mov eax, dword ptr fs:[00000030h] 2_2_053D2581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BD5E0 mov eax, dword ptr fs:[00000030h] 2_2_053BD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BD5E0 mov eax, dword ptr fs:[00000030h] 2_2_053BD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054705AC mov eax, dword ptr fs:[00000030h] 2_2_054705AC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054705AC mov eax, dword ptr fs:[00000030h] 2_2_054705AC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DBC2C mov eax, dword ptr fs:[00000030h] 2_2_053DBC2C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543C450 mov eax, dword ptr fs:[00000030h] 2_2_0543C450
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543C450 mov eax, dword ptr fs:[00000030h] 2_2_0543C450
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461C06 mov eax, dword ptr fs:[00000030h] 2_2_05461C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426C0A mov eax, dword ptr fs:[00000030h] 2_2_05426C0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426C0A mov eax, dword ptr fs:[00000030h] 2_2_05426C0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426C0A mov eax, dword ptr fs:[00000030h] 2_2_05426C0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426C0A mov eax, dword ptr fs:[00000030h] 2_2_05426C0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0547740D mov eax, dword ptr fs:[00000030h] 2_2_0547740D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0547740D mov eax, dword ptr fs:[00000030h] 2_2_0547740D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0547740D mov eax, dword ptr fs:[00000030h] 2_2_0547740D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C746D mov eax, dword ptr fs:[00000030h] 2_2_053C746D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DA44B mov eax, dword ptr fs:[00000030h] 2_2_053DA44B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05478CD6 mov eax, dword ptr fs:[00000030h] 2_2_05478CD6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B849B mov eax, dword ptr fs:[00000030h] 2_2_053B849B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426CF0 mov eax, dword ptr fs:[00000030h] 2_2_05426CF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426CF0 mov eax, dword ptr fs:[00000030h] 2_2_05426CF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05426CF0 mov eax, dword ptr fs:[00000030h] 2_2_05426CF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054614FB mov eax, dword ptr fs:[00000030h] 2_2_054614FB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DE730 mov eax, dword ptr fs:[00000030h] 2_2_053DE730
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A4F2E mov eax, dword ptr fs:[00000030h] 2_2_053A4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A4F2E mov eax, dword ptr fs:[00000030h] 2_2_053A4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CF716 mov eax, dword ptr fs:[00000030h] 2_2_053CF716
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05478F6A mov eax, dword ptr fs:[00000030h] 2_2_05478F6A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DA70E mov eax, dword ptr fs:[00000030h] 2_2_053DA70E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DA70E mov eax, dword ptr fs:[00000030h] 2_2_053DA70E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0547070D mov eax, dword ptr fs:[00000030h] 2_2_0547070D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0547070D mov eax, dword ptr fs:[00000030h] 2_2_0547070D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543FF10 mov eax, dword ptr fs:[00000030h] 2_2_0543FF10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543FF10 mov eax, dword ptr fs:[00000030h] 2_2_0543FF10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BFF60 mov eax, dword ptr fs:[00000030h] 2_2_053BFF60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BEF40 mov eax, dword ptr fs:[00000030h] 2_2_053BEF40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B8794 mov eax, dword ptr fs:[00000030h] 2_2_053B8794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E37F5 mov eax, dword ptr fs:[00000030h] 2_2_053E37F5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05427794 mov eax, dword ptr fs:[00000030h] 2_2_05427794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05427794 mov eax, dword ptr fs:[00000030h] 2_2_05427794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05427794 mov eax, dword ptr fs:[00000030h] 2_2_05427794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546AE44 mov eax, dword ptr fs:[00000030h] 2_2_0546AE44
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546AE44 mov eax, dword ptr fs:[00000030h] 2_2_0546AE44
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AE620 mov eax, dword ptr fs:[00000030h] 2_2_053AE620
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DA61C mov eax, dword ptr fs:[00000030h] 2_2_053DA61C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DA61C mov eax, dword ptr fs:[00000030h] 2_2_053DA61C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AC600 mov eax, dword ptr fs:[00000030h] 2_2_053AC600
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AC600 mov eax, dword ptr fs:[00000030h] 2_2_053AC600
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AC600 mov eax, dword ptr fs:[00000030h] 2_2_053AC600
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D8E00 mov eax, dword ptr fs:[00000030h] 2_2_053D8E00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05461608 mov eax, dword ptr fs:[00000030h] 2_2_05461608
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h] 2_2_053CAE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h] 2_2_053CAE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h] 2_2_053CAE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h] 2_2_053CAE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CAE73 mov eax, dword ptr fs:[00000030h] 2_2_053CAE73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B766D mov eax, dword ptr fs:[00000030h] 2_2_053B766D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0545FE3F mov eax, dword ptr fs:[00000030h] 2_2_0545FE3F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h] 2_2_053B7E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h] 2_2_053B7E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h] 2_2_053B7E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h] 2_2_053B7E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h] 2_2_053B7E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B7E41 mov eax, dword ptr fs:[00000030h] 2_2_053B7E41
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0545FEC0 mov eax, dword ptr fs:[00000030h] 2_2_0545FEC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05478ED6 mov eax, dword ptr fs:[00000030h] 2_2_05478ED6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543FE87 mov eax, dword ptr fs:[00000030h] 2_2_0543FE87
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B76E2 mov eax, dword ptr fs:[00000030h] 2_2_053B76E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D16E0 mov ecx, dword ptr fs:[00000030h] 2_2_053D16E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05470EA5 mov eax, dword ptr fs:[00000030h] 2_2_05470EA5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05470EA5 mov eax, dword ptr fs:[00000030h] 2_2_05470EA5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05470EA5 mov eax, dword ptr fs:[00000030h] 2_2_05470EA5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054246A7 mov eax, dword ptr fs:[00000030h] 2_2_054246A7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D36CC mov eax, dword ptr fs:[00000030h] 2_2_053D36CC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E8EC7 mov eax, dword ptr fs:[00000030h] 2_2_053E8EC7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D513A mov eax, dword ptr fs:[00000030h] 2_2_053D513A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D513A mov eax, dword ptr fs:[00000030h] 2_2_053D513A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C4120 mov eax, dword ptr fs:[00000030h] 2_2_053C4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C4120 mov eax, dword ptr fs:[00000030h] 2_2_053C4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C4120 mov eax, dword ptr fs:[00000030h] 2_2_053C4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C4120 mov eax, dword ptr fs:[00000030h] 2_2_053C4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C4120 mov ecx, dword ptr fs:[00000030h] 2_2_053C4120
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A9100 mov eax, dword ptr fs:[00000030h] 2_2_053A9100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A9100 mov eax, dword ptr fs:[00000030h] 2_2_053A9100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A9100 mov eax, dword ptr fs:[00000030h] 2_2_053A9100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AB171 mov eax, dword ptr fs:[00000030h] 2_2_053AB171
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AB171 mov eax, dword ptr fs:[00000030h] 2_2_053AB171
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AC962 mov eax, dword ptr fs:[00000030h] 2_2_053AC962
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CB944 mov eax, dword ptr fs:[00000030h] 2_2_053CB944
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CB944 mov eax, dword ptr fs:[00000030h] 2_2_053CB944
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D61A0 mov eax, dword ptr fs:[00000030h] 2_2_053D61A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D61A0 mov eax, dword ptr fs:[00000030h] 2_2_053D61A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054341E8 mov eax, dword ptr fs:[00000030h] 2_2_054341E8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D2990 mov eax, dword ptr fs:[00000030h] 2_2_053D2990
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DA185 mov eax, dword ptr fs:[00000030h] 2_2_053DA185
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CC182 mov eax, dword ptr fs:[00000030h] 2_2_053CC182
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_053AB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_053AB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AB1E1 mov eax, dword ptr fs:[00000030h] 2_2_053AB1E1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054269A6 mov eax, dword ptr fs:[00000030h] 2_2_054269A6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054251BE mov eax, dword ptr fs:[00000030h] 2_2_054251BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054251BE mov eax, dword ptr fs:[00000030h] 2_2_054251BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054251BE mov eax, dword ptr fs:[00000030h] 2_2_054251BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054251BE mov eax, dword ptr fs:[00000030h] 2_2_054251BE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h] 2_2_053D002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h] 2_2_053D002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h] 2_2_053D002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h] 2_2_053D002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D002D mov eax, dword ptr fs:[00000030h] 2_2_053D002D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BB02A mov eax, dword ptr fs:[00000030h] 2_2_053BB02A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BB02A mov eax, dword ptr fs:[00000030h] 2_2_053BB02A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BB02A mov eax, dword ptr fs:[00000030h] 2_2_053BB02A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BB02A mov eax, dword ptr fs:[00000030h] 2_2_053BB02A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05471074 mov eax, dword ptr fs:[00000030h] 2_2_05471074
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05462073 mov eax, dword ptr fs:[00000030h] 2_2_05462073
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05474015 mov eax, dword ptr fs:[00000030h] 2_2_05474015
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05474015 mov eax, dword ptr fs:[00000030h] 2_2_05474015
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05427016 mov eax, dword ptr fs:[00000030h] 2_2_05427016
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05427016 mov eax, dword ptr fs:[00000030h] 2_2_05427016
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05427016 mov eax, dword ptr fs:[00000030h] 2_2_05427016
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C0050 mov eax, dword ptr fs:[00000030h] 2_2_053C0050
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C0050 mov eax, dword ptr fs:[00000030h] 2_2_053C0050
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DF0BF mov ecx, dword ptr fs:[00000030h] 2_2_053DF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DF0BF mov eax, dword ptr fs:[00000030h] 2_2_053DF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DF0BF mov eax, dword ptr fs:[00000030h] 2_2_053DF0BF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E90AF mov eax, dword ptr fs:[00000030h] 2_2_053E90AF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0543B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_0543B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0543B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0543B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0543B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0543B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0543B8D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h] 2_2_053D20A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h] 2_2_053D20A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h] 2_2_053D20A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h] 2_2_053D20A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h] 2_2_053D20A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D20A0 mov eax, dword ptr fs:[00000030h] 2_2_053D20A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A9080 mov eax, dword ptr fs:[00000030h] 2_2_053A9080
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05423884 mov eax, dword ptr fs:[00000030h] 2_2_05423884
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05423884 mov eax, dword ptr fs:[00000030h] 2_2_05423884
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A58EC mov eax, dword ptr fs:[00000030h] 2_2_053A58EC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05478B58 mov eax, dword ptr fs:[00000030h] 2_2_05478B58
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D3B7A mov eax, dword ptr fs:[00000030h] 2_2_053D3B7A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D3B7A mov eax, dword ptr fs:[00000030h] 2_2_053D3B7A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053ADB60 mov ecx, dword ptr fs:[00000030h] 2_2_053ADB60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546131B mov eax, dword ptr fs:[00000030h] 2_2_0546131B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AF358 mov eax, dword ptr fs:[00000030h] 2_2_053AF358
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053ADB40 mov eax, dword ptr fs:[00000030h] 2_2_053ADB40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054253CA mov eax, dword ptr fs:[00000030h] 2_2_054253CA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_054253CA mov eax, dword ptr fs:[00000030h] 2_2_054253CA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D4BAD mov eax, dword ptr fs:[00000030h] 2_2_053D4BAD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D4BAD mov eax, dword ptr fs:[00000030h] 2_2_053D4BAD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D4BAD mov eax, dword ptr fs:[00000030h] 2_2_053D4BAD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D2397 mov eax, dword ptr fs:[00000030h] 2_2_053D2397
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DB390 mov eax, dword ptr fs:[00000030h] 2_2_053DB390
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B1B8F mov eax, dword ptr fs:[00000030h] 2_2_053B1B8F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B1B8F mov eax, dword ptr fs:[00000030h] 2_2_053B1B8F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0545D380 mov ecx, dword ptr fs:[00000030h] 2_2_0545D380
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546138A mov eax, dword ptr fs:[00000030h] 2_2_0546138A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053CDBE9 mov eax, dword ptr fs:[00000030h] 2_2_053CDBE9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h] 2_2_053D03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h] 2_2_053D03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h] 2_2_053D03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h] 2_2_053D03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h] 2_2_053D03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D03E2 mov eax, dword ptr fs:[00000030h] 2_2_053D03E2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05475BA5 mov eax, dword ptr fs:[00000030h] 2_2_05475BA5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E4A2C mov eax, dword ptr fs:[00000030h] 2_2_053E4A2C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E4A2C mov eax, dword ptr fs:[00000030h] 2_2_053E4A2C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546EA55 mov eax, dword ptr fs:[00000030h] 2_2_0546EA55
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05434257 mov eax, dword ptr fs:[00000030h] 2_2_05434257
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053C3A1C mov eax, dword ptr fs:[00000030h] 2_2_053C3A1C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0545B260 mov eax, dword ptr fs:[00000030h] 2_2_0545B260
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0545B260 mov eax, dword ptr fs:[00000030h] 2_2_0545B260
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_05478A62 mov eax, dword ptr fs:[00000030h] 2_2_05478A62
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A5210 mov eax, dword ptr fs:[00000030h] 2_2_053A5210
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A5210 mov ecx, dword ptr fs:[00000030h] 2_2_053A5210
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A5210 mov eax, dword ptr fs:[00000030h] 2_2_053A5210
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A5210 mov eax, dword ptr fs:[00000030h] 2_2_053A5210
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AAA16 mov eax, dword ptr fs:[00000030h] 2_2_053AAA16
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053AAA16 mov eax, dword ptr fs:[00000030h] 2_2_053AAA16
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053B8A0A mov eax, dword ptr fs:[00000030h] 2_2_053B8A0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053E927A mov eax, dword ptr fs:[00000030h] 2_2_053E927A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546AA16 mov eax, dword ptr fs:[00000030h] 2_2_0546AA16
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_0546AA16 mov eax, dword ptr fs:[00000030h] 2_2_0546AA16
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A9240 mov eax, dword ptr fs:[00000030h] 2_2_053A9240
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A9240 mov eax, dword ptr fs:[00000030h] 2_2_053A9240
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A9240 mov eax, dword ptr fs:[00000030h] 2_2_053A9240
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A9240 mov eax, dword ptr fs:[00000030h] 2_2_053A9240
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BAAB0 mov eax, dword ptr fs:[00000030h] 2_2_053BAAB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053BAAB0 mov eax, dword ptr fs:[00000030h] 2_2_053BAAB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DFAB0 mov eax, dword ptr fs:[00000030h] 2_2_053DFAB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h] 2_2_053A52A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h] 2_2_053A52A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h] 2_2_053A52A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h] 2_2_053A52A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053A52A5 mov eax, dword ptr fs:[00000030h] 2_2_053A52A5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DD294 mov eax, dword ptr fs:[00000030h] 2_2_053DD294
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053DD294 mov eax, dword ptr fs:[00000030h] 2_2_053DD294
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D2AE4 mov eax, dword ptr fs:[00000030h] 2_2_053D2AE4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 2_2_053D2ACB mov eax, dword ptr fs:[00000030h] 2_2_053D2ACB
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Code function: 0_2_0083ACF0 LdrLoadDll, 0_2_0083ACF0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.letstalkreparation.com
Source: C:\Windows\explorer.exe Domain query: www.zwangerschapvanweektotweek.net
Source: C:\Windows\explorer.exe Network Connect: 34.98.99.30 80
Source: C:\Windows\explorer.exe Network Connect: 34.117.168.233 80
Source: C:\Windows\explorer.exe Domain query: www.gonulserezart.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.evaluatemyathlete.com
Source: C:\Windows\explorer.exe Network Connect: 91.218.127.118 80
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1370000
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\Hbi8WUpShm.exe Thread register set: target process: 3324
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 3324
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Hbi8WUpShm.exe"
Source: explorer.exe, 00000001.00000003.534691963.00000000086C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.547529114.00000000086B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.309167505.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000001.00000000.309167505.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.573862418.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager*r
Source: explorer.exe, 00000001.00000000.309167505.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.573862418.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000001.00000000.309167505.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000002.573862418.0000000000ED0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000001.00000000.308784009.0000000000878000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.573479962.0000000000878000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanLoc*U

Stealing of Sensitive Information

Source: Yara match File source: Hbi8WUpShm.exe, type: SAMPLE
Source: Yara match File source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: Hbi8WUpShm.exe, type: SAMPLE
Source: Yara match File source: 0.2.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Hbi8WUpShm.exe.830000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.340187458.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573760954.0000000000DC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573525615.0000000000AE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.304875108.0000000000831000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573684424.0000000000D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.575081559.00000000058AF000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343561110.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.343352693.0000000000D20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.573431641.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.586228708.00000000152CF000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY