Analysis Report UGGJ4NnzFz

Overview

General Information

Sample Name: UGGJ4NnzFz (renamed file extension from none to exe)
Analysis ID: 432566
MD5: b148ae414eb8a1b34a15cdb32c21f9ee
SHA1: 25b78f76010cc34843352c78d4f8e07a28b46b32
SHA256: 193788545c12c697fe660e9dd178e5d97478d5b90d5b0096f1cd6a9b641d48e9
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.rebeccannemontgomery.net/dp3a/"], "decoy": ["frayl.com", "utmostroofing.com", "galactigames.com", "kingguardgroup.com", "goldinsacks.com", "platinumcreditrepair.net", "sw-advisers.com", "ininjawebtech.com", "spectrurnvisionpartners.com", "freshdeliciousberryfarm.com", "12796.xyz", "goldgrandpa.com", "chicago-trading.academy", "newstechealth.com", "pecon.pro", "2dmaxximumrecords.com", "athrivingthirtysomething.com", "universalphonemarket.com", "motivationinterviewsinc.com", "virtualrealty.tours", "bring-wellness.com", "fengshuimingshi.com", "urbanpite.com", "28ji.site", "xuanpei.net", "letstrumpbiden.com", "xtremetechtv.com", "leyardzm.net", "funemoke.net", "closetofaurora.com", "theyogirunner.com", "pmbcommercial.com", "michiganpsychologist.com", "foodandbio.com", "goodlukc.com", "kingofkingslovesyou.com", "topazsnacks.com", "vinpearlnhatrangbay.com", "24x7dream.com", "attafine.com", "hireinone.xyz", "growwithjenn.com", "fortworthsurrogacy.com", "kladios.com", "aishark.net", "havenparent.com", "elementaryelegance.com", "moulardfarms.net", "tomrings.com", "allyexpense.com", "juleshypnosis.com", "rboxtogo.com", "restorey.com", "oilleakgames.com", "protectpursuit.com", "checkitreviews.com", "jeremypohu.com", "mnanoramaonline.com", "xn--instagrm-fza.com", "fianser.com", "www-338616.com", "woollardhenry.com", "reviewdrkofford.com", "vandalvans.com"]}
Multi AV Scanner detection for submitted file
Source: UGGJ4NnzFz.exe Virustotal: Detection: 29%
Source: UGGJ4NnzFz.exe ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match File source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: UGGJ4NnzFz.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.cmmon32.exe.624368.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.cmmon32.exe.4a87960.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: UGGJ4NnzFz.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmmon32.pdb source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: UGGJ4NnzFz.exe, 00000000.00000003.212550994.0000000009A50000.00000004.00000001.sdmp, UGGJ4NnzFz.exe, 00000001.00000002.274348250.0000000000970000.00000040.00000001.sdmp, cmmon32.exe, 00000009.00000002.477934562.000000000466F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: UGGJ4NnzFz.exe, cmmon32.exe
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\Desktop\UGGJ4NnzFz.exe
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\AppData\Local\Temp\nsyA3E3.tmp
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\AppData\Local\Temp\dceotuvjnitpz
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\AppData\Local\Temp\6jlp0t221b5inmotwb6

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 4x nop then pop esi 1_2_0041583E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 4x nop then pop ebx 1_2_00406A96
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop esi 9_2_003B583E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop ebx 9_2_003A6A96

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 157.245.232.77:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 157.245.232.77:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 157.245.232.77:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 23.227.38.74:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 62.149.128.40:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 62.149.128.40:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 62.149.128.40:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.rebeccannemontgomery.net/dp3a/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /dp3a/?rTWxa=fFin23A3InOxv8Q1OZSqiWR/FjS3KuFpXPcC+roY+PuFOGx4uYNLJpybUr51Ny74Rks0&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1 Host: www.protectpursuit.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=DH0B3lUhAa5VBPw8nCCOXpLU24maY23yGmrt22qj0kvQjGAaKYYXdT0Mh/TRCK5k4cmX HTTP/1.1 Host: www.freshdeliciousberryfarm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dp3a/?rTWxa=76AMkVxxuSKB5pgh4RNc3EipO3rbFW8MEUNJys/eLa/AxdTMjRac1XeBowoP/wZORJRk&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1 Host: www.sw-advisers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=GkWHDDYMiWr4Ju0U4teKyAR8hKcpKlGmV2ZHyKwA/bXhSAEvQCtqjiLuXtjyxk2BGjrR HTTP/1.1 Host: www.goldgrandpa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTQi7ynUSvkYXlrnDKiUoE/Bv6J35YIy7pKLvP HTTP/1.1 Host: www.goldinsacks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=WU2tAheQ8tcf93YEudKDnPgih3iSbxP+RxOmhUzH4Gc7ohEPLFzZpUy5aqQrTWYg/sJi HTTP/1.1 Host: www.growwithjenn.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /dp3a/?rTWxa=F+NQG3wr2qmzRibT9BAJK2aVObQEDzb5Y6jfukgEe6sv7RNklleEIbtQ/MsGh07J4TVQ&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1 Host: www.bring-wellness.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 62.149.128.40 62.149.128.40
Source: Joe Sandbox View IP Address: 160.153.136.3 160.153.136.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT ARUBA-ASNIT
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: unknown DNS traffic detected: queries for: www.allyexpense.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 10 Jun 2021 12:36:41 GMT Content-Length: 0 Connection: close Vary: Origin
Source: explorer.exe, 00000005.00000000.243022524.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: UGGJ4NnzFz.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: UGGJ4NnzFz.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: cmmon32.exe, 00000009.00000002.479471132.0000000004C02000.00000004.00000001.sdmp String found in binary or memory: http://www.goldinsacks.com:80/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkT
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405042
Creates a DirectInput object (often for capturing keystrokes)
Source: UGGJ4NnzFz.exe, 00000000.00000002.219983630.00000000006FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_004181C0 NtCreateFile, 1_2_004181C0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00418270 NtReadFile, 1_2_00418270
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_004182F0 NtClose, 1_2_004182F0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_004183A0 NtAllocateVirtualMemory, 1_2_004183A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_004181BC NtCreateFile, 1_2_004181BC
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_004182EB NtClose, 1_2_004182EB
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0041839B NtAllocateVirtualMemory, 1_2_0041839B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_009D98F0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk, 1_2_009D9840
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_009D9860
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk, 1_2_009D99A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_009D9910
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_009D9A00
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk, 1_2_009D9A20
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk, 1_2_009D9A50
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk, 1_2_009D95D0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk, 1_2_009D9540
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_009D96E0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_009D9660
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_009D9780
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_009D97A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9FE0 NtCreateMutant,LdrInitializeThunk, 1_2_009D9FE0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_009D9710
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D98A0 NtWriteVirtualMemory, 1_2_009D98A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9820 NtEnumerateKey, 1_2_009D9820
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009DB040 NtSuspendThread, 1_2_009DB040
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D99D0 NtCreateProcessEx, 1_2_009D99D0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9950 NtQueueApcThread, 1_2_009D9950
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9A80 NtOpenDirectoryObject, 1_2_009D9A80
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9A10 NtQuerySection, 1_2_009D9A10
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009DA3B0 NtGetContextThread, 1_2_009DA3B0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9B00 NtSetValueKey, 1_2_009D9B00
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D95F0 NtQueryInformationFile, 1_2_009D95F0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009DAD30 NtSetContextThread, 1_2_009DAD30
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9520 NtWaitForSingleObject, 1_2_009D9520
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9560 NtWriteFile, 1_2_009D9560
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D96D0 NtCreateKey, 1_2_009D96D0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9610 NtEnumerateValueKey, 1_2_009D9610
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9650 NtQueryValueKey, 1_2_009D9650
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9670 NtQueryInformationProcess, 1_2_009D9670
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009DA710 NtOpenProcessToken, 1_2_009DA710
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D9730 NtQueryVirtualMemory, 1_2_009D9730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9540 NtReadFile,LdrInitializeThunk, 9_2_045B9540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B95D0 NtClose,LdrInitializeThunk, 9_2_045B95D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9650 NtQueryValueKey,LdrInitializeThunk, 9_2_045B9650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9660 NtAllocateVirtualMemory,LdrInitializeThunk, 9_2_045B9660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B96D0 NtCreateKey,LdrInitializeThunk, 9_2_045B96D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B96E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_045B96E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9710 NtQueryInformationToken,LdrInitializeThunk, 9_2_045B9710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9FE0 NtCreateMutant,LdrInitializeThunk, 9_2_045B9FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9780 NtMapViewOfSection,LdrInitializeThunk, 9_2_045B9780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9840 NtDelayExecution,LdrInitializeThunk, 9_2_045B9840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_045B9860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_045B9910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B99A0 NtCreateSection,LdrInitializeThunk, 9_2_045B99A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9A50 NtCreateFile,LdrInitializeThunk, 9_2_045B9A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9560 NtWriteFile, 9_2_045B9560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045BAD30 NtSetContextThread, 9_2_045BAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9520 NtWaitForSingleObject, 9_2_045B9520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B95F0 NtQueryInformationFile, 9_2_045B95F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9670 NtQueryInformationProcess, 9_2_045B9670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9610 NtEnumerateValueKey, 9_2_045B9610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045BA770 NtOpenThread, 9_2_045BA770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9770 NtSetInformationFile, 9_2_045B9770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9760 NtOpenProcess, 9_2_045B9760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045BA710 NtOpenProcessToken, 9_2_045BA710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9730 NtQueryVirtualMemory, 9_2_045B9730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B97A0 NtUnmapViewOfSection, 9_2_045B97A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045BB040 NtSuspendThread, 9_2_045BB040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9820 NtEnumerateKey, 9_2_045B9820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B98F0 NtReadVirtualMemory, 9_2_045B98F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B98A0 NtWriteVirtualMemory, 9_2_045B98A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9950 NtQueueApcThread, 9_2_045B9950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B99D0 NtCreateProcessEx, 9_2_045B99D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9A10 NtQuerySection, 9_2_045B9A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9A00 NtProtectVirtualMemory, 9_2_045B9A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9A20 NtResumeThread, 9_2_045B9A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9A80 NtOpenDirectoryObject, 9_2_045B9A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B9B00 NtSetValueKey, 9_2_045B9B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045BA3B0 NtGetContextThread, 9_2_045BA3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003B81C0 NtCreateFile, 9_2_003B81C0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003B8270 NtReadFile, 9_2_003B8270
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003B82F0 NtClose, 9_2_003B82F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003B83A0 NtAllocateVirtualMemory, 9_2_003B83A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003B81BC NtCreateFile, 9_2_003B81BC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003B82EB NtClose, 9_2_003B82EB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003B839B NtAllocateVirtualMemory, 9_2_003B839B
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040323C
Detected potential crypto function
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00404853 0_2_00404853
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00406131 0_2_00406131
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_73751A98 0_2_73751A98
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0041D042 1_2_0041D042
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0041CB69 1_2_0041CB69
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00408C5B 1_2_00408C5B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00408C60 1_2_00408C60
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0041CF4E 1_2_0041CF4E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AB090 1_2_009AB090
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A620A8 1_2_00A620A8
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C20A0 1_2_009C20A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A628EC 1_2_00A628EC
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6E824 1_2_00A6E824
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51002 1_2_00A51002
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA830 1_2_009BA830
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099F900 1_2_0099F900
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B4120 1_2_009B4120
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A622AE 1_2_00A622AE
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A4FA2B 1_2_00A4FA2B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CEBB0 1_2_009CEBB0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5DBD2 1_2_00A5DBD2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A503DA 1_2_00A503DA
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A62B28 1_2_00A62B28
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAB40 1_2_009BAB40
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A841F 1_2_009A841F
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5D466 1_2_00A5D466
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2581 1_2_009C2581
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AD5E0 1_2_009AD5E0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A625DD 1_2_00A625DD
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A62D07 1_2_00A62D07
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00990D20 1_2_00990D20
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A61D55 1_2_00A61D55
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A62EF7 1_2_00A62EF7
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B6E30 1_2_009B6E30
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5D616 1_2_00A5D616
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A61FF1 1_2_00A61FF1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6DFCE 1_2_00A6DFCE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463D466 9_2_0463D466
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458841F 9_2_0458841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04641D55 9_2_04641D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04642D07 9_2_04642D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04570D20 9_2_04570D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458D5E0 9_2_0458D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046425DD 9_2_046425DD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A2581 9_2_045A2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04596E30 9_2_04596E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463D616 9_2_0463D616
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04642EF7 9_2_04642EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04641FF1 9_2_04641FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464DFCE 9_2_0464DFCE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464E824 9_2_0464E824
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631002 9_2_04631002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459A830 9_2_0459A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046428EC 9_2_046428EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458B090 9_2_0458B090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046420A8 9_2_046420A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A20A0 9_2_045A20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457F900 9_2_0457F900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04594120 9_2_04594120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045999BF 9_2_045999BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0462FA2B 9_2_0462FA2B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046422AE 9_2_046422AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AB40 9_2_0459AB40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04642B28 9_2_04642B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463DBD2 9_2_0463DBD2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046303DA 9_2_046303DA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AEBB0 9_2_045AEBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003BD042 9_2_003BD042
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003BCB69 9_2_003BCB69
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003A8C60 9_2_003A8C60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003A8C5B 9_2_003A8C5B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003A2D90 9_2_003A2D90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003A2D87 9_2_003A2D87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003BCF4E 9_2_003BCF4E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003A2FB0 9_2_003A2FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: String function: 0099B150 appears 72 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 0457B150 appears 72 times
Sample file is different than original file name gathered from version info
Source: UGGJ4NnzFz.exe, 00000000.00000003.217329027.00000000099D6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UGGJ4NnzFz.exe
Source: UGGJ4NnzFz.exe, 00000001.00000002.274341058.0000000000939000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMMON32.exe` vs UGGJ4NnzFz.exe
Source: UGGJ4NnzFz.exe, 00000001.00000002.274699413.0000000000C1F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs UGGJ4NnzFz.exe
Uses 32bit PE files
Source: UGGJ4NnzFz.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/4@12/6
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404356
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587D72 FindResourceA, 9_2_04587D72
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File created: C:\Users\user\AppData\Local\Temp\nsyA3E2.tmp
Source: UGGJ4NnzFz.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: UGGJ4NnzFz.exe Virustotal: Detection: 29%
Source: UGGJ4NnzFz.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File read: C:\Users\user\Desktop\UGGJ4NnzFz.exe
Source: unknown Process created: C:\Users\user\Desktop\UGGJ4NnzFz.exe 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Process created: C:\Users\user\Desktop\UGGJ4NnzFz.exe 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Process created: C:\Users\user\Desktop\UGGJ4NnzFz.exe 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: cmmon32.pdb source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: UGGJ4NnzFz.exe, 00000000.00000003.212550994.0000000009A50000.00000004.00000001.sdmp, UGGJ4NnzFz.exe, 00000001.00000002.274348250.0000000000970000.00000040.00000001.sdmp, cmmon32.exe, 00000009.00000002.477934562.000000000466F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: UGGJ4NnzFz.exe, cmmon32.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Unpacked PE file: 1.2.UGGJ4NnzFz.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_73752F60 push eax; ret 0_2_73752F8E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00416026 push ebx; iretd 1_2_00416027
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0041C087 push dword ptr [DF0C81F8h]; ret 1_2_0041C1C4
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00409A94 push 00D6BDC6h; iretd 1_2_00409A99
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0041B3B5 push eax; ret 1_2_0041B408
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0041B46C push eax; ret 1_2_0041B472
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0041B402 push eax; ret 1_2_0041B408
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0041B40B push eax; ret 1_2_0041B472
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009ED0D1 push ecx; ret 1_2_009ED0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045CD0D1 push ecx; ret 9_2_045CD0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003B6026 push ebx; iretd 9_2_003B6027
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003BC087 push dword ptr [DF0C81F8h]; ret 9_2_003BC1C4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003A9A94 push 00D6BDC6h; iretd 9_2_003A9A99
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003BB3B5 push eax; ret 9_2_003BB408
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003BB40B push eax; ret 9_2_003BB472
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003BB402 push eax; ret 9_2_003BB408
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_003BB46C push eax; ret 9_2_003BB472

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File created: C:\Users\user\AppData\Local\Temp\nsyA3E4.tmp\System.dll
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000003A85E4 second address: 00000000003A85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000003A897E second address: 00000000003A8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_004088B0 rdtsc 1_2_004088B0
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe API coverage: 8.1 %
Source: C:\Windows\SysWOW64\cmmon32.exe API coverage: 8.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6164 Thread sleep time: -50000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6984 Thread sleep time: -44000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\Desktop\UGGJ4NnzFz.exe
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\AppData\Local\Temp\nsyA3E3.tmp
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\AppData\Local\Temp\dceotuvjnitpz
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe File opened: C:\Users\user\AppData\Local\Temp\6jlp0t221b5inmotwb6
Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000005.00000000.222167961.0000000001398000.00000004.00000020.sdmp Binary or memory string: War&Prod_VMware_SATAR
Source: explorer.exe, 00000005.00000000.247174427.000000000F6E3000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.240796692.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.239093563.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000005.00000000.252370895.0000000001398000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
Source: explorer.exe, 00000005.00000000.232477567.0000000004E61000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAv
Source: explorer.exe, 00000005.00000000.261705438.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.242412172.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000005.00000000.261725875.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000005.00000000.239093563.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000005.00000000.239093563.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000005.00000000.239093563.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_004088B0 rdtsc 1_2_004088B0
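The rdtsc hit above and the fs:[00000030h] reads listed further down under "Contains functionality to read the PEB" both come from fixed 32-bit x86 opcode encodings, which is why a sandbox can flag them statically. The Python scanner below is an added example and is not part of the Joe Sandbox report: it reproduces that check over a hand-built byte string (the bytes, the base address 0x408800 and the function names are constructed for illustration; none of the report's addresses are reused), labels each hit the way the report prints it, and separates reads of the PEB pointer (fs:[30h]) from other TEB reads such as fs:[18h].

```python
"""
Static scan for the opcode patterns behind two sandbox signatures:
  "Contains functionality to read the PEB"          -> mov r32, fs:[30h]
  "Contains functionality for execution timing"     -> rdtsc

Added example, not code from the sandbox report or the analysed sample.
The sample bytes and base address below are constructed for illustration.
"""
import re
import struct

# 32-bit TEB offsets, used to say what an fs:[disp32] read actually targets.
FS_OFFSETS = {
    0x00: "TEB.ExceptionList",
    0x18: "TEB.Self",
    0x30: "TEB.ProcessEnvironmentBlock",
}

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Encodings (Intel SDM, 32-bit mode; 0x64 is the fs segment override):
#   64 A1 <disp32>           mov eax, dword ptr fs:[disp32]   (short form, eax only)
#   64 8B <modrm> <disp32>   mov r32, dword ptr fs:[disp32]   (modrm mod=00, rm=101)
#   0F 31                    rdtsc
PAT_MOV_EAX = re.compile(rb"\x64\xA1(.{4})", re.DOTALL)
PAT_MOV_R32 = re.compile(rb"\x64\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D])(.{4})", re.DOTALL)
PAT_RDTSC = re.compile(rb"\x0F\x31")


def scan(code: bytes, base: int = 0):
    """Return (address, mnemonic, fs_offset_or_None) for every match, sorted by address."""
    hits = []
    for m in PAT_MOV_EAX.finditer(code):
        disp = struct.unpack("<I", m.group(1))[0]
        hits.append((base + m.start(), f"mov eax, dword ptr fs:[{disp:08X}h]", disp))
    for m in PAT_MOV_R32.finditer(code):
        reg = REG32[(m.group(1)[0] >> 3) & 7]      # reg field of the modrm byte
        disp = struct.unpack("<I", m.group(2))[0]
        hits.append((base + m.start(), f"mov {reg}, dword ptr fs:[{disp:08X}h]", disp))
    for m in PAT_RDTSC.finditer(code):
        hits.append((base + m.start(), "rdtsc", None))
    return sorted(hits)


def signatures(code: bytes, base: int = 0):
    """Map the two sandbox signature names onto the hits that would trigger them."""
    hits = scan(code, base)
    return {
        "Contains functionality to read the PEB":
            [f"{a:08X} {m}" for a, m, d in hits if d == 0x30],
        "Contains functionality for execution timing":
            [f"{a:08X} {m}" for a, m, d in hits if m == "rdtsc"],
    }


# Constructed 32-bit function: checks PEB.BeingDebugged and PEB.NtGlobalFlag,
# takes a timestamp, and also reads TEB.Self (which must NOT count as a PEB read).
SAMPLE = bytes.fromhex(
    "55 8B EC"                 # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"        # mov eax, dword ptr fs:[30h]     ; PEB
    "0F B6 40 02"              # movzx eax, byte ptr [eax+2]     ; PEB.BeingDebugged
    "85 C0"                    # test eax, eax
    "75 0E"                    # jnz short (skip)
    "64 8B 0D 30 00 00 00"     # mov ecx, dword ptr fs:[30h]     ; PEB, long form
    "8B 41 68"                 # mov eax, dword ptr [ecx+68h]    ; PEB.NtGlobalFlag
    "0F 31"                    # rdtsc
    "8B D8"                    # mov ebx, eax
    "64 A1 18 00 00 00"        # mov eax, dword ptr fs:[18h]     ; TEB.Self, not the PEB
    "5D C3"                    # pop ebp; ret
)
SAMPLE_BASE = 0x408800         # hypothetical load address, not from the report


if __name__ == "__main__":
    for addr, mnemonic, off in scan(SAMPLE, SAMPLE_BASE):
        target = FS_OFFSETS.get(off, "") if off is not None else ""
        print(f"{addr:08X}  {mnemonic:40s} {target}")
    for name, evidence in signatures(SAMPLE, SAMPLE_BASE).items():
        print(f"{name}: {evidence}")
```

Two caveats when reading such hits. Matching raw bytes without disassembly also fires on data that happens to contain the pattern and misses reads encoded through a different register form, which is why the report ties every hit to a code-function start address rather than to a bare offset. And a PEB read on its own is a capability indicator, not proof of anti-debugging: loader and CRT stubs read fs:[30h] routinely, so the signature is only meaningful alongside the DebugPort query and rdtsc timing listed in this section.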
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00409B20 LdrLoadDll, 1_2_00409B20
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00999080 mov eax, dword ptr fs:[00000030h] 1_2_00999080
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CF0BF mov ecx, dword ptr fs:[00000030h] 1_2_009CF0BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h] 1_2_009CF0BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h] 1_2_009CF0BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h] 1_2_00A13884
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h] 1_2_00A13884
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D90AF mov eax, dword ptr fs:[00000030h] 1_2_009D90AF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009958EC mov eax, dword ptr fs:[00000030h] 1_2_009958EC
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h] 1_2_009940E1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h] 1_2_009940E1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h] 1_2_009940E1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h] 1_2_009BB8E4
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h] 1_2_009BB8E4
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h] 1_2_009BA830
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h] 1_2_009BA830
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h] 1_2_009BA830
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h] 1_2_009BA830
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h] 1_2_009AB02A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h] 1_2_009AB02A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h] 1_2_009AB02A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h] 1_2_009AB02A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h] 1_2_00A64015
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h] 1_2_00A64015
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h] 1_2_00A17016
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h] 1_2_00A17016
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h] 1_2_00A17016
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h] 1_2_009B0050
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h] 1_2_009B0050
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A61074 mov eax, dword ptr fs:[00000030h] 1_2_00A61074
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A52073 mov eax, dword ptr fs:[00000030h] 1_2_00A52073
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h] 1_2_00A549A4
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h] 1_2_00A549A4
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h] 1_2_00A549A4
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h] 1_2_00A549A4
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A169A6 mov eax, dword ptr fs:[00000030h] 1_2_00A169A6
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2990 mov eax, dword ptr fs:[00000030h] 1_2_009C2990
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA185 mov eax, dword ptr fs:[00000030h] 1_2_009CA185
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BC182 mov eax, dword ptr fs:[00000030h] 1_2_009BC182
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h] 1_2_00A151BE
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h] 1_2_00A151BE
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h] 1_2_00A151BE
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h] 1_2_00A151BE
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h] 1_2_009C61A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h] 1_2_009C61A0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A241E8 mov eax, dword ptr fs:[00000030h] 1_2_00A241E8
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0099B1E1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0099B1E1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0099B1E1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h] 1_2_00999100
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h] 1_2_00999100
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h] 1_2_00999100
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h] 1_2_009C513A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h] 1_2_009C513A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B4120 mov ecx, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h] 1_2_009BB944
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h] 1_2_009BB944
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h] 1_2_0099B171
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h] 1_2_0099B171
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099C962 mov eax, dword ptr fs:[00000030h] 1_2_0099C962
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h] 1_2_009CD294
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h] 1_2_009CD294
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h] 1_2_009AAAB0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h] 1_2_009AAAB0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CFAB0 mov eax, dword ptr fs:[00000030h] 1_2_009CFAB0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2ACB mov eax, dword ptr fs:[00000030h] 1_2_009C2ACB
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2AE4 mov eax, dword ptr fs:[00000030h] 1_2_009C2AE4
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B3A1C mov eax, dword ptr fs:[00000030h] 1_2_009B3A1C
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00995210 mov ecx, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h] 1_2_0099AA16
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h] 1_2_0099AA16
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A8A0A mov eax, dword ptr fs:[00000030h] 1_2_009A8A0A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h] 1_2_009D4A2C
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h] 1_2_009D4A2C
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A5AA16
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A5AA16
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h] 1_2_00A4B260
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h] 1_2_00A4B260
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A68A62 mov eax, dword ptr fs:[00000030h] 1_2_00A68A62
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h] 1_2_00999240
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h] 1_2_00999240
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h] 1_2_00999240
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h] 1_2_00999240
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D927A mov eax, dword ptr fs:[00000030h] 1_2_009D927A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5EA55 mov eax, dword ptr fs:[00000030h] 1_2_00A5EA55
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A24257 mov eax, dword ptr fs:[00000030h] 1_2_00A24257
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A65BA5 mov eax, dword ptr fs:[00000030h] 1_2_00A65BA5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2397 mov eax, dword ptr fs:[00000030h] 1_2_009C2397
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CB390 mov eax, dword ptr fs:[00000030h] 1_2_009CB390
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h] 1_2_009A1B8F
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h] 1_2_009A1B8F
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A4D380 mov ecx, dword ptr fs:[00000030h] 1_2_00A4D380
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5138A mov eax, dword ptr fs:[00000030h] 1_2_00A5138A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h] 1_2_009C4BAD
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h] 1_2_009C4BAD
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h] 1_2_009C4BAD
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h] 1_2_00A153CA
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h] 1_2_00A153CA
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BDBE9 mov eax, dword ptr fs:[00000030h] 1_2_009BDBE9
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5131B mov eax, dword ptr fs:[00000030h] 1_2_00A5131B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099F358 mov eax, dword ptr fs:[00000030h] 1_2_0099F358
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099DB40 mov eax, dword ptr fs:[00000030h] 1_2_0099DB40
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h] 1_2_009C3B7A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h] 1_2_009C3B7A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099DB60 mov ecx, dword ptr fs:[00000030h] 1_2_0099DB60
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A68B58 mov eax, dword ptr fs:[00000030h] 1_2_00A68B58
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A849B mov eax, dword ptr fs:[00000030h] 1_2_009A849B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A16CF0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A16CF0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A16CF0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A514FB mov eax, dword ptr fs:[00000030h] 1_2_00A514FB
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A68CD6 mov eax, dword ptr fs:[00000030h] 1_2_00A68CD6
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h] 1_2_00A6740D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h] 1_2_00A6740D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h] 1_2_00A6740D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h] 1_2_00A16C0A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h] 1_2_00A16C0A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h] 1_2_00A16C0A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h] 1_2_00A16C0A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CBC2C mov eax, dword ptr fs:[00000030h] 1_2_009CBC2C
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA44B mov eax, dword ptr fs:[00000030h] 1_2_009CA44B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h] 1_2_00A2C450
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h] 1_2_00A2C450
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B746D mov eax, dword ptr fs:[00000030h] 1_2_009B746D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h] 1_2_009CFD9B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h] 1_2_009CFD9B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h] 1_2_00A605AC
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h] 1_2_00A605AC
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h] 1_2_009C2581
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h] 1_2_009C2581
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h] 1_2_009C2581
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h] 1_2_009C2581
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h] 1_2_009C1DB5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h] 1_2_009C1DB5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h] 1_2_009C1DB5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C35A1 mov eax, dword ptr fs:[00000030h] 1_2_009C35A1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A5FDE2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A5FDE2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A5FDE2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A5FDE2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A48DF1 mov eax, dword ptr fs:[00000030h] 1_2_00A48DF1
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h] 1_2_009AD5E0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h] 1_2_009AD5E0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A68D34 mov eax, dword ptr fs:[00000030h] 1_2_00A68D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A1A537 mov eax, dword ptr fs:[00000030h] 1_2_00A1A537
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5E539 mov eax, dword ptr fs:[00000030h] 1_2_00A5E539
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h] 1_2_009C4D3B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h] 1_2_009C4D3B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h] 1_2_009C4D3B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099AD30 mov eax, dword ptr fs:[00000030h] 1_2_0099AD30
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009B7D50 mov eax, dword ptr fs:[00000030h] 1_2_009B7D50
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D3D43 mov eax, dword ptr fs:[00000030h] 1_2_009D3D43
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A13540 mov eax, dword ptr fs:[00000030h] 1_2_00A13540
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A43D40 mov eax, dword ptr fs:[00000030h] 1_2_00A43D40
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h] 1_2_009BC577
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h] 1_2_009BC577
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00A60EA5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00A60EA5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00A60EA5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A146A7 mov eax, dword ptr fs:[00000030h] 1_2_00A146A7
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2FE87 mov eax, dword ptr fs:[00000030h] 1_2_00A2FE87
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C36CC mov eax, dword ptr fs:[00000030h] 1_2_009C36CC
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D8EC7 mov eax, dword ptr fs:[00000030h] 1_2_009D8EC7
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A4FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00A4FEC0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A68ED6 mov eax, dword ptr fs:[00000030h] 1_2_00A68ED6
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A76E2 mov eax, dword ptr fs:[00000030h] 1_2_009A76E2
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C16E0 mov ecx, dword ptr fs:[00000030h] 1_2_009C16E0
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h] 1_2_009CA61C
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h] 1_2_009CA61C
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h] 1_2_0099C600
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h] 1_2_0099C600
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h] 1_2_0099C600
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A4FE3F mov eax, dword ptr fs:[00000030h] 1_2_00A4FE3F
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009C8E00 mov eax, dword ptr fs:[00000030h] 1_2_009C8E00
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A51608 mov eax, dword ptr fs:[00000030h] 1_2_00A51608
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_0099E620 mov eax, dword ptr fs:[00000030h] 1_2_0099E620
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h] 1_2_00A5AE44
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h] 1_2_00A5AE44
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A766D mov eax, dword ptr fs:[00000030h] 1_2_009A766D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009A8794 mov eax, dword ptr fs:[00000030h] 1_2_009A8794
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h] 1_2_00A17794
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h] 1_2_00A17794
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h] 1_2_00A17794
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009D37F5 mov eax, dword ptr fs:[00000030h] 1_2_009D37F5
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BF716 mov eax, dword ptr fs:[00000030h] 1_2_009BF716
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h] 1_2_009CA70E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h] 1_2_009CA70E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h] 1_2_009BB73D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h] 1_2_009BB73D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h] 1_2_00A6070D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h] 1_2_00A6070D
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_009CE730 mov eax, dword ptr fs:[00000030h] 1_2_009CE730
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A2FF10
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A2FF10
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h] 1_2_00994F2E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h] 1_2_00994F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA44B mov eax, dword ptr fs:[00000030h] 9_2_045AA44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460C450 mov eax, dword ptr fs:[00000030h] 9_2_0460C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460C450 mov eax, dword ptr fs:[00000030h] 9_2_0460C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459746D mov eax, dword ptr fs:[00000030h] 9_2_0459746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6C0A mov eax, dword ptr fs:[00000030h] 9_2_045F6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6C0A mov eax, dword ptr fs:[00000030h] 9_2_045F6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6C0A mov eax, dword ptr fs:[00000030h] 9_2_045F6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6C0A mov eax, dword ptr fs:[00000030h] 9_2_045F6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631C06 mov eax, dword ptr fs:[00000030h] 9_2_04631C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464740D mov eax, dword ptr fs:[00000030h] 9_2_0464740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464740D mov eax, dword ptr fs:[00000030h] 9_2_0464740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464740D mov eax, dword ptr fs:[00000030h] 9_2_0464740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045ABC2C mov eax, dword ptr fs:[00000030h] 9_2_045ABC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046314FB mov eax, dword ptr fs:[00000030h] 9_2_046314FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6CF0 mov eax, dword ptr fs:[00000030h] 9_2_045F6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6CF0 mov eax, dword ptr fs:[00000030h] 9_2_045F6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6CF0 mov eax, dword ptr fs:[00000030h] 9_2_045F6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04648CD6 mov eax, dword ptr fs:[00000030h] 9_2_04648CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458849B mov eax, dword ptr fs:[00000030h] 9_2_0458849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04597D50 mov eax, dword ptr fs:[00000030h] 9_2_04597D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B3D43 mov eax, dword ptr fs:[00000030h] 9_2_045B3D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F3540 mov eax, dword ptr fs:[00000030h] 9_2_045F3540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04623D40 mov eax, dword ptr fs:[00000030h] 9_2_04623D40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459C577 mov eax, dword ptr fs:[00000030h] 9_2_0459C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459C577 mov eax, dword ptr fs:[00000030h] 9_2_0459C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04648D34 mov eax, dword ptr fs:[00000030h] 9_2_04648D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463E539 mov eax, dword ptr fs:[00000030h] 9_2_0463E539
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A4D3B mov eax, dword ptr fs:[00000030h] 9_2_045A4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A4D3B mov eax, dword ptr fs:[00000030h] 9_2_045A4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A4D3B mov eax, dword ptr fs:[00000030h] 9_2_045A4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457AD30 mov eax, dword ptr fs:[00000030h] 9_2_0457AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045FA537 mov eax, dword ptr fs:[00000030h] 9_2_045FA537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04583D34 mov eax, dword ptr fs:[00000030h] 9_2_04583D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463FDE2 mov eax, dword ptr fs:[00000030h] 9_2_0463FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463FDE2 mov eax, dword ptr fs:[00000030h] 9_2_0463FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463FDE2 mov eax, dword ptr fs:[00000030h] 9_2_0463FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463FDE2 mov eax, dword ptr fs:[00000030h] 9_2_0463FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04628DF1 mov eax, dword ptr fs:[00000030h] 9_2_04628DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 9_2_045F6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 9_2_045F6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 9_2_045F6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov ecx, dword ptr fs:[00000030h] 9_2_045F6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 9_2_045F6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F6DC9 mov eax, dword ptr fs:[00000030h] 9_2_045F6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0458D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458D5E0 mov eax, dword ptr fs:[00000030h] 9_2_0458D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AFD9B mov eax, dword ptr fs:[00000030h] 9_2_045AFD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AFD9B mov eax, dword ptr fs:[00000030h] 9_2_045AFD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046405AC mov eax, dword ptr fs:[00000030h] 9_2_046405AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_046405AC mov eax, dword ptr fs:[00000030h] 9_2_046405AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A2581 mov eax, dword ptr fs:[00000030h] 9_2_045A2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A2581 mov eax, dword ptr fs:[00000030h] 9_2_045A2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A2581 mov eax, dword ptr fs:[00000030h] 9_2_045A2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A2581 mov eax, dword ptr fs:[00000030h] 9_2_045A2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h] 9_2_04572D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h] 9_2_04572D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h] 9_2_04572D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h] 9_2_04572D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04572D8A mov eax, dword ptr fs:[00000030h] 9_2_04572D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A1DB5 mov eax, dword ptr fs:[00000030h] 9_2_045A1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A1DB5 mov eax, dword ptr fs:[00000030h] 9_2_045A1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A1DB5 mov eax, dword ptr fs:[00000030h] 9_2_045A1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A35A1 mov eax, dword ptr fs:[00000030h] 9_2_045A35A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h] 9_2_04587E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h] 9_2_04587E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h] 9_2_04587E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h] 9_2_04587E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h] 9_2_04587E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04587E41 mov eax, dword ptr fs:[00000030h] 9_2_04587E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463AE44 mov eax, dword ptr fs:[00000030h] 9_2_0463AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0463AE44 mov eax, dword ptr fs:[00000030h] 9_2_0463AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h] 9_2_0459AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h] 9_2_0459AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h] 9_2_0459AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h] 9_2_0459AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459AE73 mov eax, dword ptr fs:[00000030h] 9_2_0459AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458766D mov eax, dword ptr fs:[00000030h] 9_2_0458766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA61C mov eax, dword ptr fs:[00000030h] 9_2_045AA61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA61C mov eax, dword ptr fs:[00000030h] 9_2_045AA61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457C600 mov eax, dword ptr fs:[00000030h] 9_2_0457C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457C600 mov eax, dword ptr fs:[00000030h] 9_2_0457C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457C600 mov eax, dword ptr fs:[00000030h] 9_2_0457C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A8E00 mov eax, dword ptr fs:[00000030h] 9_2_045A8E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0462FE3F mov eax, dword ptr fs:[00000030h] 9_2_0462FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04631608 mov eax, dword ptr fs:[00000030h] 9_2_04631608
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457E620 mov eax, dword ptr fs:[00000030h] 9_2_0457E620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A36CC mov eax, dword ptr fs:[00000030h] 9_2_045A36CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B8EC7 mov eax, dword ptr fs:[00000030h] 9_2_045B8EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0462FEC0 mov eax, dword ptr fs:[00000030h] 9_2_0462FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04648ED6 mov eax, dword ptr fs:[00000030h] 9_2_04648ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A16E0 mov ecx, dword ptr fs:[00000030h] 9_2_045A16E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045876E2 mov eax, dword ptr fs:[00000030h] 9_2_045876E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04640EA5 mov eax, dword ptr fs:[00000030h] 9_2_04640EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04640EA5 mov eax, dword ptr fs:[00000030h] 9_2_04640EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04640EA5 mov eax, dword ptr fs:[00000030h] 9_2_04640EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460FE87 mov eax, dword ptr fs:[00000030h] 9_2_0460FE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F46A7 mov eax, dword ptr fs:[00000030h] 9_2_045F46A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04648F6A mov eax, dword ptr fs:[00000030h] 9_2_04648F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458EF40 mov eax, dword ptr fs:[00000030h] 9_2_0458EF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458FF60 mov eax, dword ptr fs:[00000030h] 9_2_0458FF60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459F716 mov eax, dword ptr fs:[00000030h] 9_2_0459F716
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA70E mov eax, dword ptr fs:[00000030h] 9_2_045AA70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AA70E mov eax, dword ptr fs:[00000030h] 9_2_045AA70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B73D mov eax, dword ptr fs:[00000030h] 9_2_0459B73D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B73D mov eax, dword ptr fs:[00000030h] 9_2_0459B73D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464070D mov eax, dword ptr fs:[00000030h] 9_2_0464070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0464070D mov eax, dword ptr fs:[00000030h] 9_2_0464070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AE730 mov eax, dword ptr fs:[00000030h] 9_2_045AE730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460FF10 mov eax, dword ptr fs:[00000030h] 9_2_0460FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460FF10 mov eax, dword ptr fs:[00000030h] 9_2_0460FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04574F2E mov eax, dword ptr fs:[00000030h] 9_2_04574F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04574F2E mov eax, dword ptr fs:[00000030h] 9_2_04574F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B37F5 mov eax, dword ptr fs:[00000030h] 9_2_045B37F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7794 mov eax, dword ptr fs:[00000030h] 9_2_045F7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7794 mov eax, dword ptr fs:[00000030h] 9_2_045F7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7794 mov eax, dword ptr fs:[00000030h] 9_2_045F7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04588794 mov eax, dword ptr fs:[00000030h] 9_2_04588794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04590050 mov eax, dword ptr fs:[00000030h] 9_2_04590050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04590050 mov eax, dword ptr fs:[00000030h] 9_2_04590050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04632073 mov eax, dword ptr fs:[00000030h] 9_2_04632073
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04641074 mov eax, dword ptr fs:[00000030h] 9_2_04641074
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7016 mov eax, dword ptr fs:[00000030h] 9_2_045F7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7016 mov eax, dword ptr fs:[00000030h] 9_2_045F7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F7016 mov eax, dword ptr fs:[00000030h] 9_2_045F7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459A830 mov eax, dword ptr fs:[00000030h] 9_2_0459A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459A830 mov eax, dword ptr fs:[00000030h] 9_2_0459A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459A830 mov eax, dword ptr fs:[00000030h] 9_2_0459A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459A830 mov eax, dword ptr fs:[00000030h] 9_2_0459A830
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04644015 mov eax, dword ptr fs:[00000030h] 9_2_04644015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04644015 mov eax, dword ptr fs:[00000030h] 9_2_04644015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458B02A mov eax, dword ptr fs:[00000030h] 9_2_0458B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458B02A mov eax, dword ptr fs:[00000030h] 9_2_0458B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458B02A mov eax, dword ptr fs:[00000030h] 9_2_0458B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0458B02A mov eax, dword ptr fs:[00000030h] 9_2_0458B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h] 9_2_045A002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h] 9_2_045A002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h] 9_2_045A002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h] 9_2_045A002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A002D mov eax, dword ptr fs:[00000030h] 9_2_045A002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0460B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov ecx, dword ptr fs:[00000030h] 9_2_0460B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0460B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0460B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0460B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0460B8D0 mov eax, dword ptr fs:[00000030h] 9_2_0460B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045740E1 mov eax, dword ptr fs:[00000030h] 9_2_045740E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045740E1 mov eax, dword ptr fs:[00000030h] 9_2_045740E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045740E1 mov eax, dword ptr fs:[00000030h] 9_2_045740E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045758EC mov eax, dword ptr fs:[00000030h] 9_2_045758EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B8E4 mov eax, dword ptr fs:[00000030h] 9_2_0459B8E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B8E4 mov eax, dword ptr fs:[00000030h] 9_2_0459B8E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04579080 mov eax, dword ptr fs:[00000030h] 9_2_04579080
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F3884 mov eax, dword ptr fs:[00000030h] 9_2_045F3884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045F3884 mov eax, dword ptr fs:[00000030h] 9_2_045F3884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AF0BF mov ecx, dword ptr fs:[00000030h] 9_2_045AF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AF0BF mov eax, dword ptr fs:[00000030h] 9_2_045AF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045AF0BF mov eax, dword ptr fs:[00000030h] 9_2_045AF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045B90AF mov eax, dword ptr fs:[00000030h] 9_2_045B90AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h] 9_2_045A20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h] 9_2_045A20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h] 9_2_045A20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h] 9_2_045A20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h] 9_2_045A20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A20A0 mov eax, dword ptr fs:[00000030h] 9_2_045A20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B944 mov eax, dword ptr fs:[00000030h] 9_2_0459B944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0459B944 mov eax, dword ptr fs:[00000030h] 9_2_0459B944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457B171 mov eax, dword ptr fs:[00000030h] 9_2_0457B171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457B171 mov eax, dword ptr fs:[00000030h] 9_2_0457B171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_0457C962 mov eax, dword ptr fs:[00000030h] 9_2_0457C962
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04579100 mov eax, dword ptr fs:[00000030h] 9_2_04579100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04579100 mov eax, dword ptr fs:[00000030h] 9_2_04579100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04579100 mov eax, dword ptr fs:[00000030h] 9_2_04579100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A513A mov eax, dword ptr fs:[00000030h] 9_2_045A513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_045A513A mov eax, dword ptr fs:[00000030h] 9_2_045A513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 9_2_04594120 mov eax, dword ptr fs:[00000030h] 9_2_04594120
Enables debug privileges
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 62.149.128.40 80
Source: C:\Windows\explorer.exe Domain query: www.growwithjenn.com
Source: C:\Windows\explorer.exe Domain query: www.oilleakgames.com
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Network Connect: 23.227.38.74 80
Source: C:\Windows\explorer.exe Domain query: www.goldgrandpa.com
Source: C:\Windows\explorer.exe Domain query: www.bring-wellness.com
Source: C:\Windows\explorer.exe Domain query: www.sw-advisers.com
Source: C:\Windows\explorer.exe Network Connect: 165.22.38.5 80
Source: C:\Windows\explorer.exe Domain query: www.goodlukc.com
Source: C:\Windows\explorer.exe Domain query: www.freshdeliciousberryfarm.com
Source: C:\Windows\explorer.exe Domain query: www.goldinsacks.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 157.245.232.77 80
Source: C:\Windows\explorer.exe Domain query: www.2dmaxximumrecords.com
Source: C:\Windows\explorer.exe Domain query: www.allyexpense.com
Source: C:\Windows\explorer.exe Domain query: www.protectpursuit.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Section loaded: unknown target: C:\Users\user\Desktop\UGGJ4NnzFz.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: CA0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Process created: C:\Users\user\Desktop\UGGJ4NnzFz.exe 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
Source: explorer.exe, 00000005.00000000.222167961.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000005.00000000.223815044.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000009.00000002.476895776.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.241512606.000000000871F000.00000004.00000001.sdmp, cmmon32.exe, 00000009.00000002.476895776.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.223815044.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000009.00000002.476895776.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.223815044.0000000001980000.00000002.00000001.sdmp, cmmon32.exe, 00000009.00000002.476895776.0000000002CB0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405B88
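The evasion section above is two stories told as flat lines: the sample maps sections into explorer.exe and cmmon32.exe, hollows cmmon32.exe, queues an APC in explorer.exe, and then explorer.exe (not the sample) is the process that resolves a long list of domains and connects out on port 80, while cmmon32.exe spawns cmd.exe to delete the original file. The script below is an added example, not part of the Joe Sandbox report: it parses the line formats visible on this page into a per-edge injection summary and a per-process IOC list, and flags network activity sourced from a Windows image that should not be opening HTTP connections on its own. The sample lines are copied from this section (with the link text removed); the set of "network-silent" system images and the technique labels are assumptions of the example, not report fields.

```python
"""Turn Joe Sandbox behaviour lines into an injection chain and network IOC list."""
import re
from collections import defaultdict

# Constructed input: lines copied from this report's evasion section, with the
# "Jump to behavior" link text removed.
REPORT_LINES = r"""
Source: C:\Windows\explorer.exe Network Connect: 62.149.128.40 80
Source: C:\Windows\explorer.exe Domain query: www.growwithjenn.com
Source: C:\Windows\explorer.exe Domain query: www.oilleakgames.com
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Thread register set: target process: 3388
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: CA0000
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe'
"""

# One regex per line shape that appears in the report; anything else is ignored.
PATTERNS = {
    "net_connect": re.compile(r"^Source: (?P<src>.+?) Network Connect: (?P<ip>[\d.]+) (?P<port>\d+)$"),
    "dns": re.compile(r"^Source: (?P<src>.+?) Domain query: (?P<domain>\S+)$"),
    "map_section": re.compile(r"^Source: (?P<src>.+?) Section loaded: unknown target: (?P<target>.+?) protection: (?P<prot>.+)$"),
    "set_context": re.compile(r"^Source: (?P<src>.+?) Thread register set: target process: (?P<target>\S+)$"),
    "apc": re.compile(r"^Source: (?P<src>.+?) Thread APC queued: target process: (?P<target>.+)$"),
    "unmap": re.compile(r"^Source: (?P<src>.+?) Section unmapped: (?P<target>.+?) base address: (?P<base>[0-9A-Fa-f]+)$"),
    "proc_create": re.compile(r"^Source: (?P<src>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$"),
}

# Labels for the injection primitives (naming chosen for this example).
TECHNIQUE_LABELS = {
    "map_section": "section mapping",
    "set_context": "thread context modification",
    "apc": "APC injection",
    "unmap": "process hollowing",
}

# Heuristic (assumption): Windows images that, in a sandbox run, normally make no
# outbound HTTP connections of their own. Traffic from them implies injected code.
NETWORK_SILENT_SYSTEM_IMAGES = {"explorer.exe", "cmmon32.exe"}


def basename(path):
    """Windows path -> lower-case image name ('C:\\Windows\\explorer.exe' -> 'explorer.exe')."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_lines(text):
    """Return one event dict per recognised report line."""
    events = []
    for line in text.strip().splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.match(line.strip())
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def build_summary(events):
    """Aggregate events into injection edges, per-process IOCs, self-delete commands and flags."""
    injections = defaultdict(set)                       # (source image, target) -> primitives used
    network = defaultdict(lambda: {"ips": set(), "domains": set()})
    self_delete = []
    for ev in events:
        src, kind = basename(ev["src"]), ev["kind"]
        if kind == "net_connect":
            network[src]["ips"].add(f"{ev['ip']}:{ev['port']}")
        elif kind == "dns":
            network[src]["domains"].add(ev["domain"])
        elif kind in TECHNIQUE_LABELS:
            target = ev["target"]
            if "\\" in target:                          # a path; PIDs (e.g. 3388) stay as given
                target = basename(target)
            injections[(src, target)].add(kind)
        elif kind == "proc_create":
            # cmd.exe /c del <sample path>: the sample removing itself after injection.
            if basename(ev["image"]) == "cmd.exe" and " del " in f" {ev['cmdline'].lower()}":
                self_delete.append(ev["cmdline"])
    return {
        "injections": {edge: sorted(TECHNIQUE_LABELS[k] for k in kinds)
                       for edge, kinds in sorted(injections.items())},
        "network": {img: {"ips": sorted(v["ips"]), "domains": sorted(v["domains"])}
                    for img, v in network.items()},
        "self_delete": self_delete,
        "flagged": sorted(img for img in network if img in NETWORK_SILENT_SYSTEM_IMAGES),
    }


if __name__ == "__main__":
    summary = build_summary(parse_lines(REPORT_LINES))
    for (src, dst), techniques in summary["injections"].items():
        print(f"{src} -> {dst}: {', '.join(techniques)}")
    for img in summary["flagged"]:
        print(f"ALERT system image {img} made network contact: {summary['network'][img]}")
    for cmd in summary["self_delete"]:
        print(f"self-delete: cmd.exe {cmd}")
```

The same parser can be pointed at the full section: the domain list will then be dominated by decoy hosts, which is why the IPs that actually received a connection (the `Network Connect` lines) are kept separate from the bare `Domain query` lines.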

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
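The Yara hits in the two sections above (Stealing of Sensitive Information and Remote Access Functionality list the same set) point at memory dumps and unpacked PEs by name only. The script below is an added example, not part of the report: it decodes those names so an analyst can see which hits sit in private read-write-execute memory, and pairs each `.unpack` artefact with the `.sdmp` region it was carved from. The field layout used here (process index, dump round, sequence number, base address, PAGE_* protection, MEM_* type for `.sdmp`; process index, dump round, image name, base address, index for `.unpack`) is this example's reading of Joe Sandbox's naming and is an assumption; the page itself supports it, since `0.2.UGGJ4NnzFz.exe.2290000.3.unpack` lines up with `00000000.00000002.….0000000002290000.00000004.00000001.sdmp`. The PAGE_* and MEM_* values are the documented Win32 constants; values not in those tables are passed through as hex.

```python
"""Decode Joe Sandbox memory-dump and unpacked-PE identifiers from Yara hit lines."""
import re

# Win32 constants (documented values).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# Constructed input: the Yara hit lines from this report's "Stealing of Sensitive Information" section.
YARA_LINES = """
Source: Yara match File source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
"""

LINE_RE = re.compile(r"^Source: Yara match File source: (\S+), type: (MEMORY|UNPACKEDPE)$")
# Assumed layout: proc.round.seq.base.protection.memtype.sdmp
DUMP_RE = re.compile(r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# Assumed layout: proc.round.<image name>.base.index[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+)\.([0-9A-Fa-f]+)\.(\d+)\.(raw\.)?unpack$")


def parse_dump_name(name):
    """Decode an .sdmp file name into process, round, base address and decoded flags."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    proc, rnd, seq, base, prot, mtype = m.groups()
    prot_v, mtype_v = int(prot, 16), int(mtype, 16)
    return {
        "process": int(proc), "round": int(rnd), "seq": int(seq), "base": int(base, 16),
        "protection": PAGE_PROTECTION.get(prot_v, hex(prot_v)),
        "executable": prot_v in EXECUTABLE,
        "mem_type": MEM_TYPE.get(mtype_v, hex(mtype_v)),
    }


def parse_unpack_name(name):
    """Decode an .unpack / .raw.unpack file name."""
    m = UNPACK_RE.match(name)
    if not m:
        return None
    proc, rnd, image, base, idx, raw = m.groups()
    return {"process": int(proc), "round": int(rnd), "image": image,
            "base": int(base, 16), "index": int(idx), "raw": raw is not None}


def summarize_yara_hits(text):
    """Collect decoded dumps and unpacks, the RWX subset, and (process, round, base) pairs."""
    dumps, unpacks = [], []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        name, kind = m.groups()
        parsed = parse_dump_name(name) if kind == "MEMORY" else parse_unpack_name(name)
        if parsed:
            (dumps if kind == "MEMORY" else unpacks).append(parsed)
    rwx = [d for d in dumps if d["protection"] == "PAGE_EXECUTE_READWRITE"]
    # Pair an unpacked PE with the dump it was carved from: same process, round and base.
    dump_keys = {(d["process"], d["round"], d["base"]) for d in dumps}
    paired = sorted({(u["process"], u["round"], u["base"]) for u in unpacks
                     if (u["process"], u["round"], u["base"]) in dump_keys})
    return {"dumps": dumps, "unpacks": unpacks, "rwx": rwx, "paired": paired}


if __name__ == "__main__":
    s = summarize_yara_hits(YARA_LINES)
    for d in s["rwx"]:
        print(f"process {d['process']} round {d['round']} base {d['base']:#x} {d['protection']} {d['mem_type']}")
    for proc, rnd, base in s["paired"]:
        print(f"unpacked PE from process {proc}, round {rnd}, base {base:#x}")
```

Reading the output against this report: every RWX hit belongs to process 1 (the second, hollowed UGGJ4NnzFz.exe instance, at its image base 0x400000 and two private regions) or process 9 (cmmon32.exe); the two PAGE_READWRITE hits are the staging buffers the payload was written to before being mapped.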