Analysis Report 444890321.exe

Overview

General Information

Sample Name: 444890321.exe
Analysis ID: 433174
MD5: f161fe51fee0cd2f542ea759241c88cb
SHA1: cd75d9c5a293151ad50dfa1d05edb5871fc08ad5
SHA256: d2d2d97ab2f2c78a230c58a61296504419d0b545c6c6d76193b654dfe9937499
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: www.111bjs.com/ccr/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.111bjs.com/ccr/"], "decoy": ["abdullahlodhi.com", "jevya.com", "knoxvillerestaurant.com", "mekarauroko7389.com", "cricketspowder.net", "johannchirinos.com", "orangeorganical.com", "libero-tt.com", "lorenaegianluca.com", "wintab.net", "modernmillievintage.com", "zgdqcyw.com", "jeffabildgaardmd.com", "nurulfikrimakassar.com", "findyourchef.com", "innovationsservicegroup.com", "destek-taleplerimiz.com", "whfqqco.icu", "kosmetikmadeingermany.com", "dieteticos.net", "savarsineklik.com", "newfashiontrends.com", "e-mobilitysolutions.com", "spaced.ltd", "amjadalitrading.com", "thejstutor.com", "zzhqp.com", "exoticomistico.com", "oklahomasundayschool.com", "grwfrog.com", "elementsfitnessamdwellbeing.com", "auldontoyworld.com", "cumhuriyetcidemokratparti.kim", "thetruthinternational.com", "adimadimingilizce.com", "retreatwinds.com", "duoteshop.com", "jasonkokrak.com", "latindancextreme.com", "agavedeals.com", "motz.xyz", "kspecialaroma.com", "yuejinjc.com", "print12580.com", "ampsports.tennis", "affordablebathroomsarizona.com", "casnop.com", "driftwestcoastmarket.com", "bjsjygg.com", "gwpjamshedpur.com", "reserveacalifornia.com", "caobv.com", "culturaenmistacones.com", "back-upstore.com", "jjsmiths.com", "iamxc.com", "siobhankrittiya.com", "digitalakanksha.com", "koatku.com", "shamushalkowich.com", "merplerps.com", "fishexpertise.com", "sweetheartmart.com", "nqs.xyz"]}
Multi AV Scanner detection for submitted file
Source: 444890321.exe Metadefender: Detection: 17%
Source: 444890321.exe ReversingLabs: Detection: 67%
Yara detected FormBook
Source: Yara match File source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 444890321.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.444890321.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.WWAHost.exe.431f834.5.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.WWAHost.exe.34498d0.2.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.444890321.exe.23b0000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.444890321.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 444890321.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: WWAHost.pdb source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 444890321.exe, 00000000.00000003.207642896.00000000099C0000.00000004.00000001.sdmp, 444890321.exe, 00000001.00000002.265126021.0000000000A8F000.00000040.00000001.sdmp, WWAHost.exe, 0000000A.00000002.470470953.0000000003F0F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 444890321.exe, WWAHost.exe
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\System32\TileDataRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\system32\Windows.StateRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\SYSTEM32\usermgrcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\System32\Windows.StateRepositoryPS.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\system32\StateRepository.Core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\System32\usermgrproxy.dll

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\444890321.exe Code function: 4x nop then pop edi 1_2_00417D7A
Source: C:\Users\user\Desktop\444890321.exe Code function: 4x nop then pop edi 1_2_00417D24
Source: C:\Users\user\Desktop\444890321.exe Code function: 4x nop then pop edi 1_1_00417D7A
Source: C:\Users\user\Desktop\444890321.exe Code function: 4x nop then pop edi 1_1_00417D24
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop edi 10_2_03247D24
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 4x nop then pop edi 10_2_03247D7A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.169.40.107:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.169.40.107:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.169.40.107:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.111bjs.com/ccr/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ccr/?FJB=DYL3Mol3r87Z8qId+4Ycjijbq71Py48wOU/SaqdUDZ5D3FcnOOzajI1IKd683KRXh37z&v0=JDK8Zp HTTP/1.1 Host: www.mekarauroko7389.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ccr/?FJB=AxjKtjbRfNJtNPnejOfQjb3R2KRHRMY2w4U1+yq2aSZlRtrxzdj5Yr2imIB9O7nqKvHd&v0=JDK8Zp HTTP/1.1 Host: www.oklahomasundayschool.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRevKVZrdd8Pf&v0=JDK8Zp HTTP/1.1 Host: www.shamushalkowich.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.59.242.153
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: BODIS-NJUS
Source: Joe Sandbox View ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View ASN Name: AMAZON-AESUS
Source: unknown DNS traffic detected: queries for: www.mekarauroko7389.com
Source: explorer.exe, 00000004.00000000.234301981.0000000008907000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 444890321.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 444890321.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: WWAHost.exe, 0000000A.00000002.472331929.000000000480F000.00000004.00000001.sdmp String found in binary or memory: https://www.shamushalkowich.com/ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRev

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405042

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00419D50 NtCreateFile, 1_2_00419D50
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00419E00 NtReadFile, 1_2_00419E00
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00419E80 NtClose, 1_2_00419E80
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00419F30 NtAllocateVirtualMemory, 1_2_00419F30
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00419DFB NtReadFile, 1_2_00419DFB
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00419F2B NtAllocateVirtualMemory, 1_2_00419F2B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_009D98F0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk, 1_2_009D9840
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_009D9860
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk, 1_2_009D99A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_009D9910
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_009D9A00
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk, 1_2_009D9A20
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk, 1_2_009D9A50
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk, 1_2_009D95D0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk, 1_2_009D9540
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_009D96E0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_009D9660
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_009D9780
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_009D97A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_009D9710
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D98A0 NtWriteVirtualMemory, 1_2_009D98A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9820 NtEnumerateKey, 1_2_009D9820
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009DB040 NtSuspendThread, 1_2_009DB040
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D99D0 NtCreateProcessEx, 1_2_009D99D0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9950 NtQueueApcThread, 1_2_009D9950
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9A80 NtOpenDirectoryObject, 1_2_009D9A80
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9A10 NtQuerySection, 1_2_009D9A10
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009DA3B0 NtGetContextThread, 1_2_009DA3B0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9B00 NtSetValueKey, 1_2_009D9B00
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D95F0 NtQueryInformationFile, 1_2_009D95F0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009DAD30 NtSetContextThread, 1_2_009DAD30
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9520 NtWaitForSingleObject, 1_2_009D9520
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9560 NtWriteFile, 1_2_009D9560
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D96D0 NtCreateKey, 1_2_009D96D0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9610 NtEnumerateValueKey, 1_2_009D9610
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9650 NtQueryValueKey, 1_2_009D9650
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9670 NtQueryInformationProcess, 1_2_009D9670
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9FE0 NtCreateMutant, 1_2_009D9FE0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009DA710 NtOpenProcessToken, 1_2_009DA710
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9730 NtQueryVirtualMemory, 1_2_009D9730
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9770 NtSetInformationFile, 1_2_009D9770
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009DA770 NtOpenThread, 1_2_009DA770
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D9760 NtOpenProcess, 1_2_009D9760
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00419D50 NtCreateFile, 1_1_00419D50
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00419E00 NtReadFile, 1_1_00419E00
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00419E80 NtClose, 1_1_00419E80
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00419F30 NtAllocateVirtualMemory, 1_1_00419F30
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00419DFB NtReadFile, 1_1_00419DFB
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00419F2B NtAllocateVirtualMemory, 1_1_00419F2B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59A50 NtCreateFile,LdrInitializeThunk, 10_2_03E59A50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E599A0 NtCreateSection,LdrInitializeThunk, 10_2_03E599A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59910 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_03E59910
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59860 NtQuerySystemInformation,LdrInitializeThunk, 10_2_03E59860
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59840 NtDelayExecution,LdrInitializeThunk, 10_2_03E59840
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59FE0 NtCreateMutant,LdrInitializeThunk, 10_2_03E59FE0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59780 NtMapViewOfSection,LdrInitializeThunk, 10_2_03E59780
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59710 NtQueryInformationToken,LdrInitializeThunk, 10_2_03E59710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E596E0 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_03E596E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E596D0 NtCreateKey,LdrInitializeThunk, 10_2_03E596D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59660 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_03E59660
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59650 NtQueryValueKey,LdrInitializeThunk, 10_2_03E59650
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E595D0 NtClose,LdrInitializeThunk, 10_2_03E595D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59540 NtReadFile,LdrInitializeThunk, 10_2_03E59540
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E5A3B0 NtGetContextThread, 10_2_03E5A3B0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59B00 NtSetValueKey, 10_2_03E59B00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59A80 NtOpenDirectoryObject, 10_2_03E59A80
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59A20 NtResumeThread, 10_2_03E59A20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59A00 NtProtectVirtualMemory, 10_2_03E59A00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59A10 NtQuerySection, 10_2_03E59A10
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E599D0 NtCreateProcessEx, 10_2_03E599D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59950 NtQueueApcThread, 10_2_03E59950
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E598F0 NtReadVirtualMemory, 10_2_03E598F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E598A0 NtWriteVirtualMemory, 10_2_03E598A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E5B040 NtSuspendThread, 10_2_03E5B040
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59820 NtEnumerateKey, 10_2_03E59820
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E597A0 NtUnmapViewOfSection, 10_2_03E597A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59760 NtOpenProcess, 10_2_03E59760
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E5A770 NtOpenThread, 10_2_03E5A770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59770 NtSetInformationFile, 10_2_03E59770
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59730 NtQueryVirtualMemory, 10_2_03E59730
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E5A710 NtOpenProcessToken, 10_2_03E5A710
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59670 NtQueryInformationProcess, 10_2_03E59670
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59610 NtEnumerateValueKey, 10_2_03E59610
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E595F0 NtQueryInformationFile, 10_2_03E595F0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59560 NtWriteFile, 10_2_03E59560
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E59520 NtWaitForSingleObject, 10_2_03E59520
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E5AD30 NtSetContextThread, 10_2_03E5AD30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03249F30 NtAllocateVirtualMemory, 10_2_03249F30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03249E00 NtReadFile, 10_2_03249E00
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03249E80 NtClose, 10_2_03249E80
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03249D50 NtCreateFile, 10_2_03249D50
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03249F2B NtAllocateVirtualMemory, 10_2_03249F2B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03249DFB NtReadFile, 10_2_03249DFB
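The Nt* functions listed above for WWAHost.exe are the evidence behind the "Sample uses process hollowing technique" and "Queues an APC in another process (thread injection)" verdicts; calling ntdll directly instead of the kernel32 wrappers is a common way to stay below user-mode API hooks. The C program below is an added example by the editor, not part of the Joe Sandbox report: it parses lines in the report's own "Code function:" format, collects the resolved Nt* names, and scores them against two call chains. The sample lines are a constructed subset copied from the entries above, and the two chain definitions are the editor's assumption about the minimal call set for each technique, not a rule the report applies.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in the report's "Code function:" format
   (copied from the WWAHost.exe entries above; the subset is the editor's choice). */
static const char *REPORT_LINES[] = {
    "Source: C:\\Windows\\SysWOW64\\WWAHost.exe Code function: 10_2_03E599D0 NtCreateProcessEx, 10_2_03E599D0",
    "Source: C:\\Windows\\SysWOW64\\WWAHost.exe Code function: 10_2_03E597A0 NtUnmapViewOfSection, 10_2_03E597A0",
    "Source: C:\\Windows\\SysWOW64\\WWAHost.exe Code function: 10_2_03E598A0 NtWriteVirtualMemory, 10_2_03E598A0",
    "Source: C:\\Windows\\SysWOW64\\WWAHost.exe Code function: 10_2_03E5AD30 NtSetContextThread, 10_2_03E5AD30",
    "Source: C:\\Windows\\SysWOW64\\WWAHost.exe Code function: 10_2_03E59A20 NtResumeThread, 10_2_03E59A20",
    "Source: C:\\Windows\\SysWOW64\\WWAHost.exe Code function: 10_2_03E5A770 NtOpenThread, 10_2_03E5A770",
    "Source: C:\\Windows\\SysWOW64\\WWAHost.exe Code function: 10_2_03E59950 NtQueueApcThread, 10_2_03E59950",
    "Source: C:\\Windows\\SysWOW64\\WWAHost.exe Code function: 10_2_03E595D0 NtClose,LdrInitializeThunk, 10_2_03E595D0",
};
#define N_LINES (sizeof REPORT_LINES / sizeof REPORT_LINES[0])
#define MAX_APIS 64
#define NAME_LEN 48

/* Pull every Nt* identifier out of the comma-separated list that follows the function id. */
static size_t extract_nt_apis(const char *const *lines, size_t n, char out[][NAME_LEN], size_t cap)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) {
        const char *p = strstr(lines[i], "Code function: ");
        if (p == NULL) continue;
        p += strlen("Code function: ");
        while (*p != '\0' && *p != ' ') p++;             /* skip the "10_2_03E599D0" id */
        while (*p != '\0') {
            while (*p == ' ' || *p == ',') p++;
            const char *start = p;
            while (*p != '\0' && *p != ' ' && *p != ',') p++;
            size_t len = (size_t)(p - start);
            if (len > 2 && len < NAME_LEN && start[0] == 'N' && start[1] == 't' && count < cap) {
                memcpy(out[count], start, len);
                out[count][len] = '\0';
                count++;
            }
        }
    }
    return count;
}

static int has_api(char apis[][NAME_LEN], size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(apis[i], name) == 0) return 1;
    return 0;
}

/* How many members of a technique's call chain were resolved. */
static size_t chain_hits(char apis[][NAME_LEN], size_t n, const char *const *chain, size_t chain_len)
{
    size_t hits = 0;
    for (size_t i = 0; i < chain_len; i++) hits += (size_t)has_api(apis, n, chain[i]);
    return hits;
}

/* Editor's assumption: the minimal native-call sets behind the two injection verdicts. */
static const char *const HOLLOWING_CHAIN[] = {
    "NtCreateProcessEx", "NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"
};
static const char *const APC_CHAIN[] = { "NtOpenThread", "NtWriteVirtualMemory", "NtQueueApcThread" };
#define LEN(a) (sizeof (a) / sizeof (a)[0])

/* Returns the number of Nt* names found and fills in hits per chain. */
static size_t analyze_sample(size_t *hollow_hits, size_t *apc_hits)
{
    char apis[MAX_APIS][NAME_LEN];
    size_t n = extract_nt_apis(REPORT_LINES, N_LINES, apis, MAX_APIS);
    *hollow_hits = chain_hits(apis, n, HOLLOWING_CHAIN, LEN(HOLLOWING_CHAIN));
    *apc_hits    = chain_hits(apis, n, APC_CHAIN, LEN(APC_CHAIN));
    return n;
}

static size_t sample_api_count(void)         { size_t h, a; return analyze_sample(&h, &a); }
static int    sample_hollowing_complete(void) { size_t h, a; analyze_sample(&h, &a); return h == LEN(HOLLOWING_CHAIN); }
static int    sample_apc_complete(void)       { size_t h, a; analyze_sample(&h, &a); return a == LEN(APC_CHAIN); }

int main(void)
{
    size_t h, a, n = analyze_sample(&h, &a);
    printf("%zu Nt* APIs resolved; hollowing chain %zu/%zu; APC chain %zu/%zu\n",
           n, h, LEN(HOLLOWING_CHAIN), a, LEN(APC_CHAIN));
    return 0;
}
```

A full chain is a strong signal but not proof: a legitimate installer can resolve NtWriteVirtualMemory, and a packer may split the chain across the parent and the hollowed child (here 444890321.exe creates the suspended copy and WWAHost.exe carries the rest), so score per process tree rather than per image.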
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040323C
Detected potential crypto function
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00404853 0_2_00404853
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00406131 0_2_00406131
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_740D1A98 0_2_740D1A98
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0041E071 1_2_0041E071
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0041E5FC 1_2_0041E5FC
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00402D87 1_2_00402D87
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00409E30 1_2_00409E30
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AB090 1_2_009AB090
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A620A8 1_2_00A620A8
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 1_2_009C20A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A628EC 1_2_00A628EC
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A6E824 1_2_00A6E824
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51002 1_2_00A51002
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA830 1_2_009BA830
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099F900 1_2_0099F900
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 1_2_009B4120
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A622AE 1_2_00A622AE
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A4FA2B 1_2_00A4FA2B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CEBB0 1_2_009CEBB0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CABD8 1_2_009CABD8
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A423E3 1_2_00A423E3
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5DBD2 1_2_00A5DBD2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A503DA 1_2_00A503DA
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A62B28 1_2_00A62B28
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BAB40 1_2_009BAB40
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A841F 1_2_009A841F
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5D466 1_2_00A5D466
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2581 1_2_009C2581
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52D82 1_2_00A52D82
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AD5E0 1_2_009AD5E0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A625DD 1_2_00A625DD
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A62D07 1_2_00A62D07
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00990D20 1_2_00990D20
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A61D55 1_2_00A61D55
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A62EF7 1_2_00A62EF7
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B6E30 1_2_009B6E30
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5D616 1_2_00A5D616
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A61FF1 1_2_00A61FF1
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A6DFCE 1_2_00A6DFCE
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_0041E071 1_1_0041E071
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00401030 1_1_00401030
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_0041E5FC 1_1_0041E5FC
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00402D87 1_1_00402D87
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00402D90 1_1_00402D90
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00409E30 1_1_00409E30
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00402FB0 1_1_00402FB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ED03DA 10_2_03ED03DA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EDDBD2 10_2_03EDDBD2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E4EBB0 10_2_03E4EBB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3AB40 10_2_03E3AB40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE2B28 10_2_03EE2B28
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE22AE 10_2_03EE22AE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ECFA2B 10_2_03ECFA2B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E34120 10_2_03E34120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1F900 10_2_03E1F900
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE28EC 10_2_03EE28EC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E420A0 10_2_03E420A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE20A8 10_2_03EE20A8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E2B090 10_2_03E2B090
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EEE824 10_2_03EEE824
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A830 10_2_03E3A830
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ED1002 10_2_03ED1002
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE1FF1 10_2_03EE1FF1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EEDFCE 10_2_03EEDFCE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE2EF7 10_2_03EE2EF7
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E36E30 10_2_03E36E30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EDD616 10_2_03EDD616
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E2D5E0 10_2_03E2D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE25DD 10_2_03EE25DD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E42581 10_2_03E42581
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE1D55 10_2_03EE1D55
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E10D20 10_2_03E10D20
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE2D07 10_2_03EE2D07
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EDD466 10_2_03EDD466
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E2841F 10_2_03E2841F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_0324E071 10_2_0324E071
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03232FB0 10_2_03232FB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03239E30 10_2_03239E30
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03232D87 10_2_03232D87
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03232D90 10_2_03232D90
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_0324E5FC 10_2_0324E5FC
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: String function: 03E1B150 appears 54 times
Source: C:\Users\user\Desktop\444890321.exe Code function: String function: 0041BBD0 appears 38 times
Source: C:\Users\user\Desktop\444890321.exe Code function: String function: 0099B150 appears 136 times
Sample file is different than original file name gathered from version info
Source: 444890321.exe, 00000000.00000003.204714457.0000000009C6F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 444890321.exe
Source: 444890321.exe, 00000001.00000002.265683363.0000000002766000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameWWAHost.exej% vs 444890321.exe
Source: 444890321.exe, 00000001.00000002.265126021.0000000000A8F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 444890321.exe
Uses 32bit PE files
Source: 444890321.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/4@3/3
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404356
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar, 0_2_00402020
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
Source: C:\Users\user\Desktop\444890321.exe File created: C:\Users\user\AppData\Local\Temp\nskAF62.tmp
Source: 444890321.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\444890321.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\444890321.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 444890321.exe Metadefender: Detection: 17%
Source: 444890321.exe ReversingLabs: Detection: 67%
Source: C:\Users\user\Desktop\444890321.exe File read: C:\Users\user\Desktop\444890321.exe
Source: unknown Process created: C:\Users\user\Desktop\444890321.exe 'C:\Users\user\Desktop\444890321.exe'
Source: C:\Users\user\Desktop\444890321.exe Process created: C:\Users\user\Desktop\444890321.exe 'C:\Users\user\Desktop\444890321.exe'
Source: C:\Users\user\Desktop\444890321.exe Process created: C:\Windows\System32\backgroundTaskHost.exe 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
Source: C:\Windows\System32\backgroundTaskHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\444890321.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\444890321.exe Process created: C:\Users\user\Desktop\444890321.exe 'C:\Users\user\Desktop\444890321.exe'
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\444890321.exe'
Source: C:\Users\user\Desktop\444890321.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Binary string: WWAHost.pdb source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: 444890321.exe, 00000000.00000003.207642896.00000000099C0000.00000004.00000001.sdmp, 444890321.exe, 00000001.00000002.265126021.0000000000A8F000.00000040.00000001.sdmp, WWAHost.exe, 0000000A.00000002.470470953.0000000003F0F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 444890321.exe, WWAHost.exe
Source: Binary string: MusNotifyIcon.pdbGCTL source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\444890321.exe Unpacked PE file: 1.2.444890321.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_740D2F60 push eax; ret 0_2_740D2F8E
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_004198E6 pushad ; ret 1_2_004198EA
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00417AA0 push 00FCAB15h; ret 1_2_00417AA6
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00416608 push esp; iretd 1_2_00416609
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0041CEF2 push eax; ret 1_2_0041CEF8
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0041CEFB push eax; ret 1_2_0041CF62
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0041CEA5 push eax; ret 1_2_0041CEF8
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0041CF5C push eax; ret 1_2_0041CF62
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00416FE8 push ss; retf 1_2_00416FE9
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009ED0D1 push ecx; ret 1_2_009ED0E4
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_004198E6 pushad ; ret 1_1_004198EA
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00417AA0 push 00FCAB15h; ret 1_1_00417AA6
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00416608 push esp; iretd 1_1_00416609
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_0041CEF2 push eax; ret 1_1_0041CEF8
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_0041CEFB push eax; ret 1_1_0041CF62
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_0041CEA5 push eax; ret 1_1_0041CEF8
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_0041CF5C push eax; ret 1_1_0041CF62
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_1_00416FE8 push ss; retf 1_1_00416FE9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E6D0D1 push ecx; ret 10_2_03E6D0E4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03247AA0 push 00FCAB15h; ret 10_2_03247AA6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_032498E6 pushad ; ret 10_2_032498EA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_0324CF5C push eax; ret 10_2_0324CF62
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03246FE8 push ss; retf 10_2_03246FE9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03246608 push esp; iretd 10_2_03246609
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_0324CEA5 push eax; ret 10_2_0324CEF8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_0324CEF2 push eax; ret 10_2_0324CEF8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_0324CEFB push eax; ret 10_2_0324CF62
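A "push X; ret" pair is a control transfer with no jmp or call opcode: "push 00FCAB15h; ret" at 1_2_00417AA0 jumps to 0x00FCAB15, and "push eax; ret" jumps to whatever eax holds, so linear disassembly and call-graph recovery both lose the edge. The program below is an added example by the editor, not code from the report or the sample: it scans a byte buffer for the two standard encodings (68 imm32 C3 and 50+r C3) and decodes the immediate target. The report gives mnemonics only, so the buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One "push X ; ret" sequence found in a byte buffer. */
typedef struct {
    size_t   offset;   /* offset of the push opcode */
    int      is_imm;   /* 1: push imm32 ; ret   0: push r32 ; ret */
    uint32_t target;   /* decoded imm32, i.e. the address ret transfers to */
    int      reg;      /* register number 0..7 (eax..edi) for push r32, else -1 */
} push_ret_hit;

/* Scan for the two encodings the report flags:
   68 imm32 C3  -> push imm32 ; ret   (a jmp to imm32 without a jmp opcode)
   50+r C3      -> push r32   ; ret   (a jmp to whatever the register holds) */
static size_t scan_push_ret(const uint8_t *buf, size_t len, push_ret_hit *hits, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len && n < cap; i++) {
        if (buf[i] == 0x68 && i + 5 < len && buf[i + 5] == 0xC3) {
            hits[n].offset = i;
            hits[n].is_imm = 1;
            hits[n].reg    = -1;
            hits[n].target = (uint32_t)buf[i + 1]         | ((uint32_t)buf[i + 2] << 8)
                           | ((uint32_t)buf[i + 3] << 16) | ((uint32_t)buf[i + 4] << 24);
            n++;
        } else if (buf[i] >= 0x50 && buf[i] <= 0x57 && buf[i + 1] == 0xC3) {
            hits[n].offset = i;
            hits[n].is_imm = 0;
            hits[n].reg    = buf[i] - 0x50;
            hits[n].target = 0;
            n++;
        }
    }
    return n;
}

/* Constructed buffer (editor's, not bytes from the sample): a normal prologue, the
   6-byte encoding of "push 00FCAB15h; ret" as reported at 1_2_00417AA0, padding,
   the 2-byte encoding of "push eax; ret", and a normal epilogue. */
static const uint8_t SAMPLE_CODE[] = {
    0x55, 0x8B, 0xEC,                    /* push ebp ; mov ebp, esp   (not flagged) */
    0x68, 0x15, 0xAB, 0xFC, 0x00, 0xC3,  /* push 00FCAB15h ; ret      (flagged)     */
    0x90, 0x90,                          /* nop ; nop                               */
    0x50, 0xC3,                          /* push eax ; ret            (flagged)     */
    0xC9, 0xC3                           /* leave ; ret               (not flagged) */
};
#define MAX_HITS 16

static size_t sample_hit_count(void)
{
    push_ret_hit hits[MAX_HITS];
    return scan_push_ret(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, MAX_HITS);
}

/* Decoded target of the first push-imm32;ret in the constructed buffer (0 if none). */
static uint32_t sample_first_target(void)
{
    push_ret_hit hits[MAX_HITS];
    size_t n = scan_push_ret(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++)
        if (hits[i].is_imm) return hits[i].target;
    return 0;
}

/* Register index of the first push-r32;ret (eax = 0), or -1 if none. */
static int sample_first_reg(void)
{
    push_ret_hit hits[MAX_HITS];
    size_t n = scan_push_ret(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++)
        if (!hits[i].is_imm) return hits[i].reg;
    return -1;
}

int main(void)
{
    push_ret_hit hits[MAX_HITS];
    size_t n = scan_push_ret(SAMPLE_CODE, sizeof SAMPLE_CODE, hits, MAX_HITS);
    for (size_t i = 0; i < n; i++) {
        if (hits[i].is_imm)
            printf("+%02zx: push %08Xh ; ret -> transfers to 0x%08X\n",
                   hits[i].offset, (unsigned)hits[i].target, (unsigned)hits[i].target);
        else
            printf("+%02zx: push r%d ; ret      -> transfers to the register value\n",
                   hits[i].offset, hits[i].reg);
    }
    return 0;
}
```

Two caveats when running this over a real image: a byte scan has no instruction boundaries, so an imm32 that happens to contain 0x68 followed five bytes later by 0xC3 is a false positive, and hand-written thunks legitimately use push-imm32/ret. The other variants in the list ("pushad; ret", "push esp; iretd", "push ss; retf") need their own patterns; iretd and retf pop more than a return address and are a stronger obfuscation signal than a plain ret.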

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\444890321.exe File created: C:\Users\user\AppData\Local\Temp\nskAF64.tmp\System.dll

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE2
Source: C:\Users\user\Desktop\444890321.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\backgroundTaskHost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\backgroundTaskHost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WWAHost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
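The PeekMessageA entry records that the first bytes of a user32.dll export inside explorer.exe no longer match the module on disk; that is the kind of inline hook FormBook plants in message-pump functions to intercept input. The check below is an added example by the editor, not code from the report: given the prolog bytes of an export read from the live process and the same bytes from the on-disk image, it reports the first differing byte, classifies the common x64 trampoline encodings, and resolves the destination for each. The clean and hooked byte strings and the export address are constructed stand-ins; the report gives only six bytes of the real hooked prolog, and those are not decoded here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32, HOOK_JMP_RIPREL, HOOK_MOV_JMP_RAX, HOOK_UNKNOWN };

typedef struct {
    enum hook_kind kind;
    size_t   first_diff;   /* index of the first byte that differs from the on-disk copy */
    uint64_t target;       /* decoded trampoline destination when the encoding is recognised */
} hook_report;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Compare the first `len` bytes of an export as read from the live process (`mem`)
   against the same bytes from the module on disk (`disk`, relocations applied).
   `func_va` is the export's virtual address, needed to resolve a rel32 jmp. */
static hook_report check_prolog(uint64_t func_va, const uint8_t *disk, const uint8_t *mem, size_t len)
{
    hook_report r = { HOOK_NONE, len, 0 };
    size_t i = 0;
    while (i < len && disk[i] == mem[i]) i++;
    if (i == len) return r;                              /* byte-identical: no inline hook */
    r.first_diff = i;
    r.kind = HOOK_UNKNOWN;
    if (len >= 5 && mem[0] == 0xE9) {                    /* E9 rel32              jmp rel32 */
        r.kind   = HOOK_JMP_REL32;
        r.target = func_va + 5 + (uint64_t)(int64_t)(int32_t)le32(mem + 1);
    } else if (len >= 14 && mem[0] == 0xFF && mem[1] == 0x25 && le32(mem + 2) == 0) {
        r.kind   = HOOK_JMP_RIPREL;                      /* FF 25 00000000 imm64  jmp [rip+0] */
        r.target = le64(mem + 6);
    } else if (len >= 12 && mem[0] == 0x48 && mem[1] == 0xB8 && mem[10] == 0xFF && mem[11] == 0xE0) {
        r.kind   = HOOK_MOV_JMP_RAX;                     /* 48 B8 imm64 ; FF E0   mov rax,imm64 ; jmp rax */
        r.target = le64(mem + 2);
    }
    return r;
}

/* Constructed stand-ins (editor's, not the real user32 bytes): an ordinary x64 prologue as it
   would be read from disk, and the same bytes after a 5-byte jmp overwrote the first instruction. */
#define PROLOG_LEN 16
static const uint64_t PEEKMESSAGE_VA = 0x7FF812340000ull;   /* assumed export address */
static const uint8_t CLEAN[PROLOG_LEN] = {
    0x48, 0x89, 0x5C, 0x24, 0x08,   /* mov [rsp+8], rbx  */
    0x48, 0x89, 0x74, 0x24, 0x10,   /* mov [rsp+16], rsi */
    0x57,                           /* push rdi          */
    0x48, 0x83, 0xEC, 0x20,         /* sub rsp, 0x20     */
    0x90                            /* nop               */
};
static const uint8_t HOOKED[PROLOG_LEN] = {
    0xE9, 0xFB, 0x0F, 0x00, 0x00,   /* jmp +0xFFB: lands 0x1000 past the export */
    0x48, 0x89, 0x74, 0x24, 0x10,
    0x57,
    0x48, 0x83, 0xEC, 0x20,
    0x90
};

static int      sample_hook_kind(void)   { return (int)check_prolog(PEEKMESSAGE_VA, CLEAN, HOOKED, PROLOG_LEN).kind; }
static uint64_t sample_hook_target(void) { return check_prolog(PEEKMESSAGE_VA, CLEAN, HOOKED, PROLOG_LEN).target; }
static int      sample_clean_kind(void)  { return (int)check_prolog(PEEKMESSAGE_VA, CLEAN, CLEAN,  PROLOG_LEN).kind; }

int main(void)
{
    hook_report r = check_prolog(PEEKMESSAGE_VA, CLEAN, HOOKED, PROLOG_LEN);
    printf("kind=%d first_diff=%zu target=0x%llX\n", (int)r.kind, r.first_diff, (unsigned long long)r.target);
    return 0;
}
```

In practice `mem` comes from ReadProcessMemory on the target and `disk` from the same module version mapped from its file, with relocations applied, otherwise ASLR alone produces differences. A recognised trampoline whose target lies outside any loaded module's image range (private RWX memory, as the "Maps a DLL or memory area into another process" finding implies here) is the case worth alerting on; a target inside another signed module is usually a legitimate hot-patch or detour.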

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\444890321.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\444890321.exe RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 00000000032398E4 second address: 00000000032398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WWAHost.exe RDTSC instruction interceptor: First address: 0000000003239B4E second address: 0000000003239B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
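The four interceptor entries show the same six-byte probe at two sites in each image: two rdtsc reads separated by "xor ecx, ecx; add ecx, eax" (the second address is six bytes past the first, which is exactly rdtsc + xor + add). On bare metal the second read lands tens of cycles after the first; when a hypervisor traps RDTSC, or a debugger single-steps the block, the gap grows by orders of magnitude, and that is what the sample tests. The C program below is an added example by the editor, not code from the sample: it performs the same two-read probe, takes the minimum over many repetitions, and applies a threshold. The threshold constant is an assumption, and on non-x86 builds a monotonic clock stands in for the cycle counter so the example still compiles.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* Same counter the sample reads: the 64-bit time-stamp counter. */
static uint64_t read_counter(void) { return __rdtsc(); }
#else
/* Non-x86 build (editor's substitute so the example still compiles):
   monotonic nanoseconds stand in for cycles; the threshold below assumes cycles. */
#include <time.h>
static uint64_t read_counter(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* One probe in the shape the interceptor reports:
   rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc  -> difference of the two reads.
   The two middle instructions are negligible work, so the delta measures only
   the cost of executing rdtsc itself, which is what a trapping hypervisor inflates. */
static uint64_t rdtsc_probe(void)
{
    uint64_t t0 = read_counter();
    volatile uint32_t scratch = 0;
    scratch += (uint32_t)t0;                  /* stands in for "xor ecx,ecx ; add ecx,eax" */
    uint64_t t1 = read_counter();
    return t1 >= t0 ? t1 - t0 : 0;            /* guard against a non-monotonic read */
}

/* Minimum over several probes, so a stray interrupt cannot inflate a single sample. */
static uint64_t min_rdtsc_delta(int rounds)
{
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < rounds; i++) {
        uint64_t d = rdtsc_probe();
        if (d < best) best = d;
    }
    return best;
}

/* The decision the sample makes: a delta above the threshold means "instrumented".
   The constant is the editor's assumption; each malware family picks its own. */
static int looks_instrumented(uint64_t delta, uint64_t threshold)
{
    return delta > threshold;
}
#define ASSUMED_THRESHOLD 500u

int main(void)
{
    uint64_t d = min_rdtsc_delta(1000);
    printf("min delta between back-to-back reads: %llu -> %s\n", (unsigned long long)d,
           looks_instrumented(d, ASSUMED_THRESHOLD) ? "instrumented / virtualized" : "native");
    return 0;
}
```

The check is only as good as the hypervisor's RDTSC handling: a VM that lets the guest execute rdtsc natively, or one that applies TSC offsetting, passes it, which is why sandboxes either configure the VM that way or patch the comparison. When stepping through such a sample, set a breakpoint after the second read rather than on the first, or the single-step itself trips the check.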
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\444890321.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00409A80 rdtsc 1_2_00409A80
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 5972 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WWAHost.exe TID: 5620 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00405E61 FindFirstFileA,FindClose, 0_2_00405E61
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_0040548B
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_0040263E FindFirstFileA, 0_2_0040263E
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\System32\TileDataRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\system32\Windows.StateRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\SYSTEM32\usermgrcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\System32\Windows.StateRepositoryPS.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\system32\StateRepository.Core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe File opened: C:\Windows\System32\usermgrproxy.dll
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.234236228.00000000088C3000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.230436336.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.232735858.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.254896595.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.233860627.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000004.00000000.255132392.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000004.00000000.230436336.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.230436336.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.232897500.000000000871F000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATAJ
Source: explorer.exe, 00000004.00000000.230436336.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\444890321.exe Process information queried: ProcessInformation Jump to behavior
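The virtual-machine strings above were found in explorer.exe's memory, where Windows itself keeps the enumerated device-instance IDs and the Hyper-V message resources; they show that the sandbox's virtual hardware is identifiable, not by themselves that the sample's code queries it. The following Python triage helper is added here and is not part of the Joe Sandbox report: it parses such strings into bus, device class, vendor and product and attributes each to a hypervisor. `SAMPLE_STRINGS` repeats a few of the report's lines plus one constructed non-VM control entry, and the `HYPERVISOR_MARKERS` table is an assumption to extend per environment.

```python
"""Triage memory-dump strings for hypervisor hardware artifacts.

Added example for this report, not Joe Sandbox code. SAMPLE_STRINGS is built
from a few of the report's explorer.exe strings plus one constructed control
line; device-instance IDs appear with '\\' separators (registry form) or with
'#' separators inside a \\\\?\\ device-interface path, and both are accepted."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Lower-cased substrings that identify a hypervisor's emulated hardware or its
# messages (assumption: the ones visible in this report plus two common others).
HYPERVISOR_MARKERS = {
    "VMware": ("ven_vmware", "necvmwar", "prod_vmware", "vmware"),
    "Hyper-V": ("hyper-v", "ven_msft&prod_virtual"),
    "VirtualBox": ("vbox", "virtualbox"),
    "QEMU/KVM": ("qemu",),
}

# BUS\Class&Ven_X&Prod_Y\instance   or   BUS#Class&Ven_X&Prod_Y#instance#{guid}
PNP_ID = re.compile(
    r"(?i)\b(?P<bus>scsi|ide|usb|pci|storage)[\\#]"
    r"(?P<fields>[^\\#]+)[\\#](?P<instance>[^\\#]+)"
)


@dataclass
class Artifact:
    kind: str                      # "device" (parsed PnP ID) or "message"
    hypervisor: Optional[str]
    bus: Optional[str] = None
    device_class: Optional[str] = None
    vendor: Optional[str] = None
    product: Optional[str] = None
    raw: str = ""


def hypervisor_of(text: str) -> Optional[str]:
    low = text.lower()
    for name, markers in HYPERVISOR_MARKERS.items():
        if any(m in low for m in markers):
            return name
    return None


def parse_device_ids(line: str) -> list:
    """Every device-instance ID in the line, with Ven_/Prod_ fields split out."""
    out = []
    for m in PNP_ID.finditer(line):
        fields = m.group("fields").split("&")
        vendor = product = None
        for f in fields[1:]:
            key, _, val = f.partition("_")
            if key.lower() == "ven":
                vendor = val
            elif key.lower() == "prod":
                product = val
        out.append(Artifact("device", hypervisor_of(m.group(0)), m.group("bus").upper(),
                            fields[0], vendor, product, m.group(0)))
    return out


def triage(lines) -> list:
    """Device IDs are parsed; other lines are kept only if they name a hypervisor."""
    artifacts = []
    for line in lines:
        devs = parse_device_ids(line)
        if devs:
            artifacts.extend(devs)
        else:
            hv = hypervisor_of(line)
            if hv:
                artifacts.append(Artifact("message", hv, raw=line.strip()))
    return artifacts


def summarize(artifacts) -> dict:
    """Count of attributed artifacts per hypervisor."""
    return dict(Counter(a.hypervisor for a in artifacts if a.hypervisor))


SAMPLE_STRINGS = [
    r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000",
    r"\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    r"\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    "A Virtual Machine could not be started because Hyper-V is not installed.",
    r"SCSI\Disk&Ven_Samsung&Prod_SSD_860_EVO\4&1a2b3c4d&0&000000",   # constructed control line
]

if __name__ == "__main__":
    found = triage(SAMPLE_STRINGS)
    for a in found:
        print(f"{a.kind:8} {str(a.hypervisor):10} {a.bus or '':8} {a.device_class or '':8} "
              f"{a.vendor or '':10} {a.product or ''}")
    print(summarize(found))
```

A run over the constructed list attributes four artifacts to VMware and Hyper-V and leaves the STORAGE volume path and the Samsung control line unattributed. Before crediting the sample with VM detection on this evidence, look for its own queries of this data (SetupDi*/registry/WMI calls, or string compares against these vendor names in the unpacked code) rather than strings that live in explorer.exe regardless of what is injected into it.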

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\444890321.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00409A80 rdtsc 1_2_00409A80
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0040ACC0 LdrLoadDll, 1_2_0040ACC0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405E88
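The rdtsc signature above and the fs:[30h] reads listed below are instruction-level findings: a timing check is rdtsc executed twice with the delta compared, and a PEB read is usually followed either by a fetch of BeingDebugged (offset 2) or of Ldr (offset 0Ch, the loader's module list that malware walks to resolve APIs without calling GetProcAddress). The following Python scanner is added here and is not part of the Joe Sandbox report: it sweeps a raw 32-bit code region for those encodings and labels the PEB reads by their follow-up instruction. `SAMPLE_CODE` and the 0x00400000 base address are hand-assembled for the example, not bytes taken from 444890321.exe.

```python
"""Static sweep of an x86 (32-bit) code region for the anti-analysis
primitives this report flags: rdtsc timing checks and fs:[30h] PEB reads.

Added example, not part of the Joe Sandbox report. SAMPLE_CODE is hand-
assembled to exercise the scanner; it is not bytes from 444890321.exe."""
import re
from dataclasses import dataclass

REG = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RDTSC = b"\x0f\x31"


def peb_read_patterns() -> dict:
    """Encodings of `mov r32, dword ptr fs:[30h]` mapped to the register index.

    0x64 is the FS segment override. A1 is `mov eax, moffs32`; the other
    registers use 8B /r with ModRM mod=00, rm=101 (disp32 only)."""
    pats = {b"\x64\xa1\x30\x00\x00\x00": 0}
    for idx in (1, 2, 3, 6, 7):                 # ecx, edx, ebx, esi, edi
        modrm = bytes([(idx << 3) | 0x05])
        pats[b"\x64\x8b" + modrm + b"\x30\x00\x00\x00"] = idx
    return pats


@dataclass
class Finding:
    va: int
    kind: str
    detail: str


def classify_peb_use(code: bytes, pos: int, reg: int) -> str:
    """Inspect the instruction right after the PEB read to say why the PEB
    was fetched. Only the two textbook follow-ups are recognised."""
    tail = code[pos:pos + 4]
    # movzx r32, byte ptr [reg+2]   (0F B6 /r, mod=01, disp8=2) -> PEB.BeingDebugged
    if (len(tail) >= 4 and tail[:2] == b"\x0f\xb6"
            and (tail[2] >> 6) == 1 and (tail[2] & 7) == reg and tail[3] == 0x02):
        return "then reads PEB.BeingDebugged (+2): debugger check"
    # mov r32, [reg+0Ch]            (8B /r, mod=01, disp8=0Ch) -> PEB.Ldr
    if (len(tail) >= 3 and tail[0] == 0x8b
            and (tail[1] >> 6) == 1 and (tail[1] & 7) == reg and tail[2] == 0x0c):
        return "then reads PEB.Ldr (+0Ch): module walk for manual API resolution"
    return "follow-up not classified"


def scan(code: bytes, base: int = 0, pair_window: int = 64) -> list:
    """Linear byte sweep, not a disassembler: fine for triage, but a hit inside
    data or straddling an instruction boundary is possible, so confirm each
    finding in a disassembler before reporting it."""
    findings = []
    rdtsc_at = [m.start() for m in re.finditer(re.escape(RDTSC), code)]
    for off in rdtsc_at:
        findings.append(Finding(base + off, "rdtsc", "read time-stamp counter"))
    # Two rdtsc close together, with the delta compared afterwards, is the
    # pattern behind the report's 'execution timing' signature.
    for a, b in zip(rdtsc_at, rdtsc_at[1:]):
        if b - a <= pair_window:
            findings.append(Finding(base + a, "rdtsc-timing-pair",
                                    f"second rdtsc {b - a} bytes later"))
    for pat, reg in peb_read_patterns().items():
        for m in re.finditer(re.escape(pat), code):
            detail = (f"mov {REG[reg]}, dword ptr fs:[30h]; "
                      + classify_peb_use(code, m.end(), reg))
            findings.append(Finding(base + m.start(), "peb-read", detail))
    findings.sort(key=lambda f: f.va)
    return findings


# Hand-assembled 32-bit fragment (constructed for this example):
SAMPLE_CODE = (
    b"\x55\x8b\xec"                     # push ebp; mov ebp, esp
    b"\x0f\x31"                         # rdtsc
    b"\x8b\xd8"                         # mov ebx, eax
    b"\x90\x90\x90"                     # nop; nop; nop
    b"\x0f\x31"                         # rdtsc
    b"\x2b\xc3"                         # sub eax, ebx
    b"\x3d\x00\x10\x00\x00"             # cmp eax, 1000h
    b"\x64\xa1\x30\x00\x00\x00"         # mov eax, dword ptr fs:[30h]
    b"\x0f\xb6\x40\x02"                 # movzx eax, byte ptr [eax+2]   (BeingDebugged)
    b"\x64\x8b\x0d\x30\x00\x00\x00"     # mov ecx, dword ptr fs:[30h]
    b"\x8b\x41\x0c"                     # mov eax, dword ptr [ecx+0Ch]  (PEB.Ldr)
    b"\xc3"                             # ret
)

if __name__ == "__main__":
    for f in scan(SAMPLE_CODE, base=0x00400000):   # base address is made up
        print(f"{f.va:08X}  {f.kind:18}  {f.detail}")
```

On the fragment the scanner reports two rdtsc hits and one timing pair, a PEB read through eax classified as a BeingDebugged check, and a PEB read through ecx classified as a PEB.Ldr fetch. Run it over the unpacked region of the injected process rather than the on-disk file: the report's fs:[30h] hits are all in the 1_2 (unpacked) stage, which is where FormBook's own code lives.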
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999080 mov eax, dword ptr fs:[00000030h] 1_2_00999080
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CF0BF mov ecx, dword ptr fs:[00000030h] 1_2_009CF0BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h] 1_2_009CF0BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CF0BF mov eax, dword ptr fs:[00000030h] 1_2_009CF0BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h] 1_2_00A13884
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A13884 mov eax, dword ptr fs:[00000030h] 1_2_00A13884
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D90AF mov eax, dword ptr fs:[00000030h] 1_2_009D90AF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C20A0 mov eax, dword ptr fs:[00000030h] 1_2_009C20A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2B8D0 mov eax, dword ptr fs:[00000030h] 1_2_00A2B8D0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009958EC mov eax, dword ptr fs:[00000030h] 1_2_009958EC
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h] 1_2_009940E1
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h] 1_2_009940E1
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009940E1 mov eax, dword ptr fs:[00000030h] 1_2_009940E1
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h] 1_2_009BB8E4
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB8E4 mov eax, dword ptr fs:[00000030h] 1_2_009BB8E4
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h] 1_2_009BA830
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h] 1_2_009BA830
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h] 1_2_009BA830
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA830 mov eax, dword ptr fs:[00000030h] 1_2_009BA830
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h] 1_2_009AB02A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h] 1_2_009AB02A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h] 1_2_009AB02A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AB02A mov eax, dword ptr fs:[00000030h] 1_2_009AB02A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C002D mov eax, dword ptr fs:[00000030h] 1_2_009C002D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h] 1_2_00A64015
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A64015 mov eax, dword ptr fs:[00000030h] 1_2_00A64015
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h] 1_2_00A17016
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h] 1_2_00A17016
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A17016 mov eax, dword ptr fs:[00000030h] 1_2_00A17016
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h] 1_2_009B0050
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B0050 mov eax, dword ptr fs:[00000030h] 1_2_009B0050
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A61074 mov eax, dword ptr fs:[00000030h] 1_2_00A61074
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52073 mov eax, dword ptr fs:[00000030h] 1_2_00A52073
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h] 1_2_00A549A4
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h] 1_2_00A549A4
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h] 1_2_00A549A4
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A549A4 mov eax, dword ptr fs:[00000030h] 1_2_00A549A4
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A169A6 mov eax, dword ptr fs:[00000030h] 1_2_00A169A6
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2990 mov eax, dword ptr fs:[00000030h] 1_2_009C2990
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CA185 mov eax, dword ptr fs:[00000030h] 1_2_009CA185
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BC182 mov eax, dword ptr fs:[00000030h] 1_2_009BC182
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h] 1_2_00A151BE
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h] 1_2_00A151BE
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h] 1_2_00A151BE
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A151BE mov eax, dword ptr fs:[00000030h] 1_2_00A151BE
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov ecx, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B99BF mov eax, dword ptr fs:[00000030h] 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h] 1_2_009C61A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C61A0 mov eax, dword ptr fs:[00000030h] 1_2_009C61A0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A241E8 mov eax, dword ptr fs:[00000030h] 1_2_00A241E8
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0099B1E1
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0099B1E1
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0099B1E1
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h] 1_2_00999100
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h] 1_2_00999100
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999100 mov eax, dword ptr fs:[00000030h] 1_2_00999100
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h] 1_2_009C513A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C513A mov eax, dword ptr fs:[00000030h] 1_2_009C513A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov eax, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B4120 mov ecx, dword ptr fs:[00000030h] 1_2_009B4120
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h] 1_2_009BB944
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB944 mov eax, dword ptr fs:[00000030h] 1_2_009BB944
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h] 1_2_0099B171
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099B171 mov eax, dword ptr fs:[00000030h] 1_2_0099B171
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099C962 mov eax, dword ptr fs:[00000030h] 1_2_0099C962
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h] 1_2_009CD294
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CD294 mov eax, dword ptr fs:[00000030h] 1_2_009CD294
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h] 1_2_009AAAB0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AAAB0 mov eax, dword ptr fs:[00000030h] 1_2_009AAAB0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CFAB0 mov eax, dword ptr fs:[00000030h] 1_2_009CFAB0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009952A5 mov eax, dword ptr fs:[00000030h] 1_2_009952A5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54AEF mov eax, dword ptr fs:[00000030h] 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2ACB mov eax, dword ptr fs:[00000030h] 1_2_009C2ACB
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2AE4 mov eax, dword ptr fs:[00000030h] 1_2_009C2AE4
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B3A1C mov eax, dword ptr fs:[00000030h] 1_2_009B3A1C
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00995210 mov ecx, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00995210 mov eax, dword ptr fs:[00000030h] 1_2_00995210
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h] 1_2_0099AA16
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099AA16 mov eax, dword ptr fs:[00000030h] 1_2_0099AA16
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A8A0A mov eax, dword ptr fs:[00000030h] 1_2_009A8A0A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h] 1_2_009D4A2C
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D4A2C mov eax, dword ptr fs:[00000030h] 1_2_009D4A2C
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA229 mov eax, dword ptr fs:[00000030h] 1_2_009BA229
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A5AA16
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5AA16 mov eax, dword ptr fs:[00000030h] 1_2_00A5AA16
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h] 1_2_00A4B260
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A4B260 mov eax, dword ptr fs:[00000030h] 1_2_00A4B260
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A68A62 mov eax, dword ptr fs:[00000030h] 1_2_00A68A62
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h] 1_2_00999240
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h] 1_2_00999240
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h] 1_2_00999240
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00999240 mov eax, dword ptr fs:[00000030h] 1_2_00999240
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D927A mov eax, dword ptr fs:[00000030h] 1_2_009D927A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5EA55 mov eax, dword ptr fs:[00000030h] 1_2_00A5EA55
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A24257 mov eax, dword ptr fs:[00000030h] 1_2_00A24257
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A65BA5 mov eax, dword ptr fs:[00000030h] 1_2_00A65BA5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2397 mov eax, dword ptr fs:[00000030h] 1_2_009C2397
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CB390 mov eax, dword ptr fs:[00000030h] 1_2_009CB390
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h] 1_2_009A1B8F
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A1B8F mov eax, dword ptr fs:[00000030h] 1_2_009A1B8F
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A4D380 mov ecx, dword ptr fs:[00000030h] 1_2_00A4D380
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5138A mov eax, dword ptr fs:[00000030h] 1_2_00A5138A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h] 1_2_009C4BAD
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h] 1_2_009C4BAD
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C4BAD mov eax, dword ptr fs:[00000030h] 1_2_009C4BAD
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A423E3 mov ecx, dword ptr fs:[00000030h] 1_2_00A423E3
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A423E3 mov ecx, dword ptr fs:[00000030h] 1_2_00A423E3
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A423E3 mov eax, dword ptr fs:[00000030h] 1_2_00A423E3
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h] 1_2_00A153CA
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A153CA mov eax, dword ptr fs:[00000030h] 1_2_00A153CA
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BDBE9 mov eax, dword ptr fs:[00000030h] 1_2_009BDBE9
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C03E2 mov eax, dword ptr fs:[00000030h] 1_2_009C03E2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BA309 mov eax, dword ptr fs:[00000030h] 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5131B mov eax, dword ptr fs:[00000030h] 1_2_00A5131B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099F358 mov eax, dword ptr fs:[00000030h] 1_2_0099F358
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099DB40 mov eax, dword ptr fs:[00000030h] 1_2_0099DB40
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h] 1_2_009C3B7A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C3B7A mov eax, dword ptr fs:[00000030h] 1_2_009C3B7A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099DB60 mov ecx, dword ptr fs:[00000030h] 1_2_0099DB60
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A68B58 mov eax, dword ptr fs:[00000030h] 1_2_00A68B58
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A849B mov eax, dword ptr fs:[00000030h] 1_2_009A849B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A54496 mov eax, dword ptr fs:[00000030h] 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A16CF0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A16CF0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16CF0 mov eax, dword ptr fs:[00000030h] 1_2_00A16CF0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A514FB mov eax, dword ptr fs:[00000030h] 1_2_00A514FB
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A68CD6 mov eax, dword ptr fs:[00000030h] 1_2_00A68CD6
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51C06 mov eax, dword ptr fs:[00000030h] 1_2_00A51C06
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h] 1_2_00A6740D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h] 1_2_00A6740D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A6740D mov eax, dword ptr fs:[00000030h] 1_2_00A6740D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h] 1_2_00A16C0A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h] 1_2_00A16C0A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h] 1_2_00A16C0A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16C0A mov eax, dword ptr fs:[00000030h] 1_2_00A16C0A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CBC2C mov eax, dword ptr fs:[00000030h] 1_2_009CBC2C
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CA44B mov eax, dword ptr fs:[00000030h] 1_2_009CA44B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CAC7B mov eax, dword ptr fs:[00000030h] 1_2_009CAC7B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB477 mov eax, dword ptr fs:[00000030h] 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h] 1_2_00A2C450
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2C450 mov eax, dword ptr fs:[00000030h] 1_2_00A2C450
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B746D mov eax, dword ptr fs:[00000030h] 1_2_009B746D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h] 1_2_009CFD9B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CFD9B mov eax, dword ptr fs:[00000030h] 1_2_009CFD9B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h] 1_2_00A605AC
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A605AC mov eax, dword ptr fs:[00000030h] 1_2_00A605AC
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00992D8A mov eax, dword ptr fs:[00000030h] 1_2_00992D8A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h] 1_2_009C2581
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h] 1_2_009C2581
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h] 1_2_009C2581
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C2581 mov eax, dword ptr fs:[00000030h] 1_2_009C2581
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h] 1_2_00A52D82
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h] 1_2_00A52D82
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h] 1_2_00A52D82
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h] 1_2_00A52D82
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h] 1_2_00A52D82
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h] 1_2_00A52D82
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A52D82 mov eax, dword ptr fs:[00000030h] 1_2_00A52D82
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h] 1_2_009C1DB5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h] 1_2_009C1DB5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C1DB5 mov eax, dword ptr fs:[00000030h] 1_2_009C1DB5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C35A1 mov eax, dword ptr fs:[00000030h] 1_2_009C35A1
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A5FDE2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A5FDE2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A5FDE2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5FDE2 mov eax, dword ptr fs:[00000030h] 1_2_00A5FDE2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A48DF1 mov eax, dword ptr fs:[00000030h] 1_2_00A48DF1
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16DC9 mov ecx, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A16DC9 mov eax, dword ptr fs:[00000030h] 1_2_00A16DC9
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h] 1_2_009AD5E0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AD5E0 mov eax, dword ptr fs:[00000030h] 1_2_009AD5E0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A68D34 mov eax, dword ptr fs:[00000030h] 1_2_00A68D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A1A537 mov eax, dword ptr fs:[00000030h] 1_2_00A1A537
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5E539 mov eax, dword ptr fs:[00000030h] 1_2_00A5E539
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h] 1_2_009C4D3B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h] 1_2_009C4D3B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C4D3B mov eax, dword ptr fs:[00000030h] 1_2_009C4D3B
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099AD30 mov eax, dword ptr fs:[00000030h] 1_2_0099AD30
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A3D34 mov eax, dword ptr fs:[00000030h] 1_2_009A3D34
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009B7D50 mov eax, dword ptr fs:[00000030h] 1_2_009B7D50
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D3D43 mov eax, dword ptr fs:[00000030h] 1_2_009D3D43
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A13540 mov eax, dword ptr fs:[00000030h] 1_2_00A13540
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A43D40 mov eax, dword ptr fs:[00000030h] 1_2_00A43D40
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h] 1_2_009BC577
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BC577 mov eax, dword ptr fs:[00000030h] 1_2_009BC577
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00A60EA5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00A60EA5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A60EA5 mov eax, dword ptr fs:[00000030h] 1_2_00A60EA5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A146A7 mov eax, dword ptr fs:[00000030h] 1_2_00A146A7
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2FE87 mov eax, dword ptr fs:[00000030h] 1_2_00A2FE87
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C36CC mov eax, dword ptr fs:[00000030h] 1_2_009C36CC
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D8EC7 mov eax, dword ptr fs:[00000030h] 1_2_009D8EC7
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A4FEC0 mov eax, dword ptr fs:[00000030h] 1_2_00A4FEC0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A68ED6 mov eax, dword ptr fs:[00000030h] 1_2_00A68ED6
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A76E2 mov eax, dword ptr fs:[00000030h] 1_2_009A76E2
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C16E0 mov ecx, dword ptr fs:[00000030h] 1_2_009C16E0
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h] 1_2_009CA61C
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CA61C mov eax, dword ptr fs:[00000030h] 1_2_009CA61C
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h] 1_2_0099C600
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h] 1_2_0099C600
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099C600 mov eax, dword ptr fs:[00000030h] 1_2_0099C600
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A4FE3F mov eax, dword ptr fs:[00000030h] 1_2_00A4FE3F
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009C8E00 mov eax, dword ptr fs:[00000030h] 1_2_009C8E00
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A51608 mov eax, dword ptr fs:[00000030h] 1_2_00A51608
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_0099E620 mov eax, dword ptr fs:[00000030h] 1_2_0099E620
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A7E41 mov eax, dword ptr fs:[00000030h] 1_2_009A7E41
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h] 1_2_00A5AE44
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A5AE44 mov eax, dword ptr fs:[00000030h] 1_2_00A5AE44
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BAE73 mov eax, dword ptr fs:[00000030h] 1_2_009BAE73
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A766D mov eax, dword ptr fs:[00000030h] 1_2_009A766D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009A8794 mov eax, dword ptr fs:[00000030h] 1_2_009A8794
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h] 1_2_00A17794
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h] 1_2_00A17794
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A17794 mov eax, dword ptr fs:[00000030h] 1_2_00A17794
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009D37F5 mov eax, dword ptr fs:[00000030h] 1_2_009D37F5
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BF716 mov eax, dword ptr fs:[00000030h] 1_2_009BF716
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h] 1_2_009CA70E
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CA70E mov eax, dword ptr fs:[00000030h] 1_2_009CA70E
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h] 1_2_009BB73D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009BB73D mov eax, dword ptr fs:[00000030h] 1_2_009BB73D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h] 1_2_00A6070D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A6070D mov eax, dword ptr fs:[00000030h] 1_2_00A6070D
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009CE730 mov eax, dword ptr fs:[00000030h] 1_2_009CE730
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A2FF10
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A2FF10 mov eax, dword ptr fs:[00000030h] 1_2_00A2FF10
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h] 1_2_00994F2E
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00994F2E mov eax, dword ptr fs:[00000030h] 1_2_00994F2E
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_00A68F6A mov eax, dword ptr fs:[00000030h] 1_2_00A68F6A
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AEF40 mov eax, dword ptr fs:[00000030h] 1_2_009AEF40
Source: C:\Users\user\Desktop\444890321.exe Code function: 1_2_009AFF60 mov eax, dword ptr fs:[00000030h] 1_2_009AFF60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h] 10_2_03E403E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h] 10_2_03E403E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h] 10_2_03E403E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h] 10_2_03E403E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h] 10_2_03E403E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E403E2 mov eax, dword ptr fs:[00000030h] 10_2_03E403E2
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3DBE9 mov eax, dword ptr fs:[00000030h] 10_2_03E3DBE9
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E953CA mov eax, dword ptr fs:[00000030h] 10_2_03E953CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E953CA mov eax, dword ptr fs:[00000030h] 10_2_03E953CA
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E44BAD mov eax, dword ptr fs:[00000030h] 10_2_03E44BAD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E44BAD mov eax, dword ptr fs:[00000030h] 10_2_03E44BAD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E44BAD mov eax, dword ptr fs:[00000030h] 10_2_03E44BAD
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE5BA5 mov eax, dword ptr fs:[00000030h] 10_2_03EE5BA5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ED138A mov eax, dword ptr fs:[00000030h] 10_2_03ED138A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ECD380 mov ecx, dword ptr fs:[00000030h] 10_2_03ECD380
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E21B8F mov eax, dword ptr fs:[00000030h] 10_2_03E21B8F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E21B8F mov eax, dword ptr fs:[00000030h] 10_2_03E21B8F
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E42397 mov eax, dword ptr fs:[00000030h] 10_2_03E42397
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E4B390 mov eax, dword ptr fs:[00000030h] 10_2_03E4B390
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1DB60 mov ecx, dword ptr fs:[00000030h] 10_2_03E1DB60
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E43B7A mov eax, dword ptr fs:[00000030h] 10_2_03E43B7A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E43B7A mov eax, dword ptr fs:[00000030h] 10_2_03E43B7A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1DB40 mov eax, dword ptr fs:[00000030h] 10_2_03E1DB40
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE8B58 mov eax, dword ptr fs:[00000030h] 10_2_03EE8B58
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1F358 mov eax, dword ptr fs:[00000030h] 10_2_03E1F358
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ED131B mov eax, dword ptr fs:[00000030h] 10_2_03ED131B
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E42AE4 mov eax, dword ptr fs:[00000030h] 10_2_03E42AE4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E42ACB mov eax, dword ptr fs:[00000030h] 10_2_03E42ACB
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h] 10_2_03E152A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h] 10_2_03E152A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h] 10_2_03E152A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h] 10_2_03E152A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E152A5 mov eax, dword ptr fs:[00000030h] 10_2_03E152A5
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E2AAB0 mov eax, dword ptr fs:[00000030h] 10_2_03E2AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E2AAB0 mov eax, dword ptr fs:[00000030h] 10_2_03E2AAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E4FAB0 mov eax, dword ptr fs:[00000030h] 10_2_03E4FAB0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E4D294 mov eax, dword ptr fs:[00000030h] 10_2_03E4D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E4D294 mov eax, dword ptr fs:[00000030h] 10_2_03E4D294
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ECB260 mov eax, dword ptr fs:[00000030h] 10_2_03ECB260
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ECB260 mov eax, dword ptr fs:[00000030h] 10_2_03ECB260
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EE8A62 mov eax, dword ptr fs:[00000030h] 10_2_03EE8A62
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E5927A mov eax, dword ptr fs:[00000030h] 10_2_03E5927A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E19240 mov eax, dword ptr fs:[00000030h] 10_2_03E19240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E19240 mov eax, dword ptr fs:[00000030h] 10_2_03E19240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E19240 mov eax, dword ptr fs:[00000030h] 10_2_03E19240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E19240 mov eax, dword ptr fs:[00000030h] 10_2_03E19240
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EDEA55 mov eax, dword ptr fs:[00000030h] 10_2_03EDEA55
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EA4257 mov eax, dword ptr fs:[00000030h] 10_2_03EA4257
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E54A2C mov eax, dword ptr fs:[00000030h] 10_2_03E54A2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E54A2C mov eax, dword ptr fs:[00000030h] 10_2_03E54A2C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h] 10_2_03E3A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h] 10_2_03E3A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h] 10_2_03E3A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h] 10_2_03E3A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h] 10_2_03E3A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h] 10_2_03E3A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h] 10_2_03E3A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h] 10_2_03E3A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3A229 mov eax, dword ptr fs:[00000030h] 10_2_03E3A229
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E28A0A mov eax, dword ptr fs:[00000030h] 10_2_03E28A0A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E15210 mov eax, dword ptr fs:[00000030h] 10_2_03E15210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E15210 mov ecx, dword ptr fs:[00000030h] 10_2_03E15210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E15210 mov eax, dword ptr fs:[00000030h] 10_2_03E15210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E15210 mov eax, dword ptr fs:[00000030h] 10_2_03E15210
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1AA16 mov eax, dword ptr fs:[00000030h] 10_2_03E1AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1AA16 mov eax, dword ptr fs:[00000030h] 10_2_03E1AA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EDAA16 mov eax, dword ptr fs:[00000030h] 10_2_03EDAA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EDAA16 mov eax, dword ptr fs:[00000030h] 10_2_03EDAA16
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E33A1C mov eax, dword ptr fs:[00000030h] 10_2_03E33A1C
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1B1E1 mov eax, dword ptr fs:[00000030h] 10_2_03E1B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1B1E1 mov eax, dword ptr fs:[00000030h] 10_2_03E1B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1B1E1 mov eax, dword ptr fs:[00000030h] 10_2_03E1B1E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EA41E8 mov eax, dword ptr fs:[00000030h] 10_2_03EA41E8
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E461A0 mov eax, dword ptr fs:[00000030h] 10_2_03E461A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E461A0 mov eax, dword ptr fs:[00000030h] 10_2_03E461A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ED49A4 mov eax, dword ptr fs:[00000030h] 10_2_03ED49A4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ED49A4 mov eax, dword ptr fs:[00000030h] 10_2_03ED49A4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ED49A4 mov eax, dword ptr fs:[00000030h] 10_2_03ED49A4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03ED49A4 mov eax, dword ptr fs:[00000030h] 10_2_03ED49A4
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E969A6 mov eax, dword ptr fs:[00000030h] 10_2_03E969A6
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E951BE mov eax, dword ptr fs:[00000030h] 10_2_03E951BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E951BE mov eax, dword ptr fs:[00000030h] 10_2_03E951BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E951BE mov eax, dword ptr fs:[00000030h] 10_2_03E951BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E951BE mov eax, dword ptr fs:[00000030h] 10_2_03E951BE
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3C182 mov eax, dword ptr fs:[00000030h] 10_2_03E3C182
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E4A185 mov eax, dword ptr fs:[00000030h] 10_2_03E4A185
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E42990 mov eax, dword ptr fs:[00000030h] 10_2_03E42990
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1C962 mov eax, dword ptr fs:[00000030h] 10_2_03E1C962
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1B171 mov eax, dword ptr fs:[00000030h] 10_2_03E1B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E1B171 mov eax, dword ptr fs:[00000030h] 10_2_03E1B171
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3B944 mov eax, dword ptr fs:[00000030h] 10_2_03E3B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E3B944 mov eax, dword ptr fs:[00000030h] 10_2_03E3B944
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E34120 mov eax, dword ptr fs:[00000030h] 10_2_03E34120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E34120 mov eax, dword ptr fs:[00000030h] 10_2_03E34120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E34120 mov eax, dword ptr fs:[00000030h] 10_2_03E34120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E34120 mov eax, dword ptr fs:[00000030h] 10_2_03E34120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E34120 mov ecx, dword ptr fs:[00000030h] 10_2_03E34120
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E4513A mov eax, dword ptr fs:[00000030h] 10_2_03E4513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E4513A mov eax, dword ptr fs:[00000030h] 10_2_03E4513A
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E19100 mov eax, dword ptr fs:[00000030h] 10_2_03E19100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E19100 mov eax, dword ptr fs:[00000030h] 10_2_03E19100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E19100 mov eax, dword ptr fs:[00000030h] 10_2_03E19100
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E140E1 mov eax, dword ptr fs:[00000030h] 10_2_03E140E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E140E1 mov eax, dword ptr fs:[00000030h] 10_2_03E140E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E140E1 mov eax, dword ptr fs:[00000030h] 10_2_03E140E1
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E158EC mov eax, dword ptr fs:[00000030h] 10_2_03E158EC
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h] 10_2_03EAB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EAB8D0 mov ecx, dword ptr fs:[00000030h] 10_2_03EAB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h] 10_2_03EAB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h] 10_2_03EAB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h] 10_2_03EAB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03EAB8D0 mov eax, dword ptr fs:[00000030h] 10_2_03EAB8D0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E420A0 mov eax, dword ptr fs:[00000030h] 10_2_03E420A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E420A0 mov eax, dword ptr fs:[00000030h] 10_2_03E420A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E420A0 mov eax, dword ptr fs:[00000030h] 10_2_03E420A0
Source: C:\Windows\SysWOW64\WWAHost.exe Code function: 10_2_03E420A0 mov eax, dword ptr fs:[00000030h] 10_2_03E420A0
Enables debug privileges
Source: C:\Users\user\Desktop\444890321.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\WWAHost.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 35.169.40.107 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.mekarauroko7389.com
Source: C:\Windows\explorer.exe Domain query: www.oklahomasundayschool.com
Source: C:\Windows\explorer.exe Network Connect: 199.59.242.153 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 163.44.239.72 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.shamushalkowich.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\444890321.exe Section loaded: unknown target: C:\Users\user\Desktop\444890321.exe protection: execute and read and write
Source: C:\Users\user\Desktop\444890321.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\444890321.exe Section loaded: unknown target: C:\Windows\System32\backgroundTaskHost.exe protection: execute and read and write
Source: C:\Users\user\Desktop\444890321.exe Section loaded: unknown target: C:\Windows\System32\backgroundTaskHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\WWAHost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\444890321.exe Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\WWAHost.exe Thread register set: target process: 3388
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\444890321.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\444890321.exe Section unmapped: C:\Windows\System32\backgroundTaskHost.exe base address: A30000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\444890321.exe Process created: C:\Users\user\Desktop\444890321.exe 'C:\Users\user\Desktop\444890321.exe'
Source: C:\Windows\SysWOW64\WWAHost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\444890321.exe'
Source: explorer.exe, 00000004.00000000.215576974.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000004.00000000.215844960.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.472475721.0000000005080000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.215844960.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.472475721.0000000005080000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.215844960.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.472475721.0000000005080000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.215844960.0000000001980000.00000002.00000001.sdmp, WWAHost.exe, 0000000A.00000002.472475721.0000000005080000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\444890321.exe Code function: 0_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405B88

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE