Windows Analysis Report mvui1vY6Mo

Overview

General Information

Sample Name: mvui1vY6Mo (renamed file extension from none to exe)
Analysis ID: 458944
MD5: 059b1244ac9fda54de086692db4b5a08
SHA1: 6e5f6326bd9da7e5d9c70b3e4491d308eb7f842b
SHA256: abb29be2c1eccd851bdb99b126e822a8cf0f57be95e9b71a921aa703b2c285be
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.ejsuniqueclasses.com/ehp9/"], "decoy": ["kebao100.com", "telco360.com", "gilleyaviation.com", "thedangleman.com", "kmpetersonphoto.com", "bykjsz.com", "comparaca.com", "wlalumsforantiracism.com", "razerzonr.com", "856380062.xyz", "cubesoftwaresolution.com", "atokastore.com", "joinlashedbyjamie.com", "azcorra.com", "lilys-galaxy.com", "wheretheresaytheresaway.com", "avantix-colts.com", "pornsitehub.com", "jagoviral.com", "loansforgiven.com", "bainrix.com", "jesuschrist.care", "gunvue.com", "ijajs.com", "gee825.com", "runninghogfarm.com", "zotaac-ee.com", "secretholeagency.com", "maakapforgoodhealth.com", "lovebodystyles.com", "macrovigilance.com", "attractanygirl.com", "ingawellinc.com", "bet365q8.com", "globalmillionairessclub.com", "marcellaandann.com", "cmnkt-byem.xyz", "wolfzoom.net", "laura-claim.com", "tunnurl.com", "twinedinmagic.com", "libertybaptistchurchmedia.com", "pureembryo.com", "ssdigitaltirunelveli.com", "skiphirescunthorpe.com", "displashop.com", "whitebylole.com", "eggplantreport.com", "rje3.net", "healthpragency.com", "dxdoors.com", "blissbunnyworld.com", "ifn.xyz", "nationalurc.info", "designcumbriauk.com", "sonchirraiyya.com", "466se.com", "bombayy.com", "mairaalves.art", "nazarppe.com", "smokinskiing.com", "redwhitescrewed.com", "quantumnepal.codes", "circusocks.com"]}
Multi AV Scanner detection for submitted file
Source: mvui1vY6Mo.exe Virustotal: Detection: 58%
Source: mvui1vY6Mo.exe ReversingLabs: Detection: 60%
Yara detected FormBook
Source: Yara match File source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: mvui1vY6Mo.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: mvui1vY6Mo.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: mvui1vY6Mo.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: mvui1vY6Mo.exe, 00000002.00000002.746740818.0000000003890000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.708388219.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: C:\xampp\htdocs\Cryptor\0238f0732c6a40e5a54bccb37ef03c58\Loader\Project1\Release\Project1.pdb source: mvui1vY6Mo.exe
Source: Binary string: cmmon32.pdbGCTL source: mvui1vY6Mo.exe, 00000002.00000002.746740818.0000000003890000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: mvui1vY6Mo.exe, 00000000.00000003.655268474.0000000003240000.00000004.00000001.sdmp, mvui1vY6Mo.exe, 00000002.00000002.745274685.0000000001810000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915794120.0000000004810000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: mvui1vY6Mo.exe, cmmon32.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.708388219.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F431C FindFirstFileExW, 0_2_002F431C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_002F431C FindFirstFileExW, 2_2_002F431C

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 4x nop then pop esi 2_2_00415848
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 4x nop then pop ebx 2_2_00406AC2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 4x nop then pop ebx 2_2_00406AA2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop esi 11_2_008B5848
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop ebx 11_2_008A6AA2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop ebx 11_2_008A6AC2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49747 -> 164.68.104.58:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49747 -> 164.68.104.58:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49747 -> 164.68.104.58:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.ejsuniqueclasses.com/ehp9/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.856380062.xyz
Source: C:\Windows\SysWOW64\cmmon32.exe DNS query: www.856380062.xyz
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ehp9/?zZbXur=fPkLdxO&0vrPA=8c/5QoMWiMUW3SjDqDOgvqNfypt6IHckOwJjeT/c3u4BTCnBI4ecsnyb0a1UBRXLCY1T HTTP/1.1 | Host: www.ejsuniqueclasses.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /ehp9/?0vrPA=5Xsjz7+Z5WLh89j81EYl3Aroso+z/qN2CpRl0IKGrQQKTktOwLuaqldWAZoOLzUBzR5Q&zZbXur=fPkLdxO HTTP/1.1 | Host: www.healthpragency.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /ehp9/?zZbXur=fPkLdxO&0vrPA=oRr9ZXza/sqKFb1a4cLVquMpSAfNXH/ZGOEKtA079HuOHtafooLLPyAXrAQLja/+16Ky HTTP/1.1 | Host: www.circusocks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /ehp9/?0vrPA=UsPTfcJ0BZ5q3mR+pFMXthX3126RUWmODdEpc4rh++F4qt19VniXLc7dOQb8qNRTbKnv&zZbXur=fPkLdxO HTTP/1.1 | Host: www.466se.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 52.58.78.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: ILIGHT-NETUS
Source: unknown DNS traffic detected: queries for: www.ejsuniqueclasses.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.18.0 | Date: Tue, 03 Aug 2021 20:19:35 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 196 | Connection: close | X-XSS-Protection: 1; mode=block | X-Content-Type-Options: nosniff | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.663579400.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: cmmon32.exe, 0000000B.00000002.915247011.0000000000C60000.00000004.00000020.sdmp String found in binary or memory: http://www.856380062.xyz/ehp9/?zZbXur=fPkLdxO&0vrPA=sBJ6lOoTYYoNcaluCGHxKraeNDG0llcp1STurr5zu7Kck/pV
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_004181D0 NtCreateFile, 2_2_004181D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00418280 NtReadFile, 2_2_00418280
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00418300 NtClose, 2_2_00418300
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_004183B0 NtAllocateVirtualMemory, 2_2_004183B0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_004183AB NtAllocateVirtualMemory, 2_2_004183AB
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018799A0 NtCreateSection,LdrInitializeThunk, 2_2_018799A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018795D0 NtClose,LdrInitializeThunk, 2_2_018795D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_01879910
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879540 NtReadFile,LdrInitializeThunk, 2_2_01879540
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018798F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_018798F0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879840 NtDelayExecution,LdrInitializeThunk, 2_2_01879840
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_01879860
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879780 NtMapViewOfSection,LdrInitializeThunk, 2_2_01879780
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018797A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_018797A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879FE0 NtCreateMutant,LdrInitializeThunk, 2_2_01879FE0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879710 NtQueryInformationToken,LdrInitializeThunk, 2_2_01879710
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018796E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_018796E0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_01879A00
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879A20 NtResumeThread,LdrInitializeThunk, 2_2_01879A20
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879A50 NtCreateFile,LdrInitializeThunk, 2_2_01879A50
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_01879660
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018799D0 NtCreateProcessEx, 2_2_018799D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018795F0 NtQueryInformationFile, 2_2_018795F0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879520 NtWaitForSingleObject, 2_2_01879520
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0187AD30 NtSetContextThread, 2_2_0187AD30
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879950 NtQueueApcThread, 2_2_01879950
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879560 NtWriteFile, 2_2_01879560
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018798A0 NtWriteVirtualMemory, 2_2_018798A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879820 NtEnumerateKey, 2_2_01879820
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0187B040 NtSuspendThread, 2_2_0187B040
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0187A3B0 NtGetContextThread, 2_2_0187A3B0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879B00 NtSetValueKey, 2_2_01879B00
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0187A710 NtOpenProcessToken, 2_2_0187A710
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879730 NtQueryVirtualMemory, 2_2_01879730
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879760 NtOpenProcess, 2_2_01879760
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879770 NtSetInformationFile, 2_2_01879770
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0187A770 NtOpenThread, 2_2_0187A770
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879A80 NtOpenDirectoryObject, 2_2_01879A80
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018796D0 NtCreateKey, 2_2_018796D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879610 NtEnumerateValueKey, 2_2_01879610
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879A10 NtQuerySection, 2_2_01879A10
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879650 NtQueryValueKey, 2_2_01879650
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01879670 NtQueryInformationProcess, 2_2_01879670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048795D0 NtClose,LdrInitializeThunk, 11_2_048795D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879540 NtReadFile,LdrInitializeThunk, 11_2_04879540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048796D0 NtCreateKey,LdrInitializeThunk, 11_2_048796D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048796E0 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_048796E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879650 NtQueryValueKey,LdrInitializeThunk, 11_2_04879650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879660 NtAllocateVirtualMemory,LdrInitializeThunk, 11_2_04879660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879780 NtMapViewOfSection,LdrInitializeThunk, 11_2_04879780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879FE0 NtCreateMutant,LdrInitializeThunk, 11_2_04879FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879710 NtQueryInformationToken,LdrInitializeThunk, 11_2_04879710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879840 NtDelayExecution,LdrInitializeThunk, 11_2_04879840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879860 NtQuerySystemInformation,LdrInitializeThunk, 11_2_04879860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048799A0 NtCreateSection,LdrInitializeThunk, 11_2_048799A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879910 NtAdjustPrivilegesToken,LdrInitializeThunk, 11_2_04879910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879A50 NtCreateFile,LdrInitializeThunk, 11_2_04879A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048795F0 NtQueryInformationFile, 11_2_048795F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879520 NtWaitForSingleObject, 11_2_04879520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0487AD30 NtSetContextThread, 11_2_0487AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879560 NtWriteFile, 11_2_04879560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879610 NtEnumerateValueKey, 11_2_04879610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879670 NtQueryInformationProcess, 11_2_04879670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048797A0 NtUnmapViewOfSection, 11_2_048797A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0487A710 NtOpenProcessToken, 11_2_0487A710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879730 NtQueryVirtualMemory, 11_2_04879730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879760 NtOpenProcess, 11_2_04879760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0487A770 NtOpenThread, 11_2_0487A770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879770 NtSetInformationFile, 11_2_04879770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048798A0 NtWriteVirtualMemory, 11_2_048798A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048798F0 NtReadVirtualMemory, 11_2_048798F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879820 NtEnumerateKey, 11_2_04879820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0487B040 NtSuspendThread, 11_2_0487B040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048799D0 NtCreateProcessEx, 11_2_048799D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879950 NtQueueApcThread, 11_2_04879950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879A80 NtOpenDirectoryObject, 11_2_04879A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879A00 NtProtectVirtualMemory, 11_2_04879A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879A10 NtQuerySection, 11_2_04879A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879A20 NtResumeThread, 11_2_04879A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0487A3B0 NtGetContextThread, 11_2_0487A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04879B00 NtSetValueKey, 11_2_04879B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008B81D0 NtCreateFile, 11_2_008B81D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008B8280 NtReadFile, 11_2_008B8280
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008B83B0 NtAllocateVirtualMemory, 11_2_008B83B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008B8300 NtClose, 11_2_008B8300
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008B83AB NtAllocateVirtualMemory, 11_2_008B83AB
Detected potential crypto function
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_00304C25 0_2_00304C25
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F9B35 0_2_002F9B35
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_002F9B35 2_2_002F9B35
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00401027 2_2_00401027
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00408C6D 2_2_00408C6D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00408C70 2_2_00408C70
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041C497 2_2_0041C497
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041B4B3 2_2_0041B4B3
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041C506 2_2_0041C506
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041BE70 2_2_0041BE70
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041BE00 2_2_0041BE00
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041C771 2_2_0041C771
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041BF09 2_2_0041BF09
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01862581 2_2_01862581
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_019025DD 2_2_019025DD
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184D5E0 2_2_0184D5E0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183F900 2_2_0183F900
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01902D07 2_2_01902D07
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01830D20 2_2_01830D20
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01854120 2_2_01854120
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01901D55 2_2_01901D55
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184B090 2_2_0184B090
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018620A0 2_2_018620A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_019020A8 2_2_019020A8
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_019028EC 2_2_019028EC
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1002 2_2_018F1002
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184841F 2_2_0184841F
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186EBB0 2_2_0186EBB0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018FDBD2 2_2_018FDBD2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01901FF1 2_2_01901FF1
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01902B28 2_2_01902B28
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_019022AE 2_2_019022AE
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01902EF7 2_2_01902EF7
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01856E30 2_2_01856E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484841F 11_2_0484841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048FD466 11_2_048FD466
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04862581 11_2_04862581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_049025DD 11_2_049025DD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484D5E0 11_2_0484D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04902D07 11_2_04902D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04830D20 11_2_04830D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04901D55 11_2_04901D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04902EF7 11_2_04902EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04856E30 11_2_04856E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04901FF1 11_2_04901FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484B090 11_2_0484B090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048620A0 11_2_048620A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_049020A8 11_2_049020A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_049028EC 11_2_049028EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1002 11_2_048F1002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0483F900 11_2_0483F900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04854120 11_2_04854120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_049022AE 11_2_049022AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486EBB0 11_2_0486EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048FDBD2 11_2_048FDBD2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04902B28 11_2_04902B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BC497 11_2_008BC497
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BB4B3 11_2_008BB4B3
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008A8C6D 11_2_008A8C6D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008A8C70 11_2_008A8C70
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008A2D87 11_2_008A2D87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008A2D90 11_2_008A2D90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BC506 11_2_008BC506
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BBEF9 11_2_008BBEF9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BBE00 11_2_008BBE00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008A2FB0 11_2_008A2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BC771 11_2_008BC771
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: String function: 0183B150 appears 35 times
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: String function: 002F17D0 appears 46 times
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: String function: 002F4F91 appears 36 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 0483B150 appears 35 times
Sample file is different than original file name gathered from version info
Source: mvui1vY6Mo.exe, 00000000.00000003.651762525.00000000031C6000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mvui1vY6Mo.exe
Source: mvui1vY6Mo.exe, 00000002.00000002.746750846.0000000003899000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMMON32.exe` vs mvui1vY6Mo.exe
Source: mvui1vY6Mo.exe, 00000002.00000002.745559030.000000000192F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mvui1vY6Mo.exe
Uses 32bit PE files
Source: mvui1vY6Mo.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/0@7/5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_01
Source: mvui1vY6Mo.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: mvui1vY6Mo.exe Virustotal: Detection: 58%
Source: mvui1vY6Mo.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe File read: C:\Users\user\Desktop\mvui1vY6Mo.exe
Source: unknown Process created: C:\Users\user\Desktop\mvui1vY6Mo.exe 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Process created: C:\Users\user\Desktop\mvui1vY6Mo.exe 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Process created: C:\Users\user\Desktop\mvui1vY6Mo.exe 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: mvui1vY6Mo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mvui1vY6Mo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mvui1vY6Mo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mvui1vY6Mo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mvui1vY6Mo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mvui1vY6Mo.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: mvui1vY6Mo.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: mvui1vY6Mo.exe, 00000002.00000002.746740818.0000000003890000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.708388219.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: C:\xampp\htdocs\Cryptor\0238f0732c6a40e5a54bccb37ef03c58\Loader\Project1\Release\Project1.pdb source: mvui1vY6Mo.exe
Source: Binary string: cmmon32.pdbGCTL source: mvui1vY6Mo.exe, 00000002.00000002.746740818.0000000003890000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: mvui1vY6Mo.exe, 00000000.00000003.655268474.0000000003240000.00000004.00000001.sdmp, mvui1vY6Mo.exe, 00000002.00000002.745274685.0000000001810000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915794120.0000000004810000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: mvui1vY6Mo.exe, cmmon32.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.708388219.0000000005A00000.00000002.00000001.sdmp
Source: mvui1vY6Mo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mvui1vY6Mo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mvui1vY6Mo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mvui1vY6Mo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mvui1vY6Mo.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F1816 push ecx; ret 0_2_002F1829
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_002F1816 push ecx; ret 2_2_002F1829
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041B3C5 push eax; ret 2_2_0041B418
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041B47C push eax; ret 2_2_0041B482
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041B412 push eax; ret 2_2_0041B418
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0041B41B push eax; ret 2_2_0041B482
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00414E34 push eax; iretd 2_2_00414E36
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00414F6B push ebp; retf 2_2_00414F6C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0188D0D1 push ecx; ret 2_2_0188D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0488D0D1 push ecx; ret 11_2_0488D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BB3C5 push eax; ret 11_2_008BB418
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BB41B push eax; ret 11_2_008BB482
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BB412 push eax; ret 11_2_008BB418
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008BB47C push eax; ret 11_2_008BB482
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008B4E34 push eax; iretd 11_2_008B4E36
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_008B4F6B push ebp; retf 11_2_008B4F6C
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000008A85F4 second address: 00000000008A85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000008A898E second address: 00000000008A8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_004088C0 rdtsc 2_2_004088C0
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6392 Thread sleep time: -32000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F431C FindFirstFileExW, 0_2_002F431C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_002F431C FindFirstFileExW, 2_2_002F431C
Source: explorer.exe, 00000004.00000000.704668581.0000000004710000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.689957122.000000000FD60000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.674578676.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.680786469.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.675830821.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmmon32.exe, 0000000B.00000002.915231564.0000000000C47000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.680948462.000000000A716000.00000004.00000001.sdmp Binary or memory string: 0ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
Source: explorer.exe, 00000004.00000000.671975391.0000000004755000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.674578676.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.680948462.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.674578676.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.681026627.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000004.00000000.674578676.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_004088C0 rdtsc 2_2_004088C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_00409B30 LdrLoadDll, 2_2_00409B30
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F3D62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_002F3D62
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_00304C25 mov eax, dword ptr fs:[00000030h] 0_2_00304C25
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F2E0B mov eax, dword ptr fs:[00000030h] 0_2_002F2E0B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_011306DA mov eax, dword ptr fs:[00000030h] 0_2_011306DA
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_0113099F mov eax, dword ptr fs:[00000030h] 0_2_0113099F
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_011309DE mov eax, dword ptr fs:[00000030h] 0_2_011309DE
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_011308EE mov eax, dword ptr fs:[00000030h] 0_2_011308EE
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_01130A1C mov eax, dword ptr fs:[00000030h] 0_2_01130A1C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_002F2E0B mov eax, dword ptr fs:[00000030h] 2_2_002F2E0B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186A185 mov eax, dword ptr fs:[00000030h] 2_2_0186A185
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185C182 mov eax, dword ptr fs:[00000030h] 2_2_0185C182
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01862581 mov eax, dword ptr fs:[00000030h] 2_2_01862581
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01832D8A mov eax, dword ptr fs:[00000030h] 2_2_01832D8A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01862990 mov eax, dword ptr fs:[00000030h] 2_2_01862990
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186FD9B mov eax, dword ptr fs:[00000030h] 2_2_0186FD9B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018661A0 mov eax, dword ptr fs:[00000030h] 2_2_018661A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018635A1 mov eax, dword ptr fs:[00000030h] 2_2_018635A1
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B69A6 mov eax, dword ptr fs:[00000030h] 2_2_018B69A6
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01861DB5 mov eax, dword ptr fs:[00000030h] 2_2_01861DB5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B51BE mov eax, dword ptr fs:[00000030h] 2_2_018B51BE
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_019005AC mov eax, dword ptr fs:[00000030h] 2_2_019005AC
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_018B6DC9
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_018B6DC9
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_018B6DC9
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6DC9 mov ecx, dword ptr fs:[00000030h] 2_2_018B6DC9
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_018B6DC9
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h] 2_2_018B6DC9
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0183B1E1
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0183B1E1
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0183B1E1
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018C41E8 mov eax, dword ptr fs:[00000030h] 2_2_018C41E8
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0184D5E0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0184D5E0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_018FFDE2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_018FFDE2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_018FFDE2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018FFDE2 mov eax, dword ptr fs:[00000030h] 2_2_018FFDE2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018E8DF1 mov eax, dword ptr fs:[00000030h] 2_2_018E8DF1
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01839100 mov eax, dword ptr fs:[00000030h] 2_2_01839100
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01839100 mov eax, dword ptr fs:[00000030h] 2_2_01839100
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01839100 mov eax, dword ptr fs:[00000030h] 2_2_01839100
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01908D34 mov eax, dword ptr fs:[00000030h] 2_2_01908D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01854120 mov eax, dword ptr fs:[00000030h] 2_2_01854120
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01854120 mov eax, dword ptr fs:[00000030h] 2_2_01854120
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01854120 mov eax, dword ptr fs:[00000030h] 2_2_01854120
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01854120 mov eax, dword ptr fs:[00000030h] 2_2_01854120
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01854120 mov ecx, dword ptr fs:[00000030h] 2_2_01854120
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h] 2_2_01843D34
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183AD30 mov eax, dword ptr fs:[00000030h] 2_2_0183AD30
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018FE539 mov eax, dword ptr fs:[00000030h] 2_2_018FE539
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186513A mov eax, dword ptr fs:[00000030h] 2_2_0186513A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186513A mov eax, dword ptr fs:[00000030h] 2_2_0186513A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018BA537 mov eax, dword ptr fs:[00000030h] 2_2_018BA537
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01864D3B mov eax, dword ptr fs:[00000030h] 2_2_01864D3B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01864D3B mov eax, dword ptr fs:[00000030h] 2_2_01864D3B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01864D3B mov eax, dword ptr fs:[00000030h] 2_2_01864D3B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185B944 mov eax, dword ptr fs:[00000030h] 2_2_0185B944
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185B944 mov eax, dword ptr fs:[00000030h] 2_2_0185B944
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01873D43 mov eax, dword ptr fs:[00000030h] 2_2_01873D43
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B3540 mov eax, dword ptr fs:[00000030h] 2_2_018B3540
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01857D50 mov eax, dword ptr fs:[00000030h] 2_2_01857D50
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183C962 mov eax, dword ptr fs:[00000030h] 2_2_0183C962
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183B171 mov eax, dword ptr fs:[00000030h] 2_2_0183B171
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183B171 mov eax, dword ptr fs:[00000030h] 2_2_0183B171
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185C577 mov eax, dword ptr fs:[00000030h] 2_2_0185C577
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185C577 mov eax, dword ptr fs:[00000030h] 2_2_0185C577
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01839080 mov eax, dword ptr fs:[00000030h] 2_2_01839080
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B3884 mov eax, dword ptr fs:[00000030h] 2_2_018B3884
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B3884 mov eax, dword ptr fs:[00000030h] 2_2_018B3884
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184849B mov eax, dword ptr fs:[00000030h] 2_2_0184849B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h] 2_2_018620A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h] 2_2_018620A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h] 2_2_018620A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h] 2_2_018620A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h] 2_2_018620A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h] 2_2_018620A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018790AF mov eax, dword ptr fs:[00000030h] 2_2_018790AF
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0186F0BF
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186F0BF mov eax, dword ptr fs:[00000030h] 2_2_0186F0BF
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186F0BF mov eax, dword ptr fs:[00000030h] 2_2_0186F0BF
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01908CD6 mov eax, dword ptr fs:[00000030h] 2_2_01908CD6
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_018CB8D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CB8D0 mov ecx, dword ptr fs:[00000030h] 2_2_018CB8D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_018CB8D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_018CB8D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_018CB8D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h] 2_2_018CB8D0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018358EC mov eax, dword ptr fs:[00000030h] 2_2_018358EC
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F14FB mov eax, dword ptr fs:[00000030h] 2_2_018F14FB
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_018B6CF0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_018B6CF0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6CF0 mov eax, dword ptr fs:[00000030h] 2_2_018B6CF0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6C0A mov eax, dword ptr fs:[00000030h] 2_2_018B6C0A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6C0A mov eax, dword ptr fs:[00000030h] 2_2_018B6C0A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6C0A mov eax, dword ptr fs:[00000030h] 2_2_018B6C0A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B6C0A mov eax, dword ptr fs:[00000030h] 2_2_018B6C0A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01904015 mov eax, dword ptr fs:[00000030h] 2_2_01904015
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01904015 mov eax, dword ptr fs:[00000030h] 2_2_01904015
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h] 2_2_018F1C06
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B7016 mov eax, dword ptr fs:[00000030h] 2_2_018B7016
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B7016 mov eax, dword ptr fs:[00000030h] 2_2_018B7016
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B7016 mov eax, dword ptr fs:[00000030h] 2_2_018B7016
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0190740D mov eax, dword ptr fs:[00000030h] 2_2_0190740D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0190740D mov eax, dword ptr fs:[00000030h] 2_2_0190740D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0190740D mov eax, dword ptr fs:[00000030h] 2_2_0190740D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186BC2C mov eax, dword ptr fs:[00000030h] 2_2_0186BC2C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h] 2_2_0186002D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h] 2_2_0186002D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h] 2_2_0186002D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h] 2_2_0186002D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h] 2_2_0186002D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184B02A mov eax, dword ptr fs:[00000030h] 2_2_0184B02A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184B02A mov eax, dword ptr fs:[00000030h] 2_2_0184B02A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184B02A mov eax, dword ptr fs:[00000030h] 2_2_0184B02A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184B02A mov eax, dword ptr fs:[00000030h] 2_2_0184B02A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186A44B mov eax, dword ptr fs:[00000030h] 2_2_0186A44B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01850050 mov eax, dword ptr fs:[00000030h] 2_2_01850050
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01850050 mov eax, dword ptr fs:[00000030h] 2_2_01850050
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CC450 mov eax, dword ptr fs:[00000030h] 2_2_018CC450
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CC450 mov eax, dword ptr fs:[00000030h] 2_2_018CC450
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01901074 mov eax, dword ptr fs:[00000030h] 2_2_01901074
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185746D mov eax, dword ptr fs:[00000030h] 2_2_0185746D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F2073 mov eax, dword ptr fs:[00000030h] 2_2_018F2073
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F138A mov eax, dword ptr fs:[00000030h] 2_2_018F138A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01841B8F mov eax, dword ptr fs:[00000030h] 2_2_01841B8F
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01841B8F mov eax, dword ptr fs:[00000030h] 2_2_01841B8F
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018ED380 mov ecx, dword ptr fs:[00000030h] 2_2_018ED380
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01848794 mov eax, dword ptr fs:[00000030h] 2_2_01848794
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01862397 mov eax, dword ptr fs:[00000030h] 2_2_01862397
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186B390 mov eax, dword ptr fs:[00000030h] 2_2_0186B390
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B7794 mov eax, dword ptr fs:[00000030h] 2_2_018B7794
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B7794 mov eax, dword ptr fs:[00000030h] 2_2_018B7794
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B7794 mov eax, dword ptr fs:[00000030h] 2_2_018B7794
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01864BAD mov eax, dword ptr fs:[00000030h] 2_2_01864BAD
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01864BAD mov eax, dword ptr fs:[00000030h] 2_2_01864BAD
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01864BAD mov eax, dword ptr fs:[00000030h] 2_2_01864BAD
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01905BA5 mov eax, dword ptr fs:[00000030h] 2_2_01905BA5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B53CA mov eax, dword ptr fs:[00000030h] 2_2_018B53CA
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B53CA mov eax, dword ptr fs:[00000030h] 2_2_018B53CA
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h] 2_2_018603E2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h] 2_2_018603E2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h] 2_2_018603E2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h] 2_2_018603E2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h] 2_2_018603E2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h] 2_2_018603E2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0185DBE9
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018737F5 mov eax, dword ptr fs:[00000030h] 2_2_018737F5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186A70E mov eax, dword ptr fs:[00000030h] 2_2_0186A70E
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186A70E mov eax, dword ptr fs:[00000030h] 2_2_0186A70E
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185F716 mov eax, dword ptr fs:[00000030h] 2_2_0185F716
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F131B mov eax, dword ptr fs:[00000030h] 2_2_018F131B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CFF10 mov eax, dword ptr fs:[00000030h] 2_2_018CFF10
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CFF10 mov eax, dword ptr fs:[00000030h] 2_2_018CFF10
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0190070D mov eax, dword ptr fs:[00000030h] 2_2_0190070D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0190070D mov eax, dword ptr fs:[00000030h] 2_2_0190070D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01834F2E mov eax, dword ptr fs:[00000030h] 2_2_01834F2E
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01834F2E mov eax, dword ptr fs:[00000030h] 2_2_01834F2E
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186E730 mov eax, dword ptr fs:[00000030h] 2_2_0186E730
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183DB40 mov eax, dword ptr fs:[00000030h] 2_2_0183DB40
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184EF40 mov eax, dword ptr fs:[00000030h] 2_2_0184EF40
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01908B58 mov eax, dword ptr fs:[00000030h] 2_2_01908B58
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183F358 mov eax, dword ptr fs:[00000030h] 2_2_0183F358
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183DB60 mov ecx, dword ptr fs:[00000030h] 2_2_0183DB60
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184FF60 mov eax, dword ptr fs:[00000030h] 2_2_0184FF60
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01908F6A mov eax, dword ptr fs:[00000030h] 2_2_01908F6A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01863B7A mov eax, dword ptr fs:[00000030h] 2_2_01863B7A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01863B7A mov eax, dword ptr fs:[00000030h] 2_2_01863B7A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018CFE87 mov eax, dword ptr fs:[00000030h] 2_2_018CFE87
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186D294 mov eax, dword ptr fs:[00000030h] 2_2_0186D294
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186D294 mov eax, dword ptr fs:[00000030h] 2_2_0186D294
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h] 2_2_018352A5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h] 2_2_018352A5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h] 2_2_018352A5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h] 2_2_018352A5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h] 2_2_018352A5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018B46A7 mov eax, dword ptr fs:[00000030h] 2_2_018B46A7
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0184AAB0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0184AAB0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01900EA5 mov eax, dword ptr fs:[00000030h] 2_2_01900EA5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01900EA5 mov eax, dword ptr fs:[00000030h] 2_2_01900EA5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01900EA5 mov eax, dword ptr fs:[00000030h] 2_2_01900EA5
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0186FAB0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01878EC7 mov eax, dword ptr fs:[00000030h] 2_2_01878EC7
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01908ED6 mov eax, dword ptr fs:[00000030h] 2_2_01908ED6
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018636CC mov eax, dword ptr fs:[00000030h] 2_2_018636CC
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01862ACB mov eax, dword ptr fs:[00000030h] 2_2_01862ACB
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018EFEC0 mov eax, dword ptr fs:[00000030h] 2_2_018EFEC0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01862AE4 mov eax, dword ptr fs:[00000030h] 2_2_01862AE4
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018616E0 mov ecx, dword ptr fs:[00000030h] 2_2_018616E0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018476E2 mov eax, dword ptr fs:[00000030h] 2_2_018476E2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183C600 mov eax, dword ptr fs:[00000030h] 2_2_0183C600
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183C600 mov eax, dword ptr fs:[00000030h] 2_2_0183C600
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183C600 mov eax, dword ptr fs:[00000030h] 2_2_0183C600
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01868E00 mov eax, dword ptr fs:[00000030h] 2_2_01868E00
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018F1608 mov eax, dword ptr fs:[00000030h] 2_2_018F1608
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01848A0A mov eax, dword ptr fs:[00000030h] 2_2_01848A0A
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01835210 mov eax, dword ptr fs:[00000030h] 2_2_01835210
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01835210 mov ecx, dword ptr fs:[00000030h] 2_2_01835210
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01835210 mov eax, dword ptr fs:[00000030h] 2_2_01835210
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01835210 mov eax, dword ptr fs:[00000030h] 2_2_01835210
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183AA16 mov eax, dword ptr fs:[00000030h] 2_2_0183AA16
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183AA16 mov eax, dword ptr fs:[00000030h] 2_2_0183AA16
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01853A1C mov eax, dword ptr fs:[00000030h] 2_2_01853A1C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186A61C mov eax, dword ptr fs:[00000030h] 2_2_0186A61C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0186A61C mov eax, dword ptr fs:[00000030h] 2_2_0186A61C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0183E620 mov eax, dword ptr fs:[00000030h] 2_2_0183E620
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01874A2C mov eax, dword ptr fs:[00000030h] 2_2_01874A2C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01874A2C mov eax, dword ptr fs:[00000030h] 2_2_01874A2C
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018EFE3F mov eax, dword ptr fs:[00000030h] 2_2_018EFE3F
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01839240 mov eax, dword ptr fs:[00000030h] 2_2_01839240
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01839240 mov eax, dword ptr fs:[00000030h] 2_2_01839240
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01839240 mov eax, dword ptr fs:[00000030h] 2_2_01839240
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01839240 mov eax, dword ptr fs:[00000030h] 2_2_01839240
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h] 2_2_01847E41
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h] 2_2_01847E41
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h] 2_2_01847E41
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h] 2_2_01847E41
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h] 2_2_01847E41
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h] 2_2_01847E41
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018FAE44 mov eax, dword ptr fs:[00000030h] 2_2_018FAE44
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018FAE44 mov eax, dword ptr fs:[00000030h] 2_2_018FAE44
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018FEA55 mov eax, dword ptr fs:[00000030h] 2_2_018FEA55
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018C4257 mov eax, dword ptr fs:[00000030h] 2_2_018C4257
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0184766D mov eax, dword ptr fs:[00000030h] 2_2_0184766D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018EB260 mov eax, dword ptr fs:[00000030h] 2_2_018EB260
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_018EB260 mov eax, dword ptr fs:[00000030h] 2_2_018EB260
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_01908A62 mov eax, dword ptr fs:[00000030h] 2_2_01908A62
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h] 2_2_0185AE73
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h] 2_2_0185AE73
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h] 2_2_0185AE73
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h] 2_2_0185AE73
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h] 2_2_0185AE73
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_0187927A mov eax, dword ptr fs:[00000030h] 2_2_0187927A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484849B mov eax, dword ptr fs:[00000030h] 11_2_0484849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04908CD6 mov eax, dword ptr fs:[00000030h] 11_2_04908CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F14FB mov eax, dword ptr fs:[00000030h] 11_2_048F14FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B6CF0 mov eax, dword ptr fs:[00000030h] 11_2_048B6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B6CF0 mov eax, dword ptr fs:[00000030h] 11_2_048B6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B6CF0 mov eax, dword ptr fs:[00000030h] 11_2_048B6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B6C0A mov eax, dword ptr fs:[00000030h] 11_2_048B6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B6C0A mov eax, dword ptr fs:[00000030h] 11_2_048B6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B6C0A mov eax, dword ptr fs:[00000030h] 11_2_048B6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B6C0A mov eax, dword ptr fs:[00000030h] 11_2_048B6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h] 11_2_048F1C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0490740D mov eax, dword ptr fs:[00000030h] 11_2_0490740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0490740D mov eax, dword ptr fs:[00000030h] 11_2_0490740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0490740D mov eax, dword ptr fs:[00000030h] 11_2_0490740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486BC2C mov eax, dword ptr fs:[00000030h] 11_2_0486BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486A44B mov eax, dword ptr fs:[00000030h] 11_2_0486A44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048CC450 mov eax, dword ptr fs:[00000030h] 11_2_048CC450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048CC450 mov eax, dword ptr fs:[00000030h] 11_2_048CC450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0485746D mov eax, dword ptr fs:[00000030h] 11_2_0485746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04862581 mov eax, dword ptr fs:[00000030h] 11_2_04862581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04832D8A mov eax, dword ptr fs:[00000030h] 11_2_04832D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486FD9B mov eax, dword ptr fs:[00000030h] 11_2_0486FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048635A1 mov eax, dword ptr fs:[00000030h] 11_2_048635A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04861DB5 mov eax, dword ptr fs:[00000030h] 11_2_04861DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_049005AC mov eax, dword ptr fs:[00000030h] 11_2_049005AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B6DC9 mov eax, dword ptr fs:[00000030h] 11_2_048B6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B6DC9 mov ecx, dword ptr fs:[00000030h] 11_2_048B6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484D5E0 mov eax, dword ptr fs:[00000030h] 11_2_0484D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048FFDE2 mov eax, dword ptr fs:[00000030h] 11_2_048FFDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048E8DF1 mov eax, dword ptr fs:[00000030h] 11_2_048E8DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04908D34 mov eax, dword ptr fs:[00000030h] 11_2_04908D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h] 11_2_04843D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0483AD30 mov eax, dword ptr fs:[00000030h] 11_2_0483AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048FE539 mov eax, dword ptr fs:[00000030h] 11_2_048FE539
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048BA537 mov eax, dword ptr fs:[00000030h] 11_2_048BA537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04864D3B mov eax, dword ptr fs:[00000030h] 11_2_04864D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04873D43 mov eax, dword ptr fs:[00000030h] 11_2_04873D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B3540 mov eax, dword ptr fs:[00000030h] 11_2_048B3540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04857D50 mov eax, dword ptr fs:[00000030h] 11_2_04857D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0485C577 mov eax, dword ptr fs:[00000030h] 11_2_0485C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048CFE87 mov eax, dword ptr fs:[00000030h] 11_2_048CFE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B46A7 mov eax, dword ptr fs:[00000030h] 11_2_048B46A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04900EA5 mov eax, dword ptr fs:[00000030h] 11_2_04900EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04878EC7 mov eax, dword ptr fs:[00000030h] 11_2_04878EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04908ED6 mov eax, dword ptr fs:[00000030h] 11_2_04908ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048636CC mov eax, dword ptr fs:[00000030h] 11_2_048636CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048EFEC0 mov eax, dword ptr fs:[00000030h] 11_2_048EFEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048616E0 mov ecx, dword ptr fs:[00000030h] 11_2_048616E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048476E2 mov eax, dword ptr fs:[00000030h] 11_2_048476E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0483C600 mov eax, dword ptr fs:[00000030h] 11_2_0483C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04868E00 mov eax, dword ptr fs:[00000030h] 11_2_04868E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F1608 mov eax, dword ptr fs:[00000030h] 11_2_048F1608
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486A61C mov eax, dword ptr fs:[00000030h] 11_2_0486A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0483E620 mov eax, dword ptr fs:[00000030h] 11_2_0483E620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048EFE3F mov eax, dword ptr fs:[00000030h] 11_2_048EFE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04847E41 mov eax, dword ptr fs:[00000030h] 11_2_04847E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048FAE44 mov eax, dword ptr fs:[00000030h] 11_2_048FAE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484766D mov eax, dword ptr fs:[00000030h] 11_2_0484766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0485AE73 mov eax, dword ptr fs:[00000030h] 11_2_0485AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04848794 mov eax, dword ptr fs:[00000030h] 11_2_04848794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B7794 mov eax, dword ptr fs:[00000030h] 11_2_048B7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048737F5 mov eax, dword ptr fs:[00000030h] 11_2_048737F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486A70E mov eax, dword ptr fs:[00000030h] 11_2_0486A70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0485F716 mov eax, dword ptr fs:[00000030h] 11_2_0485F716
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048CFF10 mov eax, dword ptr fs:[00000030h] 11_2_048CFF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0490070D mov eax, dword ptr fs:[00000030h] 11_2_0490070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04834F2E mov eax, dword ptr fs:[00000030h] 11_2_04834F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486E730 mov eax, dword ptr fs:[00000030h] 11_2_0486E730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484EF40 mov eax, dword ptr fs:[00000030h] 11_2_0484EF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484FF60 mov eax, dword ptr fs:[00000030h] 11_2_0484FF60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04908F6A mov eax, dword ptr fs:[00000030h] 11_2_04908F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04839080 mov eax, dword ptr fs:[00000030h] 11_2_04839080
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B3884 mov eax, dword ptr fs:[00000030h] 11_2_048B3884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048620A0 mov eax, dword ptr fs:[00000030h] 11_2_048620A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048790AF mov eax, dword ptr fs:[00000030h] 11_2_048790AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486F0BF mov ecx, dword ptr fs:[00000030h] 11_2_0486F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486F0BF mov eax, dword ptr fs:[00000030h] 11_2_0486F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048CB8D0 mov eax, dword ptr fs:[00000030h] 11_2_048CB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048CB8D0 mov ecx, dword ptr fs:[00000030h] 11_2_048CB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048358EC mov eax, dword ptr fs:[00000030h] 11_2_048358EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04904015 mov eax, dword ptr fs:[00000030h] 11_2_04904015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B7016 mov eax, dword ptr fs:[00000030h] 11_2_048B7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486002D mov eax, dword ptr fs:[00000030h] 11_2_0486002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484B02A mov eax, dword ptr fs:[00000030h] 11_2_0484B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04850050 mov eax, dword ptr fs:[00000030h] 11_2_04850050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04901074 mov eax, dword ptr fs:[00000030h] 11_2_04901074
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048F2073 mov eax, dword ptr fs:[00000030h] 11_2_048F2073
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486A185 mov eax, dword ptr fs:[00000030h] 11_2_0486A185
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0485C182 mov eax, dword ptr fs:[00000030h] 11_2_0485C182
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04862990 mov eax, dword ptr fs:[00000030h] 11_2_04862990
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048661A0 mov eax, dword ptr fs:[00000030h] 11_2_048661A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B69A6 mov eax, dword ptr fs:[00000030h] 11_2_048B69A6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048B51BE mov eax, dword ptr fs:[00000030h] 11_2_048B51BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0483B1E1 mov eax, dword ptr fs:[00000030h] 11_2_0483B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048C41E8 mov eax, dword ptr fs:[00000030h] 11_2_048C41E8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04839100 mov eax, dword ptr fs:[00000030h] 11_2_04839100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04854120 mov eax, dword ptr fs:[00000030h] 11_2_04854120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04854120 mov ecx, dword ptr fs:[00000030h] 11_2_04854120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486513A mov eax, dword ptr fs:[00000030h] 11_2_0486513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0485B944 mov eax, dword ptr fs:[00000030h] 11_2_0485B944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0483C962 mov eax, dword ptr fs:[00000030h] 11_2_0483C962
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0483B171 mov eax, dword ptr fs:[00000030h] 11_2_0483B171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486D294 mov eax, dword ptr fs:[00000030h] 11_2_0486D294
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_048352A5 mov eax, dword ptr fs:[00000030h] 11_2_048352A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0484AAB0 mov eax, dword ptr fs:[00000030h] 11_2_0484AAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0486FAB0 mov eax, dword ptr fs:[00000030h] 11_2_0486FAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04862ACB mov eax, dword ptr fs:[00000030h] 11_2_04862ACB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04862AE4 mov eax, dword ptr fs:[00000030h] 11_2_04862AE4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04848A0A mov eax, dword ptr fs:[00000030h] 11_2_04848A0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04835210 mov eax, dword ptr fs:[00000030h] 11_2_04835210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04835210 mov ecx, dword ptr fs:[00000030h] 11_2_04835210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_0483AA16 mov eax, dword ptr fs:[00000030h] 11_2_0483AA16
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04853A1C mov eax, dword ptr fs:[00000030h] 11_2_04853A1C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 11_2_04874A2C mov eax, dword ptr fs:[00000030h] 11_2_04874A2C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F60F1 GetProcessHeap, 0_2_002F60F1
Enables debug privileges
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F171B SetUnhandledExceptionFilter, 0_2_002F171B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F3D62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_002F3D62
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F19E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_002F19E2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F15CD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_002F15CD
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_002F3D62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_002F3D62
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_002F19E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_002F19E2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_002F15CD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_002F15CD
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 2_2_002F171B SetUnhandledExceptionFilter, 2_2_002F171B

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe Network Connect: 103.88.34.80 80
Source: C:\Windows\explorer.exe Domain query: www.ejsuniqueclasses.com
Source: C:\Windows\explorer.exe Domain query: www.856380062.xyz
Source: C:\Windows\explorer.exe Network Connect: 198.74.106.237 80
Source: C:\Windows\explorer.exe Network Connect: 163.123.204.26 80
Source: C:\Windows\explorer.exe Network Connect: 164.68.104.58 80
Source: C:\Windows\explorer.exe Domain query: www.466se.com
Source: C:\Windows\explorer.exe Domain query: www.circusocks.com
Source: C:\Windows\explorer.exe Domain query: www.healthpragency.com
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Section loaded: unknown target: C:\Users\user\Desktop\mvui1vY6Mo.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Thread register set: target process: 3424
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1250000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Process created: C:\Users\user\Desktop\mvui1vY6Mo.exe 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: explorer.exe, 00000004.00000000.694405409.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.694780872.0000000001080000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915643403.0000000003260000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.675806448.0000000005E50000.00000004.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915643403.0000000003260000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.694780872.0000000001080000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915643403.0000000003260000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.694780872.0000000001080000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915643403.0000000003260000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.680948462.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F182B cpuid 0_2_002F182B
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe Code function: 0_2_002F14B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_002F14B5

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY