Play interactive tour

Edit tour

Windows Analysis Report mvui1vY6Mo

Overview

General Information

Sample Name:	mvui1vY6Mo (renamed file extension from none to exe)
Analysis ID:	458944
MD5:	059b1244ac9fda54de086692db4b5a08
SHA1:	6e5f6326bd9da7e5d9c70b3e4491d308eb7f842b
SHA256:	abb29be2c1eccd851bdb99b126e822a8cf0f57be95e9b71a921aa703b2c285be
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

mvui1vY6Mo.exe (PID: 6656 cmdline: 'C:\Users\user\Desktop\mvui1vY6Mo.exe' MD5: 059B1244AC9FDA54DE086692DB4B5A08)

mvui1vY6Mo.exe (PID: 6704 cmdline: 'C:\Users\user\Desktop\mvui1vY6Mo.exe' MD5: 059B1244AC9FDA54DE086692DB4B5A08)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmmon32.exe (PID: 6336 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)

cmd.exe (PID: 6380 cmdline: /c del 'C:\Users\user\Desktop\mvui1vY6Mo.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ejsuniqueclasses.com/ehp9/"], "decoy": ["kebao100.com", "telco360.com", "gilleyaviation.com", "thedangleman.com", "kmpetersonphoto.com", "bykjsz.com", "comparaca.com", "wlalumsforantiracism.com", "razerzonr.com", "856380062.xyz", "cubesoftwaresolution.com", "atokastore.com", "joinlashedbyjamie.com", "azcorra.com", "lilys-galaxy.com", "wheretheresaytheresaway.com", "avantix-colts.com", "pornsitehub.com", "jagoviral.com", "loansforgiven.com", "bainrix.com", "jesuschrist.care", "gunvue.com", "ijajs.com", "gee825.com", "runninghogfarm.com", "zotaac-ee.com", "secretholeagency.com", "maakapforgoodhealth.com", "lovebodystyles.com", "macrovigilance.com", "attractanygirl.com", "ingawellinc.com", "bet365q8.com", "globalmillionairessclub.com", "marcellaandann.com", "cmnkt-byem.xyz", "wolfzoom.net", "laura-claim.com", "tunnurl.com", "twinedinmagic.com", "libertybaptistchurchmedia.com", "pureembryo.com", "ssdigitaltirunelveli.com", "skiphirescunthorpe.com", "displashop.com", "whitebylole.com", "eggplantreport.com", "rje3.net", "healthpragency.com", "dxdoors.com", "blissbunnyworld.com", "ifn.xyz", "nationalurc.info", "designcumbriauk.com", "sonchirraiyya.com", "466se.com", "bombayy.com", "mairaalves.art", "nazarppe.com", "smokinskiing.com", "redwhitescrewed.com", "quantumnepal.codes", "circusocks.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 16 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.mvui1vY6Mo.exe.400000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.mvui1vY6Mo.exe.400000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.mvui1vY6Mo.exe.400000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
0.2.mvui1vY6Mo.exe.2eb0000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.mvui1vY6Mo.exe.2eb0000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.mvui1vY6Mo.exe.2eb0000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166c9:$sqlite3step: 68 34 1C 7B E1 0x167dc:$sqlite3step: 68 34 1C 7B E1 0x166f8:$sqlite3text: 68 38 2A 90 C5 0x1681d:$sqlite3text: 68 38 2A 90 C5 0x1670b:$sqlite3blob: 68 53 D8 7F 8C 0x16833:$sqlite3blob: 68 53 D8 7F 8C
2.2.mvui1vY6Mo.exe.400000.1.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.mvui1vY6Mo.exe.400000.1.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.mvui1vY6Mo.exe.400000.1.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x158c9:$sqlite3step: 68 34 1C 7B E1 0x159dc:$sqlite3step: 68 34 1C 7B E1 0x158f8:$sqlite3text: 68 38 2A 90 C5 0x15a1d:$sqlite3text: 68 38 2A 90 C5 0x1590b:$sqlite3blob: 68 53 D8 7F 8C 0x15a33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ejsuniqueclasses.com/ehp9/"], "decoy": ["kebao100.com", "telco360.com", "gilleyaviation.com", "thedangleman.com", "kmpetersonphoto.com", "bykjsz.com", "comparaca.com", "wlalumsforantiracism.com", "razerzonr.com", "856380062.xyz", "cubesoftwaresolution.com", "atokastore.com", "joinlashedbyjamie.com", "azcorra.com", "lilys-galaxy.com", "wheretheresaytheresaway.com", "avantix-colts.com", "pornsitehub.com", "jagoviral.com", "loansforgiven.com", "bainrix.com", "jesuschrist.care", "gunvue.com", "ijajs.com", "gee825.com", "runninghogfarm.com", "zotaac-ee.com", "secretholeagency.com", "maakapforgoodhealth.com", "lovebodystyles.com", "macrovigilance.com", "attractanygirl.com", "ingawellinc.com", "bet365q8.com", "globalmillionairessclub.com", "marcellaandann.com", "cmnkt-byem.xyz", "wolfzoom.net", "laura-claim.com", "tunnurl.com", "twinedinmagic.com", "libertybaptistchurchmedia.com", "pureembryo.com", "ssdigitaltirunelveli.com", "skiphirescunthorpe.com", "displashop.com", "whitebylole.com", "eggplantreport.com", "rje3.net", "healthpragency.com", "dxdoors.com", "blissbunnyworld.com", "ifn.xyz", "nationalurc.info", "designcumbriauk.com", "sonchirraiyya.com", "466se.com", "bombayy.com", "mairaalves.art", "nazarppe.com", "smokinskiing.com", "redwhitescrewed.com", "quantumnepal.codes", "circusocks.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: mvui1vY6Mo.exe	Virustotal: Detection: 58%			Perma Link
Source: mvui1vY6Mo.exe	ReversingLabs: Detection: 60%

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for sample

Show sources

Source: mvui1vY6Mo.exe

Joe Sandbox ML: detected

Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: mvui1vY6Mo.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: mvui1vY6Mo.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmmon32.pdb source: mvui1vY6Mo.exe, 00000002.00000002.746740818.0000000003890000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.708388219.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: C:\xampp\htdocs\Cryptor\0238f0732c6a40e5a54bccb37ef03c58\Loader\Project1\Release\Project1.pdb source: mvui1vY6Mo.exe
Source:	Binary string: cmmon32.pdbGCTL source: mvui1vY6Mo.exe, 00000002.00000002.746740818.0000000003890000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: mvui1vY6Mo.exe, 00000000.00000003.655268474.0000000003240000.00000004.00000001.sdmp, mvui1vY6Mo.exe, 00000002.00000002.745274685.0000000001810000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915794120.0000000004810000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: mvui1vY6Mo.exe, cmmon32.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.708388219.0000000005A00000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_002F431C FindFirstFileExW,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_002F431C FindFirstFileExW,

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49747 -> 164.68.104.58:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49747 -> 164.68.104.58:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49747 -> 164.68.104.58:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.ejsuniqueclasses.com/ehp9/

Performs DNS queries to domains with low reputation

Show sources

Source: C:\Windows\explorer.exe	DNS query: www.856380062.xyz
Source: C:\Windows\SysWOW64\cmmon32.exe	DNS query: www.856380062.xyz

Source: global traffic	HTTP traffic detected: GET /ehp9/?zZbXur=fPkLdxO&0vrPA=8c/5QoMWiMUW3SjDqDOgvqNfypt6IHckOwJjeT/c3u4BTCnBI4ecsnyb0a1UBRXLCY1T HTTP/1.1Host: www.ejsuniqueclasses.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ehp9/?0vrPA=5Xsjz7+Z5WLh89j81EYl3Aroso+z/qN2CpRl0IKGrQQKTktOwLuaqldWAZoOLzUBzR5Q&zZbXur=fPkLdxO HTTP/1.1Host: www.healthpragency.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ehp9/?zZbXur=fPkLdxO&0vrPA=oRr9ZXza/sqKFb1a4cLVquMpSAfNXH/ZGOEKtA079HuOHtafooLLPyAXrAQLja/+16Ky HTTP/1.1Host: www.circusocks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ehp9/?0vrPA=UsPTfcJ0BZ5q3mR+pFMXthX3126RUWmODdEpc4rh++F4qt19VniXLc7dOQb8qNRTbKnv&zZbXur=fPkLdxO HTTP/1.1Host: www.466se.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 52.58.78.16 52.58.78.16

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: ILIGHT-NETUS ILIGHT-NETUS

Source: global traffic	HTTP traffic detected: GET /ehp9/?zZbXur=fPkLdxO&0vrPA=8c/5QoMWiMUW3SjDqDOgvqNfypt6IHckOwJjeT/c3u4BTCnBI4ecsnyb0a1UBRXLCY1T HTTP/1.1Host: www.ejsuniqueclasses.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ehp9/?0vrPA=5Xsjz7+Z5WLh89j81EYl3Aroso+z/qN2CpRl0IKGrQQKTktOwLuaqldWAZoOLzUBzR5Q&zZbXur=fPkLdxO HTTP/1.1Host: www.healthpragency.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ehp9/?zZbXur=fPkLdxO&0vrPA=oRr9ZXza/sqKFb1a4cLVquMpSAfNXH/ZGOEKtA079HuOHtafooLLPyAXrAQLja/+16Ky HTTP/1.1Host: www.circusocks.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ehp9/?0vrPA=UsPTfcJ0BZ5q3mR+pFMXthX3126RUWmODdEpc4rh++F4qt19VniXLc7dOQb8qNRTbKnv&zZbXur=fPkLdxO HTTP/1.1Host: www.466se.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.ejsuniqueclasses.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Tue, 03 Aug 2021 20:19:35 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000004.00000000.663579400.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: cmmon32.exe, 0000000B.00000002.915247011.0000000000C60000.00000004.00000020.sdmp	String found in binary or memory: http://www.856380062.xyz/ehp9/?zZbXur=fPkLdxO&0vrPA=sBJ6lOoTYYoNcaluCGHxKraeNDG0llcp1STurr5zu7Kck/pV
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_004181D0 NtCreateFile,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00418280 NtReadFile,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00418300 NtClose,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_004183B0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_004183AB NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018795D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018798F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018797A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018799D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018795F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0187AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879950 NtQueueApcThread,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879560 NtWriteFile,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018798A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879820 NtEnumerateKey,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0187B040 NtSuspendThread,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0187A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879B00 NtSetValueKey,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0187A710 NtOpenProcessToken,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879730 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879760 NtOpenProcess,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879770 NtSetInformationFile,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0187A770 NtOpenThread,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018796D0 NtCreateKey,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879A10 NtQuerySection,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879650 NtQueryValueKey,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01879670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048795D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048796D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048795F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0487AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879560 NtWriteFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048797A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0487A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0487A770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048798A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048798F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0487B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048799D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0487A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04879B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008B81D0 NtCreateFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008B8280 NtReadFile,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008B83B0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008B8300 NtClose,
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008B83AB NtAllocateVirtualMemory,

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_00304C25
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_002F9B35
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_002F9B35
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00401027
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00401030
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00408C6D
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00408C70
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041C497
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041B4B3
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041C506
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00402D87
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041BE70
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041BE00
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041C771
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041BF09
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01862581
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_019025DD
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184D5E0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183F900
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01902D07
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01830D20
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01854120
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01901D55
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184B090
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018620A0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_019020A8
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_019028EC
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1002
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184841F
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186EBB0
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018FDBD2
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01901FF1
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01902B28
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_019022AE
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01902EF7
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01856E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484841F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048FD466
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04862581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_049025DD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04902D07
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04830D20
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04901D55
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04902EF7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04856E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04901FF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484B090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048620A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_049020A8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_049028EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1002
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483F900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04854120
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_049022AE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048FDBD2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04902B28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BC497
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BB4B3
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008A8C6D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008A8C70
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008A2D87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008A2D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BC506
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BBEF9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BBE00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008A2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BC771

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: String function: 0183B150 appears 35 times
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: String function: 002F17D0 appears 46 times
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: String function: 002F4F91 appears 36 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0483B150 appears 35 times

Source: mvui1vY6Mo.exe, 00000000.00000003.651762525.00000000031C6000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs mvui1vY6Mo.exe
Source: mvui1vY6Mo.exe, 00000002.00000002.746750846.0000000003899000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs mvui1vY6Mo.exe
Source: mvui1vY6Mo.exe, 00000002.00000002.745559030.000000000192F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs mvui1vY6Mo.exe

Source: mvui1vY6Mo.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/0@7/5

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6400:120:WilError_01

Source: mvui1vY6Mo.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: mvui1vY6Mo.exe	Virustotal: Detection: 58%
Source: mvui1vY6Mo.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

File read: C:\Users\user\Desktop\mvui1vY6Mo.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mvui1vY6Mo.exe 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Process created: C:\Users\user\Desktop\mvui1vY6Mo.exe 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Process created: C:\Users\user\Desktop\mvui1vY6Mo.exe 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mvui1vY6Mo.exe'

Source: mvui1vY6Mo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: mvui1vY6Mo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: mvui1vY6Mo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: mvui1vY6Mo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: mvui1vY6Mo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: mvui1vY6Mo.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: mvui1vY6Mo.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: mvui1vY6Mo.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cmmon32.pdb source: mvui1vY6Mo.exe, 00000002.00000002.746740818.0000000003890000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.708388219.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: C:\xampp\htdocs\Cryptor\0238f0732c6a40e5a54bccb37ef03c58\Loader\Project1\Release\Project1.pdb source: mvui1vY6Mo.exe
Source:	Binary string: cmmon32.pdbGCTL source: mvui1vY6Mo.exe, 00000002.00000002.746740818.0000000003890000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: mvui1vY6Mo.exe, 00000000.00000003.655268474.0000000003240000.00000004.00000001.sdmp, mvui1vY6Mo.exe, 00000002.00000002.745274685.0000000001810000.00000040.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915794120.0000000004810000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: mvui1vY6Mo.exe, cmmon32.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.708388219.0000000005A00000.00000002.00000001.sdmp

Source: mvui1vY6Mo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: mvui1vY6Mo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: mvui1vY6Mo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: mvui1vY6Mo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: mvui1vY6Mo.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_002F1816 push ecx; ret
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_002F1816 push ecx; ret
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041B3C5 push eax; ret
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041B47C push eax; ret
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041B412 push eax; ret
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0041B41B push eax; ret
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00414E34 push eax; iretd
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_00414F6B push ebp; retf
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0188D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0488D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BB3C5 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BB41B push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BB412 push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008BB47C push eax; ret
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008B4E34 push eax; iretd
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_008B4F6B push ebp; retf

Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 00000000008A85F4 second address: 00000000008A85FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 00000000008A898E second address: 00000000008A8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Code function: 2_2_004088C0 rdtsc

Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6392

Thread sleep time: -32000s >= -30000s

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_002F431C FindFirstFileExW,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_002F431C FindFirstFileExW,

Source: explorer.exe, 00000004.00000000.704668581.0000000004710000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.689957122.000000000FD60000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.674578676.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000004.00000000.680786469.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.675830821.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.680786469.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmmon32.exe, 0000000B.00000002.915231564.0000000000C47000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.680948462.000000000A716000.00000004.00000001.sdmp	Binary or memory string: 0ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
Source: explorer.exe, 00000004.00000000.671975391.0000000004755000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000004.00000000.674578676.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.680948462.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000004.00000000.674578676.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000004.00000000.681026627.000000000A784000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000004.00000000.674578676.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Code function: 2_2_004088C0 rdtsc

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Code function: 2_2_00409B30 LdrLoadDll,

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Code function: 0_2_002F3D62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_00304C25 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_002F2E0B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_011306DA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_0113099F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_011309DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_011308EE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_01130A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_002F2E0B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01862990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01861DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01861DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01861DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_019005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_019005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018E8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01839100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01839100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01839100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01908D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01854120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018FE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018BA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01864D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01864D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01864D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01873D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01857D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01839080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01908CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01904015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01904015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0190740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0190740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0190740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01850050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01850050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01901074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01841B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01841B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018ED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01848794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01862397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01864BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01864BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01864BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01905BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0190070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0190070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01834F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01834F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01908B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01908F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01863B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01863B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018CFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018B46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01900EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01900EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01900EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01878EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01908ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01862ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018EFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01862AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01868E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018F1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01848A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01835210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01835210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01835210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01835210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01853A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0186A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0183E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01874A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01874A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018EFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01839240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01839240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01839240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01839240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018FEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018C4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0184766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_018EB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_01908A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0185AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_0187927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04908CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0490740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0490740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0490740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04862581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04832D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04861DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04861DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04861DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_049005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_049005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048FFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048E8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04908D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04843D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048FE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048BA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04864D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04864D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04864D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04873D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04857D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04900EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04900EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04900EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04878EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04908ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048EFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04868E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048EFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04847E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048FAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04848794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0490070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0490070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04834F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04834F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04908F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04839080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048CB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04904015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04904015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04850050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04850050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04901074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048F2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04862990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048B51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048C41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04839100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04839100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04839100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04854120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04854120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0485B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_048352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0484AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0486FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04862ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04862AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04848A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04835210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04835210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04835210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04835210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0483AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04853A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04874A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04874A2C mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Code function: 0_2_002F60F1 GetProcessHeap,

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_002F171B SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_002F3D62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_002F19E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 0_2_002F15CD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_002F3D62 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_002F19E2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_002F15CD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Code function: 2_2_002F171B SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 52.58.78.16 80
Source: C:\Windows\explorer.exe	Network Connect: 103.88.34.80 80
Source: C:\Windows\explorer.exe	Domain query: www.ejsuniqueclasses.com
Source: C:\Windows\explorer.exe	Domain query: www.856380062.xyz
Source: C:\Windows\explorer.exe	Network Connect: 198.74.106.237 80
Source: C:\Windows\explorer.exe	Network Connect: 163.123.204.26 80
Source: C:\Windows\explorer.exe	Network Connect: 164.68.104.58 80
Source: C:\Windows\explorer.exe	Domain query: www.466se.com
Source: C:\Windows\explorer.exe	Domain query: www.circusocks.com
Source: C:\Windows\explorer.exe	Domain query: www.healthpragency.com

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Section loaded: unknown target: C:\Users\user\Desktop\mvui1vY6Mo.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Thread register set: target process: 3424
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3424

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1250000

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Process created: C:\Users\user\Desktop\mvui1vY6Mo.exe 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Source: C:\Users\user\Desktop\mvui1vY6Mo.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mvui1vY6Mo.exe'

Source: explorer.exe, 00000004.00000000.694405409.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000004.00000000.694780872.0000000001080000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915643403.0000000003260000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.675806448.0000000005E50000.00000004.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915643403.0000000003260000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.694780872.0000000001080000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915643403.0000000003260000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.694780872.0000000001080000.00000002.00000001.sdmp, cmmon32.exe, 0000000B.00000002.915643403.0000000003260000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.680948462.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Code function: 0_2_002F182B cpuid

Source: C:\Users\user\Desktop\mvui1vY6Mo.exe

Code function: 0_2_002F14B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 2.2.mvui1vY6Mo.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.mvui1vY6Mo.exe.2eb0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.mvui1vY6Mo.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection512	Virtualization/Sandbox Evasion2	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection512	LSASS Memory	Security Software Discovery141	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	Process Discovery2	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery112	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mvui1vY6Mo.exe	59%	Virustotal		Browse
mvui1vY6Mo.exe	61%	ReversingLabs	Win32.Trojan.FormBook
mvui1vY6Mo.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.mvui1vY6Mo.exe.2eb0000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File
2.2.mvui1vY6Mo.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
ejsuniqueclasses.com	2%	Virustotal		Browse
www.466se.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.circusocks.com/ehp9/?zZbXur=fPkLdxO&0vrPA=oRr9ZXza/sqKFb1a4cLVquMpSAfNXH/ZGOEKtA079HuOHtafooLLPyAXrAQLja/+16Ky	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
www.ejsuniqueclasses.com/ehp9/	0%	Avira URL Cloud	safe
http://www.466se.com/ehp9/?0vrPA=UsPTfcJ0BZ5q3mR+pFMXthX3126RUWmODdEpc4rh++F4qt19VniXLc7dOQb8qNRTbKnv&zZbXur=fPkLdxO	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.856380062.xyz/ehp9/?zZbXur=fPkLdxO&0vrPA=sBJ6lOoTYYoNcaluCGHxKraeNDG0llcp1STurr5zu7Kck/pV	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.healthpragency.com/ehp9/?0vrPA=5Xsjz7+Z5WLh89j81EYl3Aroso+z/qN2CpRl0IKGrQQKTktOwLuaqldWAZoOLzUBzR5Q&zZbXur=fPkLdxO	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.ejsuniqueclasses.com/ehp9/?zZbXur=fPkLdxO&0vrPA=8c/5QoMWiMUW3SjDqDOgvqNfypt6IHckOwJjeT/c3u4BTCnBI4ecsnyb0a1UBRXLCY1T	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ejsuniqueclasses.com	164.68.104.58	true	true	2%, Virustotal, Browse	unknown
www.466se.com	198.74.106.237	true	true	0%, Virustotal, Browse	unknown
www.healthpragency.com	52.58.78.16	true	true		unknown
www.856380062.xyz	103.88.34.80	true	true		unknown
shops.myshopify.com	23.227.38.74	true	false		unknown
circusocks.com	163.123.204.26	true	true		unknown
www.comparaca.com	unknown	unknown	true		unknown
www.circusocks.com	unknown	unknown	true		unknown
www.ejsuniqueclasses.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.circusocks.com/ehp9/?zZbXur=fPkLdxO&0vrPA=oRr9ZXza/sqKFb1a4cLVquMpSAfNXH/ZGOEKtA079HuOHtafooLLPyAXrAQLja/+16Ky	true	Avira URL Cloud: safe	unknown
www.ejsuniqueclasses.com/ehp9/	true	Avira URL Cloud: safe	low
http://www.466se.com/ehp9/?0vrPA=UsPTfcJ0BZ5q3mR+pFMXthX3126RUWmODdEpc4rh++F4qt19VniXLc7dOQb8qNRTbKnv&zZbXur=fPkLdxO	true	Avira URL Cloud: safe	unknown
http://www.healthpragency.com/ehp9/?0vrPA=5Xsjz7+Z5WLh89j81EYl3Aroso+z/qN2CpRl0IKGrQQKTktOwLuaqldWAZoOLzUBzR5Q&zZbXur=fPkLdxO	true	Avira URL Cloud: safe	unknown
http://www.ejsuniqueclasses.com/ehp9/?zZbXur=fPkLdxO&0vrPA=8c/5QoMWiMUW3SjDqDOgvqNfypt6IHckOwJjeT/c3u4BTCnBI4ecsnyb0a1UBRXLCY1T	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.856380062.xyz/ehp9/?zZbXur=fPkLdxO&0vrPA=sBJ6lOoTYYoNcaluCGHxKraeNDG0llcp1STurr5zu7Kck/pV	cmmon32.exe, 0000000B.00000002.915247011.0000000000C60000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.%s.comPA	explorer.exe, 00000004.00000000.663579400.0000000002B50000.00000002.00000001.sdmp	false	URL Reputation: safe	low
http://www.fonts.com	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 00000004.00000000.684876231.000000000B976000.00000002.00000001.sdmp	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
52.58.78.16	www.healthpragency.com	United States	16509	AMAZON-02US	true
163.123.204.26	circusocks.com	Reserved	1767	ILIGHT-NETUS	true
164.68.104.58	ejsuniqueclasses.com	Germany	51167	CONTABODE	true
103.88.34.80	www.856380062.xyz	China	136188	CHINATELECOM-ZHEJIANG-NINGBO-IDCNINGBOZHEJIANGProvince	true
198.74.106.237	www.466se.com	United States	35916	MULTA-ASN1US	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458944
Start date:	03.08.2021
Start time:	22:17:20
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 40s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	mvui1vY6Mo (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/0@7/5
EGA Information:	Failed
HDC Information:	Successful, ratio: 35.2% (good quality ratio 32.2%) Quality average: 75.4% Quality standard deviation: 31.2%
HCA Information:	Successful, ratio: 94% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.5.146, 40.88.32.150, 168.61.161.212, 23.211.6.115, 20.82.209.183, 93.184.221.240, 20.82.210.154, 80.67.82.211, 80.67.82.235, 40.112.88.60 Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, storeedgefd.xbetservices.akadns.net, arc.msn.com, wu.azureedge.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, storeedgefd.dsx.mp.microsoft.com, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, wu.ec.azureedge.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, storeedgefd.dsx.mp.microsoft.com.edgekey.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, e16646.dscg.akamaiedge.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
52.58.78.16	Form_TT_EUR57,890.exe	Get hash	malicious	Browse	www.mobiessence.com/6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8
	NEW ORDER.xlsx	Get hash	malicious	Browse	www.legifo.com/n84e/?Mr08h0L=KHFThDJ3uNdvz4VUDR+6bS8SYcpLrpRC8lOMf3TlZ3PS/XcNx/3d4GJoUukLL5LRpfRfOA==&zVopsT=6lRxBfwpGVRluDfp
	Payment confirmation.exe	Get hash	malicious	Browse	www.simplenorwegian.com/iq3g/?IrK=CZ/yXVcNRdC6FvxinIXGrVmHiuR1WjT6SNukwgkxBNtmMQmyCWCLRoMj7G3k0Wznru0p&U0GD=nTvlUPapR
	DHL Shipment Notification,PDF.exe	Get hash	malicious	Browse	www.crosschainconsulting.com/d8ak/?l8zt=jDth58DB5imLqUkIs94ZrvJvWs5Ik/QXC2wgF4rLpwBCIv0jyvuCPBHay7TuoSVne/lyNJlz0g==&GT=8pBhLdXXedUx8
	RhalEFwYre.exe	Get hash	malicious	Browse	www.mobiessence.com/6mam/?7nZp_P=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH6NTpTQPuYh&l48tB=-ZYD52r
	RYP-210712.xlsx	Get hash	malicious	Browse	www.threatprotection.net/6mam/?O2M0W=yVJpjpi8601X&TP=5U63IG+7yBTG2LU/sbhPJsaYeNu0pzfei2tMILncnfG3lfTZPYhqam4eeguQu/uCp/fddQ==
	sMpEuBRc2t.exe	Get hash	malicious	Browse	www.ecofingers.com/dy8g/?OR-TuR7X=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0knK24QskGlt&aPpl=k0DD1ZKh
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	www.midgefly.com/vtg0/?8pcx=sCrA+W5O6oNqspHIzbx/VoZ2gHLngFo2bTHVR61MqOIzfC7Xnf47aZIrFlXsjUrU46mf&b8Zd=YdoHsDD
	6al00IjI6j.exe	Get hash	malicious	Browse	www.walkonhome.com/p1nr/?EVL=7zqpjNgTocuQEZ/7cot9yzbg96wEePlUEUbJytYr6EKC6aCaKn2SKTFFolhpeAkAzVfO4NkQJQ==&YTOx3p=8pgHdZbp
	RYP-210629.xlsx	Get hash	malicious	Browse	www.mobiessence.com/6mam/?8pWX_=KE8gpfUButRuMRaKHV5goIwNmc44LE6Oi+XDAS05rkp2RTHle1NPjCzZMh2LYYHbaIsWTA==&YH=c8zlrpFp7PZpmtep
	Invoice Amount 14980.exe	Get hash	malicious	Browse	www.bvlesty.com/p4se/?7npd928=bQMAraj1xKdOkCzLuHERhNooHK+QGPNFLNpMJV9bH8WlaoVv6+ueUmNZD2UWSIOcTisLluXEOQ==&U2M=m0GHc
	moni 33.exe	Get hash	malicious	Browse	www.kathyharvey.com/weni/?eB2=SZj8b&9rjDM4rH=7yHtpb+g0rUXbgxV21t9L0ENNL4bw8lTqOTLyZUlhT1yXa0UMrAsRH4DxLIXKzBvV8Hk
	ORDER -ASLF1SR00116-PDF.doc	Get hash	malicious	Browse	www.alorve.com/b8eu/?ezr8A=fO29zInUMKyU3b+KsEdF7DM9YDGDqhkmHUf250wyCdvZQv4CxZtnkbBczt1PyCe3FLSzQg==&9rXX=a0DtZFt
	PO#2005042020.exe	Get hash	malicious	Browse	www.ameri.loans/dt9v/?gHX8R=3f94lB&1b=43H5ZqapR2U2c+53UedyyCnf/tAQMSihskCSywJ+5iH1soBQckHw2KLaysybCXDa0Ipi
	Tvpsqjokvrkkjtpqmbrrbdjuamqgumvxld.exe	Get hash	malicious	Browse	www.midtransport.com/bsk9/?i2MTzj=e6Ad4DCXPNMpz&R6ALR=nGfZtT9z8NqeTucFxi+gOh3uBJjOp6VLDHhxDth/dQigt4sUKXTHk5a7oDAXiSxv27Tv
	shipping documents pdf.exe	Get hash	malicious	Browse	www.unitedold.com/h388/?tXPL5r6=HeOxd3fTK3emeSZhIcEHyZUbH5pi5uzRBKaOyXjbbuHI/gxjF5X3QotEpSoKmdp15nJu&3fVtLD=R62l7bm8DvSh1
	6WCqIIE3Lr.exe	Get hash	malicious	Browse	www.walkonhome.com/p1nr/?dF=7zqpjNgTocuQEZ/7cot9yzbg96wEePlUEUbJytYr6EKC6aCaKn2SKTFFomNTdBI7wi+f&3fd=t0DXgf78DRWhP
	Order600567.exe	Get hash	malicious	Browse	www.nyprfirm.com/dt9v/?9r=KpNyOXsodBFrYFoEJWESYJ8j+xdDddhLA6DxFp7h+PiJibU+kgoAhy+eZziY74LDARZk&yt=WN9pTDLhcH
	PYY74882220#.exe	Get hash	malicious	Browse	www.jayhoudontcy.com/uts2/?DJBpbT=eq1DVE9pIkM/j+XzQEEtVvuS45EQn6ChhwPxb1E+vp9zidYYg0/iq0gGrr3/IXwpgX+z&bPw0=RjQtV0Ip1lbh
	v8kZUFgdD4.exe	Get hash	malicious	Browse	www.ecofingers.com/dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx
164.68.104.58	wMqdemYyHm.exe	Get hash	malicious	Browse	www.ejsuniqueclasses.com/f0sg/?7n0lqHm=RD2tywN0qen0MznjTH5w58f8vni0uSDATZhtlh9xAz/QS3pDgsNhlBhKQDKwaal1DgGG&CP=chrxU

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
shops.myshopify.com	Nouveau bon de commande. 3007021_pdf.exe	Get hash	malicious	Browse	23.227.38.74
	Purchase Requirements.exe	Get hash	malicious	Browse	23.227.38.74
	Form_TT_EUR57,890.exe	Get hash	malicious	Browse	23.227.38.74
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	payment copy.exe	Get hash	malicious	Browse	23.227.38.74
	PO_0008.exe	Get hash	malicious	Browse	23.227.38.74
	i9Na8iof4G.exe	Get hash	malicious	Browse	23.227.38.74
	bin.exe	Get hash	malicious	Browse	23.227.38.74
	Payment For Invoice 321-1005703.exe	Get hash	malicious	Browse	23.227.38.74
	RYP-210712.xlsx	Get hash	malicious	Browse	23.227.38.74
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	23.227.38.74
	auhToVTQTs.exe	Get hash	malicious	Browse	23.227.38.74
	kKTeUAtiIP.exe	Get hash	malicious	Browse	23.227.38.74
	Invoice Amount 14980.exe	Get hash	malicious	Browse	23.227.38.74
	W7f.PDF.exe	Get hash	malicious	Browse	23.227.38.74
	Order Signed PEARLTECH contract and PO.exe	Get hash	malicious	Browse	23.227.38.74
	MR# RFx 21-2034021.exe	Get hash	malicious	Browse	23.227.38.74
	AWB & Shipping Tracking Details.exe	Get hash	malicious	Browse	23.227.38.74
	ORDER -RFQ#-TEOS1909061 40HC 21T05 DALIAN.doc	Get hash	malicious	Browse	23.227.38.74
	Nsda7LTM1x.exe	Get hash	malicious	Browse	23.227.38.74

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ILIGHT-NETUS	SARS_DOCUMENT - Copy.html	Get hash	malicious	Browse	152.228.223.13
	w4DEaimFEt	Get hash	malicious	Browse	199.13.204.199
	w4MaMzd0i1	Get hash	malicious	Browse	199.14.229.225
	Loader.exe	Get hash	malicious	Browse	152.228.150.198
	EM7kj9300x	Get hash	malicious	Browse	152.228.110.191
	MMrfxxpTLP	Get hash	malicious	Browse	137.114.114.119
	6HAisf3waN	Get hash	malicious	Browse	157.91.133.210
	c51w5YSYdO	Get hash	malicious	Browse	159.218.155.213
	u47x3rc20t	Get hash	malicious	Browse	159.218.253.86
	zhPAQB7FPV	Get hash	malicious	Browse	161.33.66.54
	BWG6npgduP	Get hash	malicious	Browse	199.13.163.48
	jEbpttXKCa	Get hash	malicious	Browse	159.218.253.96
	0aC0TBcdxb	Get hash	malicious	Browse	152.228.110.163
	#Ud83d#Udd0ajs_msg_ 3pm.html	Get hash	malicious	Browse	152.228.223.13
	#Ud83d#Udd0aMsg_ 3pm.html	Get hash	malicious	Browse	152.228.223.13
	INV_RECON_72919_81821.html	Get hash	malicious	Browse	152.228.223.13
	__-joerg.mathieu.htm	Get hash	malicious	Browse	152.228.223.13
	KHv0I3XdY6.exe	Get hash	malicious	Browse	152.228.150.198
	sample_payment.html	Get hash	malicious	Browse	152.228.223.13
	Injector.exe	Get hash	malicious	Browse	152.228.150.205
AMAZON-02US	ctapp_230720_b1nt12.zip	Get hash	malicious	Browse	54.70.175.13
	Dosusign_Na_Sign.htm	Get hash	malicious	Browse	54.200.233.179
	document.xlsm	Get hash	malicious	Browse	65.9.71.95
	document.xlsm	Get hash	malicious	Browse	65.9.71.119
	InNXA1LFMy	Get hash	malicious	Browse	52.24.2.19
	Z06maMhQlw.exe	Get hash	malicious	Browse	104.192.141.1
	OJYNvmFRjr	Get hash	malicious	Browse	54.117.189.7
	AEOjFHGJAr	Get hash	malicious	Browse	44.246.15.55
	oustanding 03082921.xlsx	Get hash	malicious	Browse	13.229.216.142
	1ashnfHZve.exe	Get hash	malicious	Browse	54.94.248.37
	U2AHuu893x.exe	Get hash	malicious	Browse	54.94.248.37
	w7DRtI5vjJ	Get hash	malicious	Browse	34.221.177.96
	xl2TVqLo6S	Get hash	malicious	Browse	13.50.207.75
	Form_TT_EUR57,890.exe	Get hash	malicious	Browse	52.58.78.16
	Amaury.vanvinckenroye-AudioMessage_520498.htm	Get hash	malicious	Browse	13.224.96.22
	INV NO-1820000514 USD 270,294.pdf.exe	Get hash	malicious	Browse	13.233.152.221
	CyLELjM5zk.exe	Get hash	malicious	Browse	52.219.8.114
	gunzipped.exe	Get hash	malicious	Browse	3.142.167.4
	NEW ORDER.xlsx	Get hash	malicious	Browse	52.58.78.16
	Click_me_to_install_SnapTube_tube_apkpure_dl.apk	Get hash	malicious	Browse	52.222.158.105

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1527685601415545
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mvui1vY6Mo.exe
File size:	367359
MD5:	059b1244ac9fda54de086692db4b5a08
SHA1:	6e5f6326bd9da7e5d9c70b3e4491d308eb7f842b
SHA256:	abb29be2c1eccd851bdb99b126e822a8cf0f57be95e9b71a921aa703b2c285be
SHA512:	513dabdcc13cd81b8be8cf9076862c5f0418d267ed7f6d9e1b7f008aa2f5cb7928ad8fc8a41b69a872d516f771098bd1d83eca86b9dd61b49332527d43e8427f
SSDEEP:	6144:GCeJWu3gGB7g1TaqXp/bTLwlLGX7lQtbzRuYqCRxPi4f+99:uWcgGCTaqXhKLGEvRrnm99
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T7`=.V.n.V.n.V.n...n.V.n...njV.n...n.V.n+..o.V.n+..o.V.n+..o.V.n...n.V.n.V.nmV.n...o.V.n...n.V.n.V.n.V.n...o.V.nRich.V.n.......

File Icon


Icon Hash:	16232b2b33313300

Static PE Info

General
Entrypoint:	0x401226
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x610728B8 [Sun Aug 1 23:05:28 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	589aee860f84814af33b4e1068b97d01

Entrypoint Preview

Instruction
call 00007F8888C3355Fh
jmp 00007F8888C33163h
push ebp
mov ebp, esp
mov eax, dword ptr [00414018h]
and eax, 1Fh
push 00000020h
pop ecx
sub ecx, eax
mov eax, dword ptr [ebp+08h]
ror eax, cl
xor eax, dword ptr [00414018h]
pop ebp
ret
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
push esi
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
movzx eax, word ptr [ecx+14h]
lea edx, dword ptr [ecx+18h]
add edx, eax
movzx eax, word ptr [ecx+06h]
imul esi, eax, 28h
add esi, edx
cmp edx, esi
je 00007F8888C332EBh
mov ecx, dword ptr [ebp+0Ch]
cmp ecx, dword ptr [edx+0Ch]
jc 00007F8888C332DCh
mov eax, dword ptr [edx+08h]
add eax, dword ptr [edx+0Ch]
cmp ecx, eax
jc 00007F8888C332DEh
add edx, 28h
cmp edx, esi
jne 00007F8888C332BCh
xor eax, eax
pop esi
pop ebp
ret
mov eax, edx
jmp 00007F8888C332CBh
call 00007F8888C33A04h
test eax, eax
jne 00007F8888C332D5h
xor al, al
ret
mov eax, dword ptr fs:[00000018h]
push esi
mov esi, 00414E24h
mov edx, dword ptr [eax+04h]
jmp 00007F8888C332D6h
cmp edx, eax
je 00007F8888C332E2h
xor eax, eax
mov ecx, edx
lock cmpxchg dword ptr [esi], ecx
test eax, eax
jne 00007F8888C332C2h
xor al, al
pop esi
ret
mov al, 01h
pop esi
ret
push ebp
mov ebp, esp
cmp dword ptr [ebp+08h], 00000000h
jne 00007F8888C332D9h
mov byte ptr [00414E40h], 00000001h
call 00007F8888C33825h
call 00007F8888C33CABh
test al, al
jne 00007F8888C332D6h
xor al, al
pop ebp
ret
call 00007F8888C35585h

Rich Headers

Programming Language:

[LNK] VS2015 UPD3.1 build 24215
[RES] VS2015 UPD3 build 24213

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1318c	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0xeb38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x26000	0x107c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12a30	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x12a88	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xe000	0x1a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xc727	0xc800	False	0.55521484375	data	6.58406005162	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0xe000	0x5ac6	0x5c00	False	0.422299592391	data	4.93015425606	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x14000	0x19c8	0x1000	False	0.313232421875	DOS executable (block device driver \277DN)	3.41532208548	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.gfids	0x16000	0xac	0x200	False	0.28125	data	1.44064934011	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0xeb38	0xec00	False	0.0876423463983	data	1.8711448419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x26000	0x107c	0x1200	False	0.769097222222	data	6.36802237044	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x170f0	0xe8ac	data	English	United States
RT_GROUP_ICON	0x259a0	0x14	data	English	United States
RT_MANIFEST	0x259b8	0x17d	XML 1.0 document text	English	United States

Imports

DLL	Import
KERNEL32.dll	SetStdHandle, GetFileType, GetStringTypeW, GetProcessHeap, HeapSize, FlushFileBuffers, GetConsoleCP, GetConsoleMode, SetFilePointerEx, WriteConsoleW, DecodePointer, VirtualProtect, CloseHandle, EnumLanguageGroupLocalesW, CreateFileW, LCMapStringW, WriteFile, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, IsProcessorFeaturePresent, GetModuleHandleW, GetCurrentProcess, TerminateProcess, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, GetModuleFileNameW, MultiByteToWideChar, WideCharToMultiByte, ExitProcess, GetModuleHandleExW, GetACP, HeapFree, HeapAlloc, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, RaiseException
USER32.dll	GetMessageW, DefWindowProcW, DestroyWindow, DispatchMessageW, TranslateMessage, LoadCursorW, GetClientRect, PostQuitMessage, InvalidateRect, BeginPaint, EndPaint, CreateWindowExW, RegisterClassExW, RegisterClassW, SetMenu, AppendMenuW, GetSysColorBrush, CreateMenu, GetDC, ReleaseDC
GDI32.dll	CreateCompatibleBitmap, CreateCompatibleDC, SetBkColor, SetROP2, ExtTextOutW, GetStockObject, SelectObject, SetPixel, ExtFloodFill, GetDIBits, GetPixel, GetObjectW, DeleteObject, CreateSolidBrush, BitBlt
COMDLG32.dll	ChooseColorW, GetOpenFileNameW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/03/21-22:19:24.418538	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.4	164.68.104.58
08/03/21-22:19:24.418538	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.4	164.68.104.58
08/03/21-22:19:24.418538	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.4	164.68.104.58
08/03/21-22:20:17.186369	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49760	23.227.38.74	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 22:19:24.390264034 CEST	49747	80	192.168.2.4	164.68.104.58
Aug 3, 2021 22:19:24.418199062 CEST	80	49747	164.68.104.58	192.168.2.4
Aug 3, 2021 22:19:24.418390036 CEST	49747	80	192.168.2.4	164.68.104.58
Aug 3, 2021 22:19:24.418538094 CEST	49747	80	192.168.2.4	164.68.104.58
Aug 3, 2021 22:19:24.449351072 CEST	80	49747	164.68.104.58	192.168.2.4
Aug 3, 2021 22:19:24.652371883 CEST	80	49747	164.68.104.58	192.168.2.4
Aug 3, 2021 22:19:24.652398109 CEST	80	49747	164.68.104.58	192.168.2.4
Aug 3, 2021 22:19:24.652532101 CEST	49747	80	192.168.2.4	164.68.104.58
Aug 3, 2021 22:19:24.652604103 CEST	49747	80	192.168.2.4	164.68.104.58
Aug 3, 2021 22:19:24.680361986 CEST	80	49747	164.68.104.58	192.168.2.4
Aug 3, 2021 22:19:29.706634998 CEST	49748	80	192.168.2.4	52.58.78.16
Aug 3, 2021 22:19:29.724163055 CEST	80	49748	52.58.78.16	192.168.2.4
Aug 3, 2021 22:19:29.724359989 CEST	49748	80	192.168.2.4	52.58.78.16
Aug 3, 2021 22:19:29.724525928 CEST	49748	80	192.168.2.4	52.58.78.16
Aug 3, 2021 22:19:29.741926908 CEST	80	49748	52.58.78.16	192.168.2.4
Aug 3, 2021 22:19:29.741950989 CEST	80	49748	52.58.78.16	192.168.2.4
Aug 3, 2021 22:19:29.741966009 CEST	80	49748	52.58.78.16	192.168.2.4
Aug 3, 2021 22:19:29.742088079 CEST	49748	80	192.168.2.4	52.58.78.16
Aug 3, 2021 22:19:29.742151976 CEST	49748	80	192.168.2.4	52.58.78.16
Aug 3, 2021 22:19:29.759646893 CEST	80	49748	52.58.78.16	192.168.2.4
Aug 3, 2021 22:19:34.796736956 CEST	49754	80	192.168.2.4	163.123.204.26
Aug 3, 2021 22:19:34.934947968 CEST	80	49754	163.123.204.26	192.168.2.4
Aug 3, 2021 22:19:34.935086012 CEST	49754	80	192.168.2.4	163.123.204.26
Aug 3, 2021 22:19:34.935245991 CEST	49754	80	192.168.2.4	163.123.204.26
Aug 3, 2021 22:19:35.073268890 CEST	80	49754	163.123.204.26	192.168.2.4
Aug 3, 2021 22:19:35.076021910 CEST	80	49754	163.123.204.26	192.168.2.4
Aug 3, 2021 22:19:35.076055050 CEST	80	49754	163.123.204.26	192.168.2.4
Aug 3, 2021 22:19:35.076257944 CEST	49754	80	192.168.2.4	163.123.204.26
Aug 3, 2021 22:19:35.076282024 CEST	49754	80	192.168.2.4	163.123.204.26
Aug 3, 2021 22:19:35.214565992 CEST	80	49754	163.123.204.26	192.168.2.4
Aug 3, 2021 22:19:40.149452925 CEST	49755	80	192.168.2.4	198.74.106.237
Aug 3, 2021 22:19:40.323643923 CEST	80	49755	198.74.106.237	192.168.2.4
Aug 3, 2021 22:19:40.323803902 CEST	49755	80	192.168.2.4	198.74.106.237
Aug 3, 2021 22:19:40.323954105 CEST	49755	80	192.168.2.4	198.74.106.237
Aug 3, 2021 22:19:40.497961998 CEST	80	49755	198.74.106.237	192.168.2.4
Aug 3, 2021 22:19:40.547720909 CEST	80	49755	198.74.106.237	192.168.2.4
Aug 3, 2021 22:19:40.547755003 CEST	80	49755	198.74.106.237	192.168.2.4
Aug 3, 2021 22:19:40.547775030 CEST	80	49755	198.74.106.237	192.168.2.4
Aug 3, 2021 22:19:40.547797918 CEST	80	49755	198.74.106.237	192.168.2.4
Aug 3, 2021 22:19:40.547816038 CEST	80	49755	198.74.106.237	192.168.2.4
Aug 3, 2021 22:19:40.547830105 CEST	80	49755	198.74.106.237	192.168.2.4
Aug 3, 2021 22:19:40.547919035 CEST	49755	80	192.168.2.4	198.74.106.237
Aug 3, 2021 22:19:40.548029900 CEST	49755	80	192.168.2.4	198.74.106.237
Aug 3, 2021 22:19:40.548136950 CEST	49755	80	192.168.2.4	198.74.106.237
Aug 3, 2021 22:19:40.723388910 CEST	80	49755	198.74.106.237	192.168.2.4
Aug 3, 2021 22:19:45.980710030 CEST	49756	80	192.168.2.4	103.88.34.80
Aug 3, 2021 22:19:48.990536928 CEST	49756	80	192.168.2.4	103.88.34.80
Aug 3, 2021 22:19:55.006757021 CEST	49756	80	192.168.2.4	103.88.34.80
Aug 3, 2021 22:20:08.798780918 CEST	49759	80	192.168.2.4	103.88.34.80
Aug 3, 2021 22:20:11.804847002 CEST	49759	80	192.168.2.4	103.88.34.80
Aug 3, 2021 22:20:17.805396080 CEST	49759	80	192.168.2.4	103.88.34.80

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 3, 2021 22:18:02.405987024 CEST	53	49714	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:02.449356079 CEST	58028	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:02.476893902 CEST	53	58028	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:03.138885021 CEST	53097	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:03.171201944 CEST	53	53097	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:03.955722094 CEST	49257	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:03.991257906 CEST	53	49257	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:04.248619080 CEST	62389	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:04.286288977 CEST	53	62389	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:04.579786062 CEST	49910	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:04.604487896 CEST	53	49910	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:05.596151114 CEST	55854	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:05.624344110 CEST	53	55854	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:06.369427919 CEST	64549	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:06.396821022 CEST	53	64549	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:07.410661936 CEST	63153	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:07.438966990 CEST	53	63153	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:08.119298935 CEST	52991	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:08.144279957 CEST	53	52991	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:08.962778091 CEST	53700	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:08.988687992 CEST	53	53700	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:10.738295078 CEST	51726	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:10.763365030 CEST	53	51726	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:11.391449928 CEST	56794	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:11.418932915 CEST	53	56794	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:12.993232012 CEST	56534	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:13.025767088 CEST	53	56534	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:15.728723049 CEST	56627	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:15.763833046 CEST	53	56627	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:16.562700987 CEST	56621	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:16.587393999 CEST	53	56621	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:18.197205067 CEST	63116	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:18.232480049 CEST	53	63116	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:19.041738033 CEST	64078	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:19.069494009 CEST	53	64078	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:19.759186983 CEST	64801	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:19.784358978 CEST	53	64801	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:20.471590042 CEST	61721	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:20.500682116 CEST	53	61721	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:38.410734892 CEST	51255	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:38.452064991 CEST	53	51255	8.8.8.8	192.168.2.4
Aug 3, 2021 22:18:57.129854918 CEST	61522	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:18:57.165270090 CEST	53	61522	8.8.8.8	192.168.2.4
Aug 3, 2021 22:19:22.344090939 CEST	52337	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:19:22.389576912 CEST	53	52337	8.8.8.8	192.168.2.4
Aug 3, 2021 22:19:24.335433006 CEST	55046	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:19:24.385238886 CEST	53	55046	8.8.8.8	192.168.2.4
Aug 3, 2021 22:19:29.665224075 CEST	49612	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:19:29.705188990 CEST	53	49612	8.8.8.8	192.168.2.4
Aug 3, 2021 22:19:31.378773928 CEST	49285	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:19:31.414267063 CEST	53	49285	8.8.8.8	192.168.2.4
Aug 3, 2021 22:19:34.758735895 CEST	50601	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:19:34.795322895 CEST	53	50601	8.8.8.8	192.168.2.4
Aug 3, 2021 22:19:40.112061024 CEST	60875	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:19:40.148045063 CEST	53	60875	8.8.8.8	192.168.2.4
Aug 3, 2021 22:19:45.557126045 CEST	56448	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:19:45.978787899 CEST	53	56448	8.8.8.8	192.168.2.4
Aug 3, 2021 22:19:57.383922100 CEST	59172	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:19:57.420855045 CEST	53	59172	8.8.8.8	192.168.2.4
Aug 3, 2021 22:19:58.751995087 CEST	62420	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:19:58.800821066 CEST	53	62420	8.8.8.8	192.168.2.4
Aug 3, 2021 22:20:08.440460920 CEST	60579	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:20:08.782097101 CEST	53	60579	8.8.8.8	192.168.2.4
Aug 3, 2021 22:20:17.044122934 CEST	50183	53	192.168.2.4	8.8.8.8
Aug 3, 2021 22:20:17.088299990 CEST	53	50183	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 3, 2021 22:19:24.335433006 CEST	192.168.2.4	8.8.8.8	0xec26	Standard query (0)	www.ejsuniqueclasses.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:19:29.665224075 CEST	192.168.2.4	8.8.8.8	0x749f	Standard query (0)	www.healthpragency.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:19:34.758735895 CEST	192.168.2.4	8.8.8.8	0x1331	Standard query (0)	www.circusocks.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:19:40.112061024 CEST	192.168.2.4	8.8.8.8	0x7a36	Standard query (0)	www.466se.com	A (IP address)	IN (0x0001)
Aug 3, 2021 22:19:45.557126045 CEST	192.168.2.4	8.8.8.8	0x74b5	Standard query (0)	www.856380062.xyz	A (IP address)	IN (0x0001)
Aug 3, 2021 22:20:08.440460920 CEST	192.168.2.4	8.8.8.8	0x915	Standard query (0)	www.856380062.xyz	A (IP address)	IN (0x0001)
Aug 3, 2021 22:20:17.044122934 CEST	192.168.2.4	8.8.8.8	0xb21e	Standard query (0)	www.comparaca.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 3, 2021 22:19:24.385238886 CEST	8.8.8.8	192.168.2.4	0xec26	No error (0)	www.ejsuniqueclasses.com	ejsuniqueclasses.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 22:19:24.385238886 CEST	8.8.8.8	192.168.2.4	0xec26	No error (0)	ejsuniqueclasses.com		164.68.104.58	A (IP address)	IN (0x0001)
Aug 3, 2021 22:19:29.705188990 CEST	8.8.8.8	192.168.2.4	0x749f	No error (0)	www.healthpragency.com		52.58.78.16	A (IP address)	IN (0x0001)
Aug 3, 2021 22:19:34.795322895 CEST	8.8.8.8	192.168.2.4	0x1331	No error (0)	www.circusocks.com	circusocks.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 22:19:34.795322895 CEST	8.8.8.8	192.168.2.4	0x1331	No error (0)	circusocks.com		163.123.204.26	A (IP address)	IN (0x0001)
Aug 3, 2021 22:19:40.148045063 CEST	8.8.8.8	192.168.2.4	0x7a36	No error (0)	www.466se.com		198.74.106.237	A (IP address)	IN (0x0001)
Aug 3, 2021 22:19:45.978787899 CEST	8.8.8.8	192.168.2.4	0x74b5	No error (0)	www.856380062.xyz		103.88.34.80	A (IP address)	IN (0x0001)
Aug 3, 2021 22:20:08.782097101 CEST	8.8.8.8	192.168.2.4	0x915	No error (0)	www.856380062.xyz		103.88.34.80	A (IP address)	IN (0x0001)
Aug 3, 2021 22:20:17.088299990 CEST	8.8.8.8	192.168.2.4	0xb21e	No error (0)	www.comparaca.com	comparaca.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 22:20:17.088299990 CEST	8.8.8.8	192.168.2.4	0xb21e	No error (0)	comparaca.myshopify.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)
Aug 3, 2021 22:20:17.088299990 CEST	8.8.8.8	192.168.2.4	0xb21e	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.ejsuniqueclasses.com

www.healthpragency.com

www.circusocks.com

www.466se.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49747	164.68.104.58	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 22:19:24.418538094 CEST	1218	OUT	GET /ehp9/?zZbXur=fPkLdxO&0vrPA=8c/5QoMWiMUW3SjDqDOgvqNfypt6IHckOwJjeT/c3u4BTCnBI4ecsnyb0a1UBRXLCY1T HTTP/1.1 Host: www.ejsuniqueclasses.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 22:19:24.652371883 CEST	1219	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 03 Aug 2021 20:19:24 GMT Server: Apache Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://ejsuniqueclasses.com/ehp9/?zZbXur=fPkLdxO&0vrPA=8c/5QoMWiMUW3SjDqDOgvqNfypt6IHckOwJjeT/c3u4BTCnBI4ecsnyb0a1UBRXLCY1T Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49748	52.58.78.16	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 22:19:29.724525928 CEST	1220	OUT	GET /ehp9/?0vrPA=5Xsjz7+Z5WLh89j81EYl3Aroso+z/qN2CpRl0IKGrQQKTktOwLuaqldWAZoOLzUBzR5Q&zZbXur=fPkLdxO HTTP/1.1 Host: www.healthpragency.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 22:19:29.741950989 CEST	1220	IN	HTTP/1.1 410 Gone Server: openresty Date: Tue, 03 Aug 2021 20:19:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 37 0d 0a 3c 68 74 6d 6c 3e 0a 0d 0a 39 0d 0a 20 20 3c 68 65 61 64 3e 0a 0d 0a 35 32 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 72 65 66 72 65 73 68 27 20 63 6f 6e 74 65 6e 74 3d 27 35 3b 20 75 72 6c 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 68 65 61 6c 74 68 70 72 61 67 65 6e 63 79 2e 63 6f 6d 2f 27 20 2f 3e 0a 0d 0a 61 0d 0a 20 20 3c 2f 68 65 61 64 3e 0a 0d 0a 39 0d 0a 20 20 3c 62 6f 64 79 3e 0a 0d 0a 33 65 0d 0a 20 20 20 20 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 72 65 64 69 72 65 63 74 65 64 20 74 6f 20 68 74 74 70 3a 2f 2f 77 77 77 2e 68 65 61 6c 74 68 70 72 61 67 65 6e 63 79 2e 63 6f 6d 0a 0d 0a 61 0d 0a 20 20 3c 2f 62 6f 64 79 3e 0a 0d 0a 38 0d 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 7<html>9 <head>52 <meta http-equiv='refresh' content='5; url=http://www.healthpragency.com/' />a </head>9 <body>3e You are being redirected to http://www.healthpragency.coma </body>8</html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49754	163.123.204.26	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 22:19:34.935245991 CEST	4475	OUT	GET /ehp9/?zZbXur=fPkLdxO&0vrPA=oRr9ZXza/sqKFb1a4cLVquMpSAfNXH/ZGOEKtA079HuOHtafooLLPyAXrAQLja/+16Ky HTTP/1.1 Host: www.circusocks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 22:19:35.076021910 CEST	4476	IN	HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 03 Aug 2021 20:19:35 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 196 Connection: close X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49755	198.74.106.237	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Aug 3, 2021 22:19:40.323954105 CEST	4476	OUT	GET /ehp9/?0vrPA=UsPTfcJ0BZ5q3mR+pFMXthX3126RUWmODdEpc4rh++F4qt19VniXLc7dOQb8qNRTbKnv&zZbXur=fPkLdxO HTTP/1.1 Host: www.466se.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Aug 3, 2021 22:19:40.547720909 CEST	4478	IN	HTTP/1.1 404 Not Found Server: nginx Date: Tue, 03 Aug 2021 20:01:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Data Raw: 31 63 31 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 31 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 32 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 70 78 20 30 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 33 2e 73 75 62 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 70 78 20 30 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 68 33 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 32 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 36 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 61 62 62 72 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 75 72 73 6f 72 3a 20 68 65 6c 70 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d Data Ascii: 1c1f<!DOCTYPE html><html><head> <meta charset="UTF-8"> <title>System Error</title> <meta name="robots" content="noindex,nofollow" /> <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> <style> /* Base */ body { color: #333; font: 14px Verdana, "Helvetica Neue", helvetica, Arial, 'Microsoft YaHei', sans-serif; margin: 0; padding: 0 20px 20px; word-break: break-word; } h1{ margin: 10px 0 0; font-size: 28px; font-weight: 500; line-height: 32px; } h2{ color: #4288ce; font-weight: 400; padding: 6px 0; margin: 6px 0 0; font-size: 18px; border-bottom: 1px solid #eee; } h3.subheading { color: #4288ce; margin: 6px 0 0; font-weight: 400; } h3{ margin: 12px; font-size: 16px; font-weight: bold; } abbr{ cursor: help; text-

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: mvui1vY6Mo.exe PID: 6656 Parent PID: 5764

General

Start time:	22:18:09
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\mvui1vY6Mo.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Imagebase:	0x2f0000
File size:	367359 bytes
MD5 hash:	059B1244AC9FDA54DE086692DB4B5A08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.660274297.0000000002EB0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: mvui1vY6Mo.exe PID: 6704 Parent PID: 6656

General

Start time:	22:18:10
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\mvui1vY6Mo.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Imagebase:	0x2f0000
File size:	367359 bytes
MD5 hash:	059B1244AC9FDA54DE086692DB4B5A08
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.745894672.0000000001B70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.745860975.0000000001B40000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.744663875.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Analysis Process: explorer.exe PID: 3424 Parent PID: 6704

General

Start time:	22:18:15
Start date:	03/08/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmmon32.exe PID: 6336 Parent PID: 6704

General

Start time:	22:18:52
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmmon32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmmon32.exe
Imagebase:	0x1250000
File size:	36864 bytes
MD5 hash:	2879B30A164B9F7671B5E6B2E9F8DFDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.915140274.0000000000B70000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.915098041.0000000000B10000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.914915179.00000000008A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 6380 Parent PID: 6336

General

Start time:	22:18:54
Start date:	03/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\mvui1vY6Mo.exe'
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 6400 Parent PID: 6380

General

Start time:	22:18:54
Start date:	03/08/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report mvui1vY6Mo

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries