Windows Analysis Report MGoJ7XfFzA

Overview

General Information

Sample Name: MGoJ7XfFzA (renamed file extension from none to exe)
Analysis ID: 448831
MD5: 4d80ba34b2d38dd92c36bb9b2057f890
SHA1: f2bc31f7b0420b2ebe02f577837e855b2678e949
SHA256: e96f510044e2be6e588df6baf04b49ee09a0b96404e79623cafba8465c4e24a8
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection:

Found malware configuration
Source: 0000000D.00000002.514835894.0000000000E40000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.inspiredpractice.net/csls/"], "decoy": ["jizengzaoshu.com", "ponpesnurululum.com", "tendoncomfort.com", "m3gallery.net", "mobiledisco.tel", "blackroseboxers.com", "invout.com", "cubskw.com", "hbpro2.com", "ninkatsu-stepbystep.com", "eximportadora.com", "minimizestudentdebt.com", "loveonfloor.com", "bellaspetwear.com", "ramandakamarga.com", "refundoftaxsurplus.com", "gkminimart.com", "scottlobadii.com", "maraging-trade.com", "coachgregclink.com", "lprun.com", "procrafthomesolutions.com", "decorhomestyle.info", "equestriatales.online", "smartscienceeu.com", "checkaa.com", "wii2review20.club", "danielandtanyaswedding.com", "delkim.online", "bettereveryquarter.com", "skellingtonparanormal.com", "emailmagic.online", "borderlesstrade.info", "szbhbbs.com", "emilymawer.com", "roadtoyourcity.com", "esogeo.com", "erubysboutique.com", "zookiescoffee.com", "ultimatesoftwaretesting.com", "ojniche.com", "nia-now.com", "mirabalgroup.com", "wpfco.com", "studioonone.com", "section6racing.com", "grainsleys.com", "dl521v.com", "ghostgraphicphoto.com", "w4d-8u86x.net", "hack-cloud.icu", "goodtimesskateshop.com", "acoustic42.com", "vibeprintcompany.com", "fisticuffstattoos.com", "hollisterrebajas.com", "areyouokryk.com", "darwinesssay.com", "gealevati.com", "fussycrew.com", "freivavna.com", "v-mapcorporation.com", "aslanperu.com", "cenfoxy.com"]}
Yara detected FormBook
Source: Yara match File source: 2.2.MGoJ7XfFzA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MGoJ7XfFzA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.514835894.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332334332.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.514535940.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332270155.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.509680725.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.331373793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262180459.0000000004089000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: MGoJ7XfFzA.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.MGoJ7XfFzA.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.cmmon32.exe.4baf834.4.unpack Avira: Label: TR/ATRAPS.Gen5

Compliance:

Uses 32bit PE files
Source: MGoJ7XfFzA.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: MGoJ7XfFzA.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: MGoJ7XfFzA.exe, 00000002.00000002.332180437.00000000012E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.296521434.000000000E180000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: MGoJ7XfFzA.exe, 00000002.00000002.332180437.00000000012E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: MGoJ7XfFzA.exe, 00000002.00000002.332480761.0000000001640000.00000040.00000001.sdmp, cmmon32.exe, 0000000D.00000002.515909983.0000000004680000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: MGoJ7XfFzA.exe, 00000002.00000002.332480761.0000000001640000.00000040.00000001.sdmp, cmmon32.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.296521434.000000000E180000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 4x nop then pop ebx 2_2_00407AFF
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 4x nop then pop edi 2_2_0040E446
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 4x nop then pop edi 2_2_00417D68
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop ebx 13_2_00607AFF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 13_2_0060E446
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 13_2_00617D68

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.inspiredpractice.net/csls/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /csls/?4hEp3=5jOTrpsh4f&TF=Bw0tng6Txqvt50irwndWij3VFW/axM5Oqr/32SulX3hoPWAUYVOGcLCMkn+lfNh5wYKHhf7w6A== HTTP/1.1
Host: www.danielandtanyaswedding.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Source: global traffic HTTP traffic detected: GET /csls/?TF=AA0fyBWZEga4qdBKI0jA8QbX+M95wQKAQ1mAilVom1Vuw05GTURTt5L/csoETBCAz87VsV938g==&4hEp3=5jOTrpsh4f HTTP/1.1
Host: www.inspiredpractice.net
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 160.153.136.3
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE
Source: unknown DNS traffic detected: queries for: www.danielandtanyaswedding.com
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: MGoJ7XfFzA.exe, 00000000.00000002.259550640.0000000003081000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.285649641.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.294642551.000000000BE76000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://cdn.segment.com/analytics.js/v1/
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://cdn.segment.com/v1/projects/
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/1a315c15a13fed08c83a7623d996d48e437839
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/29107295.9bfd529e3423c89519ae.js
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/8e131c8851dfc0e2121930b9e0443eadd3e2b4
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/b5d9182fe27958a87aeb8cde66a6d0f7ed6e8b
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/commons.e8825c204e22661c36e1.js
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/framework.92982bd08c20a57f256c.js
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/main-6cf424dc656e4cce3a97.js
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/pages/%5BpathPrefix%5D/%5Bslug%5D/%5B%
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/pages/_app-51e404d2a46892f63a7e.js
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/chunks/webpack-7675728062cc2e40daca.js
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://static.theknot.com/wws-guest-view/_next/static/pages/_app.f3a493ad7cd1be131c9c.css
Source: cmmon32.exe, 0000000D.00000002.518405162.000000000509F000.00000004.00000001.sdmp String found in binary or memory: https://www.theknot.com/us/tanya-singh-and-daniel-johansson-sep-2020

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 2.2.MGoJ7XfFzA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MGoJ7XfFzA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.514835894.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332334332.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.514535940.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332270155.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.509680725.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.331373793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262180459.0000000004089000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.MGoJ7XfFzA.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.MGoJ7XfFzA.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.MGoJ7XfFzA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.MGoJ7XfFzA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.514835894.0000000000E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.514835894.0000000000E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.332334332.00000000015B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.332334332.00000000015B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.514535940.0000000000E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.514535940.0000000000E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.332270155.0000000001580000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.332270155.0000000001580000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.509680725.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.509680725.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.331373793.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.331373793.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.262180459.0000000004089000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.262180459.0000000004089000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: MGoJ7XfFzA.exe, Account.cs Long String: Length: 76338
Source: 0.2.MGoJ7XfFzA.exe.cd0000.0.unpack, Account.cs Long String: Length: 76338
Source: 0.0.MGoJ7XfFzA.exe.cd0000.0.unpack, Account.cs Long String: Length: 76338
Source: 2.2.MGoJ7XfFzA.exe.bf0000.1.unpack, Account.cs Long String: Length: 76338
Source: 2.0.MGoJ7XfFzA.exe.bf0000.0.unpack, Account.cs Long String: Length: 76338
Contains functionality to call native functions
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00419D60 NtCreateFile, 2_2_00419D60
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00419E10 NtReadFile, 2_2_00419E10
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00419E90 NtClose, 2_2_00419E90
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00419F40 NtAllocateVirtualMemory, 2_2_00419F40
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00419D1A NtCreateFile, 2_2_00419D1A
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00419E0A NtReadFile, 2_2_00419E0A
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00419E8B NtClose, 2_2_00419E8B
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00419F3A NtAllocateVirtualMemory, 2_2_00419F3A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_046E9860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9840 NtDelayExecution,LdrInitializeThunk, 13_2_046E9840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9540 NtReadFile,LdrInitializeThunk, 13_2_046E9540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_046E9910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E95D0 NtClose,LdrInitializeThunk, 13_2_046E95D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E99A0 NtCreateSection,LdrInitializeThunk, 13_2_046E99A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_046E9660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9650 NtQueryValueKey,LdrInitializeThunk, 13_2_046E9650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9A50 NtCreateFile,LdrInitializeThunk, 13_2_046E9A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_046E96E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E96D0 NtCreateKey,LdrInitializeThunk, 13_2_046E96D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9710 NtQueryInformationToken,LdrInitializeThunk, 13_2_046E9710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9FE0 NtCreateMutant,LdrInitializeThunk, 13_2_046E9FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9780 NtMapViewOfSection,LdrInitializeThunk, 13_2_046E9780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046EB040 NtSuspendThread, 13_2_046EB040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9820 NtEnumerateKey, 13_2_046E9820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E98F0 NtReadVirtualMemory, 13_2_046E98F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E98A0 NtWriteVirtualMemory, 13_2_046E98A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9560 NtWriteFile, 13_2_046E9560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9950 NtQueueApcThread, 13_2_046E9950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9520 NtWaitForSingleObject, 13_2_046E9520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046EAD30 NtSetContextThread, 13_2_046EAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E95F0 NtQueryInformationFile, 13_2_046E95F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E99D0 NtCreateProcessEx, 13_2_046E99D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9670 NtQueryInformationProcess, 13_2_046E9670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9A20 NtResumeThread, 13_2_046E9A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9A00 NtProtectVirtualMemory, 13_2_046E9A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9610 NtEnumerateValueKey, 13_2_046E9610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9A10 NtQuerySection, 13_2_046E9A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9A80 NtOpenDirectoryObject, 13_2_046E9A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9760 NtOpenProcess, 13_2_046E9760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9770 NtSetInformationFile, 13_2_046E9770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046EA770 NtOpenThread, 13_2_046EA770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9730 NtQueryVirtualMemory, 13_2_046E9730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E9B00 NtSetValueKey, 13_2_046E9B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046EA710 NtOpenProcessToken, 13_2_046EA710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E97A0 NtUnmapViewOfSection, 13_2_046E97A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046EA3B0 NtGetContextThread, 13_2_046EA3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00619D60 NtCreateFile, 13_2_00619D60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00619E10 NtReadFile, 13_2_00619E10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00619E90 NtClose, 13_2_00619E90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00619F40 NtAllocateVirtualMemory, 13_2_00619F40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00619D1A NtCreateFile, 13_2_00619D1A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00619E0A NtReadFile, 13_2_00619E0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00619E8B NtClose, 13_2_00619E8B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00619F3A NtAllocateVirtualMemory, 13_2_00619F3A
Detected potential crypto function
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 0_2_00CD5202 0_2_00CD5202
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 0_2_02E9C2B0 0_2_02E9C2B0
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041E1E4 2_2_0041E1E4
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041D189 2_2_0041D189
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041D514 2_2_0041D514
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041E5E1 2_2_0041E5E1
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041E5E4 2_2_0041E5E4
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00402D87 2_2_00402D87
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00409E40 2_2_00409E40
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00409E3B 2_2_00409E3B
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00BF5202 2_2_00BF5202
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04761002 13_2_04761002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B841F 13_2_046B841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D20A0 13_2_046D20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047720A8 13_2_047720A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046BB090 13_2_046BB090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04771D55 13_2_04771D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A0D20 13_2_046A0D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C4120 13_2_046C4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AF900 13_2_046AF900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04772D07 13_2_04772D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046BD5E0 13_2_046BD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D2581 13_2_046D2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C6E30 13_2_046C6E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04772EF7 13_2_04772EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04771FF1 13_2_04771FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DEBB0 13_2_046DEBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061E1E4 13_2_0061E1E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061E5E1 13_2_0061E5E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061E5E4 13_2_0061E5E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00602D87 13_2_00602D87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00602D90 13_2_00602D90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00609E40 13_2_00609E40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00609E3B 13_2_00609E3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00602FB0 13_2_00602FB0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 046AB150 appears 35 times
PE file contains strange resources
Source: MGoJ7XfFzA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: MGoJ7XfFzA.exe Binary or memory string: OriginalFilename vs MGoJ7XfFzA.exe
Source: MGoJ7XfFzA.exe, 00000000.00000002.268397215.0000000006280000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSinkProvider.dllB vs MGoJ7XfFzA.exe
Source: MGoJ7XfFzA.exe, 00000000.00000002.259628846.00000000030B0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTimeSpan.dll2 vs MGoJ7XfFzA.exe
Source: MGoJ7XfFzA.exe, 00000000.00000000.242030005.0000000000CD2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFieldMetada.exe8 vs MGoJ7XfFzA.exe
Source: MGoJ7XfFzA.exe Binary or memory string: OriginalFilename vs MGoJ7XfFzA.exe
Source: MGoJ7XfFzA.exe, 00000002.00000002.332200671.00000000012E9000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMMON32.exe` vs MGoJ7XfFzA.exe
Source: MGoJ7XfFzA.exe, 00000002.00000000.256714037.0000000000BF2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameFieldMetada.exe8 vs MGoJ7XfFzA.exe
Source: MGoJ7XfFzA.exe, 00000002.00000002.332888692.000000000175F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs MGoJ7XfFzA.exe
Source: MGoJ7XfFzA.exe Binary or memory string: OriginalFilenameFieldMetada.exe8 vs MGoJ7XfFzA.exe
Uses 32bit PE files
Source: MGoJ7XfFzA.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 2.2.MGoJ7XfFzA.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.MGoJ7XfFzA.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.MGoJ7XfFzA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.MGoJ7XfFzA.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.514835894.0000000000E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.514835894.0000000000E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.332334332.00000000015B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.332334332.00000000015B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.514535940.0000000000E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.514535940.0000000000E10000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.332270155.0000000001580000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.332270155.0000000001580000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.509680725.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.509680725.0000000000600000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.331373793.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.331373793.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.262180459.0000000004089000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.262180459.0000000004089000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: MGoJ7XfFzA.exe PID: 5928, type: MEMORY Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: MGoJ7XfFzA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@2/2
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MGoJ7XfFzA.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5780:120:WilError_01
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Users\user\Desktop\MGoJ7XfFzA.exe 'C:\Users\user\Desktop\MGoJ7XfFzA.exe'
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Process created: C:\Users\user\Desktop\MGoJ7XfFzA.exe C:\Users\user\Desktop\MGoJ7XfFzA.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MGoJ7XfFzA.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: MGoJ7XfFzA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: MGoJ7XfFzA.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
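The process chain recorded above (the sample starts a second copy of itself, explorer.exe starts C:\Windows\SysWOW64\cmmon32.exe with an empty command line, and cmmon32.exe runs cmd.exe /c del on the original file) is visible in ordinary process-creation telemetry. The following is an added example, not part of this report, of a lineage triage written against that chain. The events are constructed for the example in a Sysmon event 1 shape with made-up process IDs (only 5928 comes from the report); the three rules, their names and the correlation helper are the example's own, not a published detection.

```python
# Added example, not part of the sandbox report: lineage rules over process-
# creation events for the chain the report records. Events are constructed
# here in a Sysmon event 1 shape with made-up PIDs; rule names and the
# heuristics are the example's own.
from dataclasses import dataclass
from typing import List, Optional
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# cmd.exe /c del <file>, with or without quotes around the file name
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?)['"]?\s*$""", re.IGNORECASE)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _bare_invocation(e: ProcEvent) -> bool:
    """True when the command line is just the image path, with no arguments."""
    return e.cmdline.strip().strip('"').lower() == e.image.lower()


def analyze(events: List[ProcEvent]) -> List[Finding]:
    findings: List[Finding] = []
    for e in events:
        # Rule 1: a process starts a second copy of its own image. This is how the
        # .NET first stage obtains a suspended child to hollow out.
        if e.image.lower() == e.parent_image.lower():
            findings.append(Finding("self_respawn", e.pid, e.image))
        # Rule 2: explorer.exe starts a 32-bit system utility with no arguments.
        # explorer's children are normally user-launched applications; a bare
        # SysWOW64 binary is the injected stage picking a host for the next stage.
        if _base(e.parent_image) == "explorer.exe" and "\\syswow64\\" in e.image.lower() \
                and _bare_invocation(e):
            findings.append(Finding("explorer_spawns_bare_syswow64_binary", e.pid, e.image))
        # Rule 3: a binary under C:\Windows runs cmd.exe /c del on a file in a user
        # profile: the dropper being deleted once its payload lives elsewhere.
        if _base(e.image) == "cmd.exe" and e.parent_image.lower().startswith("c:\\windows\\"):
            m = DEL_RE.search(e.cmdline)
            if m and m.group("target").lower().startswith("c:\\users\\"):
                findings.append(Finding("system_binary_deletes_user_file", e.pid, m.group("target")))
    return findings


def dropper_of(findings: List[Finding], events: List[ProcEvent]) -> Optional[int]:
    """Correlate: the file deleted under rule 3 is the image of the process that
    started the chain; return that PID so the alert points at the original sample."""
    deleted = {f.detail.lower() for f in findings if f.rule == "system_binary_deletes_user_file"}
    for e in events:
        if e.image.lower() in deleted:
            return e.pid
    return None


# Constructed events (PIDs other than 5928 are made up), mirroring the chain in the report
SAMPLE_EVENTS = [
    ProcEvent(5928, 3060, r"C:\Users\user\Desktop\MGoJ7XfFzA.exe", r"C:\Windows\explorer.exe",
              r"'C:\Users\user\Desktop\MGoJ7XfFzA.exe'"),
    ProcEvent(6044, 5928, r"C:\Users\user\Desktop\MGoJ7XfFzA.exe", r"C:\Users\user\Desktop\MGoJ7XfFzA.exe",
              r"C:\Users\user\Desktop\MGoJ7XfFzA.exe"),
    ProcEvent(4100, 3060, r"C:\Windows\SysWOW64\cmmon32.exe", r"C:\Windows\explorer.exe",
              r"C:\Windows\SysWOW64\cmmon32.exe"),
    ProcEvent(4212, 4100, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmmon32.exe",
              r"/c del 'C:\Users\user\Desktop\MGoJ7XfFzA.exe'"),
    ProcEvent(4300, 4212, r"C:\Windows\System32\conhost.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # benign noise: a user opening a 32-bit editor from explorer, with an argument
    ProcEvent(4400, 3060, r"C:\Program Files (x86)\Notepad++\notepad++.exe", r"C:\Windows\explorer.exe",
              r'"C:\Program Files (x86)\Notepad++\notepad++.exe" C:\Users\user\notes.txt'),
]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule}: pid {f.pid} {f.detail}")
    print("dropper pid:", dropper_of(found, SAMPLE_EVENTS))
```

Rule 2 is deliberately narrow (SysWOW64 path plus an argument-free command line) so that explorer.exe launching a user's own 32-bit applications, as in the last constructed event, is not flagged.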
Source: Binary string: cmmon32.pdb source: MGoJ7XfFzA.exe, 00000002.00000002.332180437.00000000012E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.296521434.000000000E180000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: MGoJ7XfFzA.exe, 00000002.00000002.332180437.00000000012E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: MGoJ7XfFzA.exe, 00000002.00000002.332480761.0000000001640000.00000040.00000001.sdmp, cmmon32.exe, 0000000D.00000002.515909983.0000000004680000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: MGoJ7XfFzA.exe, 00000002.00000002.332480761.0000000001640000.00000040.00000001.sdmp, cmmon32.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.296521434.000000000E180000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 0_2_00CDEE67 pushad ; retf 0_2_00CDF2D9
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 0_2_00CDD0BB push es; iretd 0_2_00CDD0C8
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00417973 push FFFFFFAAh; ret 2_2_00417975
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00416B52 push dword ptr [edx-11h]; iretd 2_2_00416B65
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041DB87 push cs; ret 2_2_0041DB89
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0040E40A pushad ; retf 2_2_0040E40B
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041E437 push 8059C30Ah; ret 2_2_0041E458
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041CEB5 push eax; ret 2_2_0041CF08
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041CF6C push eax; ret 2_2_0041CF72
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041CF02 push eax; ret 2_2_0041CF08
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0041CF0B push eax; ret 2_2_0041CF72
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00BFD0BB push es; iretd 2_2_00BFD0C8
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00BFEE67 pushad ; retf 2_2_00BFF2D9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046FD0D1 push ecx; ret 13_2_046FD0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061D8BD push ebx; retf 13_2_0061D8BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00617973 push FFFFFFAAh; ret 13_2_00617975
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061D2FD pushad ; iretd 13_2_0061D300
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_00616B52 push dword ptr [edx-11h]; iretd 13_2_00616B65
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061DB87 push cs; ret 13_2_0061DB89
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061E437 push 8059C30Ah; ret 13_2_0061E458
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0060E40A pushad ; retf 13_2_0060E40B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061CEB5 push eax; ret 13_2_0061CF08
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061CF6C push eax; ret 13_2_0061CF72
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061CF02 push eax; ret 13_2_0061CF08
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0061CF0B push eax; ret 13_2_0061CF72
Source: initial sample Static PE information: section name: .text entropy: 7.46948510171
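The push/ret, push/retf and push/iretd pairs listed above are return-based jumps: the value pushed is consumed by the following return as a code address, so a disassembler that follows the fall-through path sees no branch. The following is an added example, not part of this report or of the sample, a Python scanner that finds such pairs in raw code bytes. Its input buffer is constructed for the example from the instruction forms the report lists (push 8059C30Ah; ret, push FFFFFFAAh; ret, push eax; ret, push cs; ret, pushad; retf, push es; iretd, push dword ptr [edx-11h]; iretd) with ordinary instructions between them; the encodings are standard x86, and the function and field names are the example's own.

```python
# Added example, not part of the sandbox report or the sample: a linear scanner
# for "push <something>; ret|retf|iretd" stubs, the pattern the report lists
# under "Uses code obfuscation techniques (call, push, ret)". A push followed
# directly by a return is a jump whose target comes from the stack, so a
# disassembler that follows the fall-through sees no branch.
from dataclasses import dataclass
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
# opcode -> (mnemonic, number of immediate bytes that follow)
PUSH_OPCODES = {
    **{0x50 + n: (f"push {REG32[n]}", 0) for n in range(8)},
    0x06: ("push es", 0), 0x0E: ("push cs", 0), 0x16: ("push ss", 0), 0x1E: ("push ds", 0),
    0x60: ("pushad", 0),
    0x68: ("push imm32", 4),
    0x6A: ("push imm8", 1),
}


@dataclass
class Stub:
    offset: int            # address of the push
    push: str              # decoded push form
    ret: str               # the return that consumes it
    length: int            # total bytes of push + return
    target: Optional[int]  # resolved only for push imm; ret (a direct jump)


def decode_push(buf: bytes, i: int) -> Optional[Tuple[str, int, Optional[int]]]:
    """Decode a push at buf[i]; returns (mnemonic, length, immediate-or-None)."""
    op = buf[i]
    if op in PUSH_OPCODES:
        mnem, imm_len = PUSH_OPCODES[op]
        if i + 1 + imm_len > len(buf):
            return None
        imm = None
        if imm_len == 4:
            imm = int.from_bytes(buf[i + 1:i + 5], "little")
        elif imm_len == 1:  # imm8 is sign-extended to 32 bits (6A AA -> push 0FFFFFFAAh)
            imm = int.from_bytes(buf[i + 1:i + 2], "little", signed=True) & 0xFFFFFFFF
        return mnem, 1 + imm_len, imm
    # FF /6 with mod=01: push dword ptr [reg+disp8], e.g. FF 72 EF = push [edx-11h]
    if op == 0xFF and i + 2 < len(buf):
        modrm = buf[i + 1]
        mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
        if reg == 6 and mod == 1 and rm != 4:  # rm=4 would need a SIB byte; skipped here
            disp = int.from_bytes(buf[i + 2:i + 3], "little", signed=True)
            return f"push dword ptr [{REG32[rm]}{disp:+#x}]", 3, None
    return None


def find_push_ret_stubs(buf: bytes, base: int = 0) -> List[Stub]:
    """Report every push that is immediately followed by ret, retf or iretd."""
    stubs: List[Stub] = []
    i = 0
    while i < len(buf):
        dec = decode_push(buf, i)
        if dec is not None:
            mnem, plen, imm = dec
            j = i + plen
            if j < len(buf) and buf[j] in RET_OPCODES:
                # push imm; ret (near) is the only form with a statically known target
                target = imm if imm is not None and buf[j] == 0xC3 else None
                stubs.append(Stub(base + i, mnem, RET_OPCODES[buf[j]], plen + 1, target))
                i = j + 1
                continue
        i += 1
    return stubs


def stubs_per_kib(buf: bytes) -> float:
    """Density heuristic: compiler output has essentially none of these stubs."""
    return len(find_push_ret_stubs(buf)) * 1024 / max(len(buf), 1)


# Constructed sample (not bytes from the sample): the report's listed forms with
# ordinary instructions (nop, xor eax,eax, mov eax,[ebp+8]) between them.
SAMPLE_CODE = bytes.fromhex(
    "90" "680AC35980C3" "33C0" "6AAAC3" "8B4508" "50C3" "0EC3" "60CB" "06CF" "FF72EFCF" "90"
)

if __name__ == "__main__":
    for s in find_push_ret_stubs(SAMPLE_CODE, base=0x400000):
        tgt = f" -> {s.target:#010x}" if s.target is not None else ""
        print(f"{s.offset:#010x}: {s.push}; {s.ret}{tgt}")
    print(f"density: {stubs_per_kib(SAMPLE_CODE):.1f} stubs/KiB")
```

Only push imm32; ret yields a static target (8059C30Ah in the report's case); the register, segment and memory forms resolve at run time, which is the point of the obfuscation. The scan is linear rather than a disassembly, so run it over the unpacked .text section and treat a high density, not a single hit, as the signal.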

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE5
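The entry above records that the first bytes of user32!PeekMessageA in explorer.exe no longer match the function's original prologue. The following is an added example, not part of this report, of the check a responder can run to confirm and triage such a finding: compare the prologue of each export as seen in process memory with the same bytes from the clean on-disk image, then decode the common redirect stubs to recover where the hook diverts execution. Both views are constructed byte strings so the logic runs anywhere; on a live system they would come from ReadProcessMemory and the file on disk, and export RVAs would be mapped through the section table rather than used directly as they are here. The module base, the hook target addresses, the export RVAs and the prologue bytes are all assumptions.

```python
# Added example, not part of the sandbox report: confirm an inline hook by
# comparing each export's first bytes in process memory against the clean
# on-disk image, then decode the stub that now sits there. Both images are
# constructed below; a real check reads memory with ReadProcessMemory and the
# file with a PE parser, mapping each export RVA to its file offset through
# the section table (this example assumes RVA == file offset for simplicity).
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class HookFinding:
    function: str
    rva: int
    disk: bytes
    memory: bytes
    kind: str               # which redirect stub was recognised
    target: Optional[int]   # where execution is diverted to, if decodable


def decode_redirect(code: bytes, va: int) -> Tuple[str, Optional[int]]:
    """Recognise the usual hook stubs at `code`, which is mapped at address `va`."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32 (target within 2 GiB)
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return "jmp rel32", va + 5 + rel
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret (32-bit absolute)
        return "push/ret", int.from_bytes(code[1:5], "little")
    if len(code) >= 14 and code[:6] == b"\xff\x25\x00\x00\x00\x00":  # jmp [rip+0]; dq target
        return "jmp [rip+0]", int.from_bytes(code[6:14], "little")
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":  # mov rax, imm64; jmp rax
        return "mov rax/jmp rax", int.from_bytes(code[2:10], "little")
    return "unrecognised patch", None


def find_inline_hooks(exports: Dict[str, int], disk_image: bytes, memory_image: bytes,
                      module_base: int, prologue_len: int = 16) -> List[HookFinding]:
    """Diff the first `prologue_len` bytes of every export between disk and memory."""
    findings: List[HookFinding] = []
    for name, rva in exports.items():
        on_disk = disk_image[rva:rva + prologue_len]
        in_mem = memory_image[rva:rva + prologue_len]
        if on_disk != in_mem:
            kind, target = decode_redirect(in_mem, module_base + rva)
            findings.append(HookFinding(name, rva, on_disk, in_mem, kind, target))
    return findings


# ---- constructed data (hypothetical addresses, not values from the report) ----
MODULE_BASE = 0x7FFB1C5E0000            # assumed user32.dll base in explorer.exe
NEAR_TARGET = MODULE_BASE - 0x100000    # trampoline page just below the module: reachable by jmp rel32
FAR_TARGET = 0x000001D3A7E10000         # injected code far away: needs an absolute jump
EXPORTS = {"PeekMessageA": 0x20, "GetMessageA": 0x40, "SendMessageA": 0x60}  # RVAs are made up
CLEAN_PROLOGUE = bytes.fromhex("48895c2408574883ec20")  # mov [rsp+8],rbx; push rdi; sub rsp,20h


def build_images() -> Tuple[bytes, bytes]:
    disk = bytearray(b"\xcc" * 0x100)
    for rva in EXPORTS.values():
        disk[rva:rva + len(CLEAN_PROLOGUE)] = CLEAN_PROLOGUE
    mem = bytearray(disk)
    rva = EXPORTS["PeekMessageA"]                     # hooked with a 5-byte relative jump
    rel = NEAR_TARGET - (MODULE_BASE + rva + 5)
    mem[rva:rva + 5] = b"\xe9" + (rel & 0xFFFFFFFF).to_bytes(4, "little")
    rva = EXPORTS["GetMessageA"]                      # hooked with a 12-byte absolute jump
    mem[rva:rva + 12] = b"\x48\xb8" + FAR_TARGET.to_bytes(8, "little") + b"\xff\xe0"
    return bytes(disk), bytes(mem)                    # SendMessageA is left untouched


DISK_IMAGE, MEMORY_IMAGE = build_images()

if __name__ == "__main__":
    for h in find_inline_hooks(EXPORTS, DISK_IMAGE, MEMORY_IMAGE, MODULE_BASE):
        tgt = f"{h.target:#x}" if h.target is not None else "?"
        print(f"{h.function}: {h.kind} -> {tgt}  was {h.disk[:6].hex()} now {h.memory[:6].hex()}")
```

A prologue that differs but decodes as "unrecognised patch" still deserves attention: the bytes the sandbox prints for PeekMessageA above are not one of the four stubs decoded here, and a diff is the finding regardless of whether the stub is recognised. Whatever the hook points at, the next step is to dump that region and identify which process wrote it.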
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Process information set: NOOPENFILEERRORBOX (27 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.259628846.00000000030B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: MGoJ7XfFzA.exe PID: 5928, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: MGoJ7XfFzA.exe, 00000000.00000002.259628846.00000000030B0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: MGoJ7XfFzA.exe, 00000000.00000002.259628846.00000000030B0000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000006098E4 second address: 00000000006098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000609B5E second address: 0000000000609B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
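The "RDTSC instruction interceptor" entries above describe two rdtsc instructions six bytes apart: rdtsc; xor ecx, ecx; add ecx, eax; rdtsc, so the low half of the first timestamp is parked in ecx and a second one is read straight away for the caller to compare. Under a hypervisor that traps rdtsc, or under single-stepping, the delta is far larger than the bare-metal cost of two instructions. The following is an added example, not part of this report, a Python helper that finds such closely paired rdtsc instructions in a code buffer, which is how the signature above can be reproduced on a dumped region. The buffer is constructed for the example (the encoding 0F 31 31 C9 01 C1 0F 31 matches the listed sequence); the window size and the function and field names are the example's own.

```python
# Added example, not part of the sandbox report: locate the paired-rdtsc timing
# check that the "RDTSC instruction interceptor" entries describe. rdtsc is
# 0F 31; the sample reads it, parks the low half in ecx (xor ecx, ecx; add ecx,
# eax), reads it again, and the caller compares the two values. A delta far
# above bare-metal cost means the instruction was trapped by a hypervisor or
# the code is being single-stepped.
from dataclasses import dataclass
from typing import List

RDTSC = b"\x0f\x31"


@dataclass
class RdtscPair:
    first: int       # address of the first rdtsc
    second: int      # address of the second rdtsc
    gap_bytes: int   # distance between them; the report's sequence gives 6
    between: bytes   # the instructions in between, for the analyst to eyeball


def rdtsc_offsets(buf: bytes) -> List[int]:
    """Every offset of 0F 31. A byte scan rather than a disassembly, so a 0F 31
    inside an immediate or displacement is also listed; pairing filters most."""
    out, i = [], buf.find(RDTSC)
    while i != -1:
        out.append(i)
        i = buf.find(RDTSC, i + 2)
    return out


def find_rdtsc_pairs(buf: bytes, base: int = 0, window: int = 32) -> List[RdtscPair]:
    """rdtsc instructions followed by another within `window` bytes. Only two
    readings taken back to back form a delta; a lone rdtsc is also used
    legitimately for seeding and profiling, so it is not reported."""
    offs = rdtsc_offsets(buf)
    return [RdtscPair(base + a, base + b, b - a, buf[a + 2:b])
            for a, b in zip(offs, offs[1:]) if b - a <= window]


# Constructed buffer (not bytes from the sample): the listed sequence
# rdtsc; xor ecx, ecx; add ecx, eax; rdtsc, a run of nops, then a lone rdtsc
# too far away to be paired.
SAMPLE_CODE = bytes.fromhex("0f31" "31c9" "01c1" "0f31") + b"\x90" * 64 + bytes.fromhex("0f31")

if __name__ == "__main__":
    for p in find_rdtsc_pairs(SAMPLE_CODE, base=0x4098E4):
        print(f"{p.first:#010x} -> {p.second:#010x}: {p.gap_bytes} bytes apart, between={p.between.hex()}")
```

With the base set to the first address from the report, the pair resolves to 004098E4 and 004098EA exactly as listed. The same check appears in both the MGoJ7XfFzA.exe and cmmon32.exe entries at addresses that differ only by the image base, which is consistent with the same payload being injected into the second process.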
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00409A90 rdtsc 2_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe TID: 3588 Thread sleep time: -54374s >= -30000s
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe TID: 5976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1752 Thread sleep time: -42000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 4416 Thread sleep time: -50000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Thread delayed: delay time: 54374
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000004.00000000.297472689.000000000EC32000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}1
Source: explorer.exe, 00000004.00000000.292989109.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.292989109.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: MGoJ7XfFzA.exe, 00000000.00000002.259628846.00000000030B0000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.297472689.000000000EC32000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.293251349.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.322197161.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: MGoJ7XfFzA.exe, 00000000.00000002.259628846.00000000030B0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.293251349.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000000.320106990.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.293251349.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000004.00000000.293099117.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000004.00000000.293099117.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.285863562.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: MGoJ7XfFzA.exe Binary or memory string: esUKgoQ4[3Y5]DTKe4Ip]oUHD[UIDOMID}jIDnYphs85e|k5\xo6XDX5fkM3fq8Zd3U[]WETU}EDgvY[\pYJUiU[]qET]m8Z\3QqeMUKe4Ip]oUJD]gKD}{Z\4I[UoQpeo
Source: explorer.exe, 00000004.00000000.322197161.00000000059C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.293251349.0000000008B88000.00000004.00000001.sdmp Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.322197161.00000000059C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: MGoJ7XfFzA.exe, 00000000.00000002.259628846.00000000030B0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: MGoJ7XfFzA.exe, 00000000.00000002.259628846.00000000030B0000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000000.322197161.00000000059C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_00409A90 rdtsc 2_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Code function: 2_2_0040ACD0 LdrLoadDll, 2_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C746D mov eax, dword ptr fs:[00000030h] 13_2_046C746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04771074 mov eax, dword ptr fs:[00000030h] 13_2_04771074
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04762073 mov eax, dword ptr fs:[00000030h] 13_2_04762073
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0473C450 mov eax, dword ptr fs:[00000030h] 13_2_0473C450 (2 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DA44B mov eax, dword ptr fs:[00000030h] 13_2_046DA44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C0050 mov eax, dword ptr fs:[00000030h] 13_2_046C0050 (2 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D002D mov eax, dword ptr fs:[00000030h] 13_2_046D002D (5 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046BB02A mov eax, dword ptr fs:[00000030h] 13_2_046BB02A (4 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DBC2C mov eax, dword ptr fs:[00000030h] 13_2_046DBC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04774015 mov eax, dword ptr fs:[00000030h] 13_2_04774015 (2 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04727016 mov eax, dword ptr fs:[00000030h] 13_2_04727016 (3 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04761C06 mov eax, dword ptr fs:[00000030h] 13_2_04761C06 (14 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04726C0A mov eax, dword ptr fs:[00000030h] 13_2_04726C0A (4 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0477740D mov eax, dword ptr fs:[00000030h] 13_2_0477740D (3 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04726CF0 mov eax, dword ptr fs:[00000030h] 13_2_04726CF0 (3 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A58EC mov eax, dword ptr fs:[00000030h] 13_2_046A58EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047614FB mov eax, dword ptr fs:[00000030h] 13_2_047614FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04778CD6 mov eax, dword ptr fs:[00000030h] 13_2_04778CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0473B8D0 mov eax, dword ptr fs:[00000030h] 13_2_0473B8D0 (5 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0473B8D0 mov ecx, dword ptr fs:[00000030h] 13_2_0473B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E90AF mov eax, dword ptr fs:[00000030h] 13_2_046E90AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D20A0 mov eax, dword ptr fs:[00000030h] 13_2_046D20A0 (6 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DF0BF mov ecx, dword ptr fs:[00000030h] 13_2_046DF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DF0BF mov eax, dword ptr fs:[00000030h] 13_2_046DF0BF (2 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A9080 mov eax, dword ptr fs:[00000030h] 13_2_046A9080
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B849B mov eax, dword ptr fs:[00000030h] 13_2_046B849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04723884 mov eax, dword ptr fs:[00000030h] 13_2_04723884 (2 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AC962 mov eax, dword ptr fs:[00000030h] 13_2_046AC962
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AB171 mov eax, dword ptr fs:[00000030h] 13_2_046AB171 (2 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CC577 mov eax, dword ptr fs:[00000030h] 13_2_046CC577 (2 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CB944 mov eax, dword ptr fs:[00000030h] 13_2_046CB944 (2 identical entries)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E3D43 mov eax, dword ptr fs:[00000030h] 13_2_046E3D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04723540 mov eax, dword ptr fs:[00000030h] 13_2_04723540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C7D50 mov eax, dword ptr fs:[00000030h] 13_2_046C7D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04778D34 mov eax, dword ptr fs:[00000030h] 13_2_04778D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0472A537 mov eax, dword ptr fs:[00000030h] 13_2_0472A537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C4120 mov eax, dword ptr fs:[00000030h] 13_2_046C4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C4120 mov eax, dword ptr fs:[00000030h] 13_2_046C4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C4120 mov eax, dword ptr fs:[00000030h] 13_2_046C4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C4120 mov eax, dword ptr fs:[00000030h] 13_2_046C4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C4120 mov ecx, dword ptr fs:[00000030h] 13_2_046C4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D4D3B mov eax, dword ptr fs:[00000030h] 13_2_046D4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D4D3B mov eax, dword ptr fs:[00000030h] 13_2_046D4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D4D3B mov eax, dword ptr fs:[00000030h] 13_2_046D4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D513A mov eax, dword ptr fs:[00000030h] 13_2_046D513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D513A mov eax, dword ptr fs:[00000030h] 13_2_046D513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AAD30 mov eax, dword ptr fs:[00000030h] 13_2_046AAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B3D34 mov eax, dword ptr fs:[00000030h] 13_2_046B3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A9100 mov eax, dword ptr fs:[00000030h] 13_2_046A9100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A9100 mov eax, dword ptr fs:[00000030h] 13_2_046A9100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A9100 mov eax, dword ptr fs:[00000030h] 13_2_046A9100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04758DF1 mov eax, dword ptr fs:[00000030h] 13_2_04758DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AB1E1 mov eax, dword ptr fs:[00000030h] 13_2_046AB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AB1E1 mov eax, dword ptr fs:[00000030h] 13_2_046AB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AB1E1 mov eax, dword ptr fs:[00000030h] 13_2_046AB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046BD5E0 mov eax, dword ptr fs:[00000030h] 13_2_046BD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046BD5E0 mov eax, dword ptr fs:[00000030h] 13_2_046BD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047341E8 mov eax, dword ptr fs:[00000030h] 13_2_047341E8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04726DC9 mov ecx, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04726DC9 mov eax, dword ptr fs:[00000030h] 13_2_04726DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D35A1 mov eax, dword ptr fs:[00000030h] 13_2_046D35A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047251BE mov eax, dword ptr fs:[00000030h] 13_2_047251BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047251BE mov eax, dword ptr fs:[00000030h] 13_2_047251BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047251BE mov eax, dword ptr fs:[00000030h] 13_2_047251BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047251BE mov eax, dword ptr fs:[00000030h] 13_2_047251BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D61A0 mov eax, dword ptr fs:[00000030h] 13_2_046D61A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D61A0 mov eax, dword ptr fs:[00000030h] 13_2_046D61A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047269A6 mov eax, dword ptr fs:[00000030h] 13_2_047269A6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D1DB5 mov eax, dword ptr fs:[00000030h] 13_2_046D1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D1DB5 mov eax, dword ptr fs:[00000030h] 13_2_046D1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D1DB5 mov eax, dword ptr fs:[00000030h] 13_2_046D1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047705AC mov eax, dword ptr fs:[00000030h] 13_2_047705AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047705AC mov eax, dword ptr fs:[00000030h] 13_2_047705AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A2D8A mov eax, dword ptr fs:[00000030h] 13_2_046A2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DA185 mov eax, dword ptr fs:[00000030h] 13_2_046DA185
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D2581 mov eax, dword ptr fs:[00000030h] 13_2_046D2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D2581 mov eax, dword ptr fs:[00000030h] 13_2_046D2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D2581 mov eax, dword ptr fs:[00000030h] 13_2_046D2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D2581 mov eax, dword ptr fs:[00000030h] 13_2_046D2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CC182 mov eax, dword ptr fs:[00000030h] 13_2_046CC182
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DFD9B mov eax, dword ptr fs:[00000030h] 13_2_046DFD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DFD9B mov eax, dword ptr fs:[00000030h] 13_2_046DFD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D2990 mov eax, dword ptr fs:[00000030h] 13_2_046D2990
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B766D mov eax, dword ptr fs:[00000030h] 13_2_046B766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E927A mov eax, dword ptr fs:[00000030h] 13_2_046E927A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0475B260 mov eax, dword ptr fs:[00000030h] 13_2_0475B260
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0475B260 mov eax, dword ptr fs:[00000030h] 13_2_0475B260
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04778A62 mov eax, dword ptr fs:[00000030h] 13_2_04778A62
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CAE73 mov eax, dword ptr fs:[00000030h] 13_2_046CAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04734257 mov eax, dword ptr fs:[00000030h] 13_2_04734257
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A9240 mov eax, dword ptr fs:[00000030h] 13_2_046A9240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A9240 mov eax, dword ptr fs:[00000030h] 13_2_046A9240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A9240 mov eax, dword ptr fs:[00000030h] 13_2_046A9240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A9240 mov eax, dword ptr fs:[00000030h] 13_2_046A9240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B7E41 mov eax, dword ptr fs:[00000030h] 13_2_046B7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E4A2C mov eax, dword ptr fs:[00000030h] 13_2_046E4A2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E4A2C mov eax, dword ptr fs:[00000030h] 13_2_046E4A2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0475FE3F mov eax, dword ptr fs:[00000030h] 13_2_0475FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AE620 mov eax, dword ptr fs:[00000030h] 13_2_046AE620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B8A0A mov eax, dword ptr fs:[00000030h] 13_2_046B8A0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AC600 mov eax, dword ptr fs:[00000030h] 13_2_046AC600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AC600 mov eax, dword ptr fs:[00000030h] 13_2_046AC600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AC600 mov eax, dword ptr fs:[00000030h] 13_2_046AC600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D8E00 mov eax, dword ptr fs:[00000030h] 13_2_046D8E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046C3A1C mov eax, dword ptr fs:[00000030h] 13_2_046C3A1C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DA61C mov eax, dword ptr fs:[00000030h] 13_2_046DA61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DA61C mov eax, dword ptr fs:[00000030h] 13_2_046DA61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A5210 mov eax, dword ptr fs:[00000030h] 13_2_046A5210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A5210 mov ecx, dword ptr fs:[00000030h] 13_2_046A5210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A5210 mov eax, dword ptr fs:[00000030h] 13_2_046A5210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A5210 mov eax, dword ptr fs:[00000030h] 13_2_046A5210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AAA16 mov eax, dword ptr fs:[00000030h] 13_2_046AAA16
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AAA16 mov eax, dword ptr fs:[00000030h] 13_2_046AAA16
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04761608 mov eax, dword ptr fs:[00000030h] 13_2_04761608
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B76E2 mov eax, dword ptr fs:[00000030h] 13_2_046B76E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D2AE4 mov eax, dword ptr fs:[00000030h] 13_2_046D2AE4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D16E0 mov ecx, dword ptr fs:[00000030h] 13_2_046D16E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04778ED6 mov eax, dword ptr fs:[00000030h] 13_2_04778ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D36CC mov eax, dword ptr fs:[00000030h] 13_2_046D36CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D2ACB mov eax, dword ptr fs:[00000030h] 13_2_046D2ACB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E8EC7 mov eax, dword ptr fs:[00000030h] 13_2_046E8EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0475FEC0 mov eax, dword ptr fs:[00000030h] 13_2_0475FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A52A5 mov eax, dword ptr fs:[00000030h] 13_2_046A52A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04770EA5 mov eax, dword ptr fs:[00000030h] 13_2_04770EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04770EA5 mov eax, dword ptr fs:[00000030h] 13_2_04770EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04770EA5 mov eax, dword ptr fs:[00000030h] 13_2_04770EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047246A7 mov eax, dword ptr fs:[00000030h] 13_2_047246A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046BAAB0 mov eax, dword ptr fs:[00000030h] 13_2_046BAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046BAAB0 mov eax, dword ptr fs:[00000030h] 13_2_046BAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DFAB0 mov eax, dword ptr fs:[00000030h] 13_2_046DFAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0473FE87 mov eax, dword ptr fs:[00000030h] 13_2_0473FE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DD294 mov eax, dword ptr fs:[00000030h] 13_2_046DD294
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DD294 mov eax, dword ptr fs:[00000030h] 13_2_046DD294
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046ADB60 mov ecx, dword ptr fs:[00000030h] 13_2_046ADB60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046BFF60 mov eax, dword ptr fs:[00000030h] 13_2_046BFF60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D3B7A mov eax, dword ptr fs:[00000030h] 13_2_046D3B7A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D3B7A mov eax, dword ptr fs:[00000030h] 13_2_046D3B7A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04778F6A mov eax, dword ptr fs:[00000030h] 13_2_04778F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046ADB40 mov eax, dword ptr fs:[00000030h] 13_2_046ADB40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046BEF40 mov eax, dword ptr fs:[00000030h] 13_2_046BEF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04778B58 mov eax, dword ptr fs:[00000030h] 13_2_04778B58
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046AF358 mov eax, dword ptr fs:[00000030h] 13_2_046AF358
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A4F2E mov eax, dword ptr fs:[00000030h] 13_2_046A4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046A4F2E mov eax, dword ptr fs:[00000030h] 13_2_046A4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DE730 mov eax, dword ptr fs:[00000030h] 13_2_046DE730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0473FF10 mov eax, dword ptr fs:[00000030h] 13_2_0473FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0473FF10 mov eax, dword ptr fs:[00000030h] 13_2_0473FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DA70E mov eax, dword ptr fs:[00000030h] 13_2_046DA70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DA70E mov eax, dword ptr fs:[00000030h] 13_2_046DA70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0476131B mov eax, dword ptr fs:[00000030h] 13_2_0476131B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0477070D mov eax, dword ptr fs:[00000030h] 13_2_0477070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0477070D mov eax, dword ptr fs:[00000030h] 13_2_0477070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CF716 mov eax, dword ptr fs:[00000030h] 13_2_046CF716
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046CDBE9 mov eax, dword ptr fs:[00000030h] 13_2_046CDBE9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D03E2 mov eax, dword ptr fs:[00000030h] 13_2_046D03E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046E37F5 mov eax, dword ptr fs:[00000030h] 13_2_046E37F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047253CA mov eax, dword ptr fs:[00000030h] 13_2_047253CA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_047253CA mov eax, dword ptr fs:[00000030h] 13_2_047253CA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D4BAD mov eax, dword ptr fs:[00000030h] 13_2_046D4BAD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D4BAD mov eax, dword ptr fs:[00000030h] 13_2_046D4BAD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D4BAD mov eax, dword ptr fs:[00000030h] 13_2_046D4BAD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04775BA5 mov eax, dword ptr fs:[00000030h] 13_2_04775BA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B1B8F mov eax, dword ptr fs:[00000030h] 13_2_046B1B8F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B1B8F mov eax, dword ptr fs:[00000030h] 13_2_046B1B8F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04727794 mov eax, dword ptr fs:[00000030h] 13_2_04727794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04727794 mov eax, dword ptr fs:[00000030h] 13_2_04727794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_04727794 mov eax, dword ptr fs:[00000030h] 13_2_04727794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0475D380 mov ecx, dword ptr fs:[00000030h] 13_2_0475D380
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046D2397 mov eax, dword ptr fs:[00000030h] 13_2_046D2397
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_0476138A mov eax, dword ptr fs:[00000030h] 13_2_0476138A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046DB390 mov eax, dword ptr fs:[00000030h] 13_2_046DB390
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 13_2_046B8794 mov eax, dword ptr fs:[00000030h] 13_2_046B8794
Enables debug privileges
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 160.153.136.3 80
Source: C:\Windows\explorer.exe Domain query: www.danielandtanyaswedding.com
Source: C:\Windows\explorer.exe Domain query: www.inspiredpractice.net
Source: C:\Windows\explorer.exe Network Connect: 3.226.199.169 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Thread register set: target process: 3292
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3292
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 1260000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Process created: C:\Users\user\Desktop\MGoJ7XfFzA.exe C:\Users\user\Desktop\MGoJ7XfFzA.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\MGoJ7XfFzA.exe'
Source: explorer.exe, 00000004.00000000.304395647.0000000001400000.00000002.00000001.sdmp, cmmon32.exe, 0000000D.00000002.515838881.0000000003270000.00000002.00000001.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000004.00000000.304395647.0000000001400000.00000002.00000001.sdmp, cmmon32.exe, 0000000D.00000002.515838881.0000000003270000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.304395647.0000000001400000.00000002.00000001.sdmp, cmmon32.exe, 0000000D.00000002.515838881.0000000003270000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.304395647.0000000001400000.00000002.00000001.sdmp, cmmon32.exe, 0000000D.00000002.515838881.0000000003270000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.263486254.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000004.00000000.293099117.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Queries volume information: C:\Users\user\Desktop\MGoJ7XfFzA.exe VolumeInformation
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\MGoJ7XfFzA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 2.2.MGoJ7XfFzA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MGoJ7XfFzA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.514835894.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332334332.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.514535940.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332270155.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.509680725.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.331373793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262180459.0000000004089000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 2.2.MGoJ7XfFzA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.MGoJ7XfFzA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000D.00000002.514835894.0000000000E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332334332.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.514535940.0000000000E10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.332270155.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.509680725.0000000000600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.331373793.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.262180459.0000000004089000.00000004.00000001.sdmp, type: MEMORY