Windows Analysis Report
L3pFsxNFICpBGmi.exe

Overview

General Information

Sample name: L3pFsxNFICpBGmi.exe
Analysis ID: 1482902
MD5: 24bb9c65918d0110cd3175a206ec1a4f
SHA1: 851184f625d91154bf84a37f6fce380ab96e1770
SHA256: 2ce56b77aff14fba64510a678e42154864d96f445f8fcb28a398fecb18b2d6d4

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe ReversingLabs: Detection: 79%
Source: L3pFsxNFICpBGmi.exe Virustotal: Detection: 35%
Source: L3pFsxNFICpBGmi.exe ReversingLabs: Detection: 83%
Source: Yara match File source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2368050884.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2368458197.0000000000BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Joe Sandbox ML: detected
Source: L3pFsxNFICpBGmi.exe Joe Sandbox ML: detected
Source: L3pFsxNFICpBGmi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: L3pFsxNFICpBGmi.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: qVcY.pdb- source: L3pFsxNFICpBGmi.exe, 00000000.00000002.2177605427.000000000703A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: L3pFsxNFICpBGmi.exe, 00000007.00000002.2369047392.00000000010B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: L3pFsxNFICpBGmi.exe, L3pFsxNFICpBGmi.exe, 00000007.00000002.2369047392.00000000010B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: qVcY.pdb source: L3pFsxNFICpBGmi.exe, VgPjxShbdbBH.exe.0.dr
Source: Binary string: qVcY.pdbSHA256 source: L3pFsxNFICpBGmi.exe, VgPjxShbdbBH.exe.0.dr
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 4x nop then jmp 06E30D4Dh 0_2_06E30CE8
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 4x nop then jmp 06E30D4Dh 0_2_06E30CD8
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 4x nop then jmp 06E30D4Dh 0_2_06E30C91
Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: L3pFsxNFICpBGmi.exe, 00000000.00000002.2160601217.0000000002861000.00000004.00000800.00020000.00000000.sdmp, VgPjxShbdbBH.exe, 00000009.00000002.2307859481.00000000033C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Source: Yara match File source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2368050884.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2368458197.0000000000BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2368050884.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.2368458197.0000000000BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0042CA43 NtClose, 7_2_0042CA43
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0040AD92 NtDelayExecution, 7_2_0040AD92
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_01122DF0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_01122C70
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011235C0 NtCreateMutant,LdrInitializeThunk, 7_2_011235C0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01124340 NtSetContextThread, 7_2_01124340
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01124650 NtSuspendThread, 7_2_01124650
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122B60 NtClose, 7_2_01122B60
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122B80 NtQueryInformationFile, 7_2_01122B80
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122BA0 NtEnumerateValueKey, 7_2_01122BA0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122BF0 NtAllocateVirtualMemory, 7_2_01122BF0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122BE0 NtQueryValueKey, 7_2_01122BE0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122AB0 NtWaitForSingleObject, 7_2_01122AB0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122AD0 NtReadFile, 7_2_01122AD0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122AF0 NtWriteFile, 7_2_01122AF0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122D10 NtMapViewOfSection, 7_2_01122D10
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122D00 NtSetInformationFile, 7_2_01122D00
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122D30 NtUnmapViewOfSection, 7_2_01122D30
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122DB0 NtEnumerateKey, 7_2_01122DB0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122DD0 NtDelayExecution, 7_2_01122DD0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122C00 NtQueryInformationProcess, 7_2_01122C00
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122C60 NtCreateKey, 7_2_01122C60
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122CA0 NtQueryInformationToken, 7_2_01122CA0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122CC0 NtQueryVirtualMemory, 7_2_01122CC0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122CF0 NtOpenProcess, 7_2_01122CF0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122F30 NtCreateSection, 7_2_01122F30
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122F60 NtCreateProcessEx, 7_2_01122F60
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122F90 NtProtectVirtualMemory, 7_2_01122F90
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122FB0 NtResumeThread, 7_2_01122FB0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122FA0 NtQuerySection, 7_2_01122FA0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122FE0 NtCreateFile, 7_2_01122FE0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122E30 NtWriteVirtualMemory, 7_2_01122E30
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122E80 NtReadVirtualMemory, 7_2_01122E80
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122EA0 NtAdjustPrivilegesToken, 7_2_01122EA0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122EE0 NtQueueApcThread, 7_2_01122EE0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01123010 NtOpenDirectoryObject, 7_2_01123010
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01123090 NtSetValueKey, 7_2_01123090
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011239B0 NtGetContextThread, 7_2_011239B0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01123D10 NtOpenProcessToken, 7_2_01123D10
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01123D70 NtOpenThread, 7_2_01123D70
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: String function: 01125130 appears 58 times
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: String function: 0116F290 appears 105 times
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: String function: 010DB970 appears 280 times
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: String function: 01137E54 appears 111 times
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: String function: 0115EA12 appears 86 times
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: String function: 01367E54 appears 97 times
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: String function: 0138EA12 appears 37 times
Source: L3pFsxNFICpBGmi.exe, 00000000.00000002.2161205330.0000000003A3E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs L3pFsxNFICpBGmi.exe
Source: L3pFsxNFICpBGmi.exe, 00000000.00000002.2159682582.00000000009EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs L3pFsxNFICpBGmi.exe
Source: L3pFsxNFICpBGmi.exe, 00000000.00000002.2179546143.0000000007280000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs L3pFsxNFICpBGmi.exe
Source: L3pFsxNFICpBGmi.exe, 00000000.00000002.2160601217.0000000002861000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs L3pFsxNFICpBGmi.exe
Source: L3pFsxNFICpBGmi.exe, 00000000.00000002.2178360469.0000000007200000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs L3pFsxNFICpBGmi.exe
Source: L3pFsxNFICpBGmi.exe, 00000000.00000000.2136997645.0000000000504000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameqVcY.exe2 vs L3pFsxNFICpBGmi.exe
Source: L3pFsxNFICpBGmi.exe, 00000007.00000002.2369047392.00000000011DD000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs L3pFsxNFICpBGmi.exe
Source: L3pFsxNFICpBGmi.exe Binary or memory string: OriginalFilenameqVcY.exe2 vs L3pFsxNFICpBGmi.exe
Source: L3pFsxNFICpBGmi.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2368050884.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.2368458197.0000000000BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: L3pFsxNFICpBGmi.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VgPjxShbdbBH.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, vRsUOtLODDDDFdDlot.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, rsTBOyOF7WfQBcJnO8.cs Security API names: _0020.SetAccessControl
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, rsTBOyOF7WfQBcJnO8.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, rsTBOyOF7WfQBcJnO8.cs Security API names: _0020.AddAccessRule
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, rsTBOyOF7WfQBcJnO8.cs Security API names: _0020.SetAccessControl
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, rsTBOyOF7WfQBcJnO8.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, rsTBOyOF7WfQBcJnO8.cs Security API names: _0020.AddAccessRule
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, vRsUOtLODDDDFdDlot.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, rsTBOyOF7WfQBcJnO8.cs Security API names: _0020.SetAccessControl
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, rsTBOyOF7WfQBcJnO8.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, rsTBOyOF7WfQBcJnO8.cs Security API names: _0020.AddAccessRule
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, vRsUOtLODDDDFdDlot.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@18/11@1/0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe File created: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_03
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe File created: C:\Users\user\AppData\Local\Temp\tmp4C43.tmp
Source: L3pFsxNFICpBGmi.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: L3pFsxNFICpBGmi.exe Virustotal: Detection: 35%
Source: L3pFsxNFICpBGmi.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe File read: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe
Source: unknown Process created: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe "C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe"
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VgPjxShbdbBH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C43.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Process created: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe "C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VgPjxShbdbBH" /XML "C:\Users\user\AppData\Local\Temp\tmp5CCE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Process created: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe "C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe"
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Process created: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe "C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe"
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: L3pFsxNFICpBGmi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: L3pFsxNFICpBGmi.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: L3pFsxNFICpBGmi.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: qVcY.pdb- source: L3pFsxNFICpBGmi.exe, 00000000.00000002.2177605427.000000000703A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: L3pFsxNFICpBGmi.exe, 00000007.00000002.2369047392.00000000010B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: L3pFsxNFICpBGmi.exe, L3pFsxNFICpBGmi.exe, 00000007.00000002.2369047392.00000000010B0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: qVcY.pdb source: L3pFsxNFICpBGmi.exe, VgPjxShbdbBH.exe.0.dr
Source: Binary string: qVcY.pdbSHA256 source: L3pFsxNFICpBGmi.exe, VgPjxShbdbBH.exe.0.dr

Data Obfuscation

Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, rsTBOyOF7WfQBcJnO8.cs .Net Code: oxCmLb4yxk System.Reflection.Assembly.Load(byte[])
Source: 0.2.L3pFsxNFICpBGmi.exe.7200000.3.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.L3pFsxNFICpBGmi.exe.7200000.3.raw.unpack, PingPong.cs .Net Code: Justy
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, rsTBOyOF7WfQBcJnO8.cs .Net Code: oxCmLb4yxk System.Reflection.Assembly.Load(byte[])
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, rsTBOyOF7WfQBcJnO8.cs .Net Code: oxCmLb4yxk System.Reflection.Assembly.Load(byte[])
Source: 0.2.L3pFsxNFICpBGmi.exe.288a0e4.0.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.L3pFsxNFICpBGmi.exe.288a0e4.0.raw.unpack, PingPong.cs .Net Code: Justy
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 0_2_06E39801 push 9806E4BEh; iretd 0_2_06E3980D
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 0_2_06FFC8CB push esp; ret 0_2_06FFC8D1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 0_2_06FFD9E8 push eax; iretd 0_2_06FFD9E9
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0041F80D pushad ; iretd 7_2_0041F82A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0041F83A pushad ; iretd 7_2_0041F82A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0040D83D push 024B2A5Ch; iretd 7_2_0040D85E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_00419287 push eax; iretd 7_2_00419288
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_00423BE8 push ss; iretd 7_2_00423BEE
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_00424397 push 00000068h; retf 7_2_00424399
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0040D473 push ebx; iretd 7_2_0040D475
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_004194AF push esi; iretd 7_2_004194B0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_00403570 push eax; ret 7_2_00403572
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0040D64B push DD34D148h; ret 7_2_0040D650
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_00414F0D push ss; iretd 7_2_00414F0E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010B225F pushad ; ret 7_2_010B27F9
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010B27FA pushad ; ret 7_2_010B27F9
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E09AD push ecx; mov dword ptr [esp], ecx 7_2_010E09B6
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010B283D push eax; iretd 7_2_010B2858
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010B1366 push eax; iretd 7_2_010B1369
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: 9_2_0760D9E8 push eax; iretd 9_2_0760D9E9
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: 9_2_0760C8CA push esp; ret 9_2_0760C8D1
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: 13_2_0135C54D pushfd ; ret 13_2_0135C54E
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: 13_2_0135C54F push 8B012E67h; ret 13_2_0135C554
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: 13_2_013109AD push ecx; mov dword ptr [esp], ecx 13_2_013109B6
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: 13_2_0135C9D7 push edi; ret 13_2_0135C9D9
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: 13_2_012E1368 push eax; iretd 13_2_012E1369
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: 13_2_012E1FEC push eax; iretd 13_2_012E1FED
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Code function: 13_2_01367E99 push ecx; ret 13_2_01367EAC
Source: L3pFsxNFICpBGmi.exe Static PE information: section name: .text entropy: 7.92691719537184
Source: VgPjxShbdbBH.exe.0.dr Static PE information: section name: .text entropy: 7.92691719537184
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, Mf9fGZCUtxLE1lxTi2.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, E0lA2XkHhq24UrfrL2S.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, gAgUdLkkn3pE9McEd3O.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, o4jfPcyns5C1jwO5Ml.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, WXZTa3wOMcwmvT2dy5.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, m8imPH8RDiKdEpb5Cu.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, vRsUOtLODDDDFdDlot.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, hXOejlIqi6RstsrJkQ.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, OfEwCHr7TwVojPnX3J.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, rtN0ht0FqLVQlHkL8d.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, dqL8rN4QOXDT7rVqEb.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, MoCqVYkqqcmxrpVO3KG.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, jGh0f6da7wPlrjUftu.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, MLZsOCVH9oEcSAMSXk.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, rsTBOyOF7WfQBcJnO8.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, lX8mGBzbZKqfy9eq3E.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, lipLHQA0HXPkqBR4Xo.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, KZBhJ4sOaOwuQCN5j1.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, PAdjSefqVd3d1MbrPP.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, bgWR3SlvGBnIBeVV8B.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, U53nLycTvhMOpauPXv.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3c69830.1.raw.unpack, qBl9b0GxTlxFFuCRK2.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, Mf9fGZCUtxLE1lxTi2.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, E0lA2XkHhq24UrfrL2S.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, gAgUdLkkn3pE9McEd3O.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, o4jfPcyns5C1jwO5Ml.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, WXZTa3wOMcwmvT2dy5.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, m8imPH8RDiKdEpb5Cu.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, vRsUOtLODDDDFdDlot.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, hXOejlIqi6RstsrJkQ.cs High entropy of concatenated method names
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, OfEwCHr7TwVojPnX3J.cs High entropy of concatenated method names: 'yQLrf6E2MW', 'cx1rFR89TO', 'VChrWEMaO8', 'ei5rHi7tFs', 'SBlrDuPVY2', 'IXsr1UlOIx', 'BnvreaEona', 'eCjrGAC6Xk', 'IElr8AIMfb', 'oNfrAPPXFv'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, rtN0ht0FqLVQlHkL8d.cs High entropy of concatenated method names: 'uFTo4HEt5Z', 'o5NoVuyIU7', 'LJJom7YeC4', 'zAKoP0xojf', 'CCCocNf7xi', 'sFHoOKUlY9', 'xOWoSEq9fq', 'WpRvgJpJ8y', 'CYHvxBUEse', 'bQbvRr7wCc'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, dqL8rN4QOXDT7rVqEb.cs High entropy of concatenated method names: 'x2WvW5Ugp0', 'hpbvH4GUFn', 'PbMvdjaKRo', 'K0EvDhcDcV', 'poCvIf1tva', 'OZTv1ZvVqZ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, MoCqVYkqqcmxrpVO3KG.cs High entropy of concatenated method names: 'L8coyTQwgM', 'wHIoXfJNI2', 'NeLoLKyR5L', 'PKxoiFcKGB', 'f9ro6CCVpf', 'eUuo5oyvtS', 'EBqoUAoFRI', 'zSMoffv33Y', 'Y1yoFkqV3h', 'CYToCrNyyj'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, jGh0f6da7wPlrjUftu.cs High entropy of concatenated method names: 's9vvPuDBap', 'VdXvcB9fXd', 'tFdvYuhD1t', 'iGMvOnOyrk', 'xvwvSqUol2', 'hiJvZW0goZ', 'oa8vKXRIwD', 'wAGvnOYAbO', 'QsNv2Hsj5l', 'jqovQi9GI8'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, MLZsOCVH9oEcSAMSXk.cs High entropy of concatenated method names: 'LgPMxiL0AW', 'U15MJSnL4i', 'rNVvaJ4MXC', 'Ctkv4GGM7x', 'i3nMAEDlnh', 'iRbM7U6djy', 'XM8Mw8ZOlY', 'YZeMIh4HoV', 'EbUMu0gCOL', 'jtkM9Gvaaa'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, rsTBOyOF7WfQBcJnO8.cs High entropy of concatenated method names: 'WGxVNL7rXJ', 'ibvVPh4U9s', 'PRjVcouqg0', 'FNdVYEe8qh', 'B8CVOfXgLu', 'iSPVS6lKoG', 'P1CVZ7S6Fx', 'rtjVKDsO94', 'aLKVnYAJRS', 'BdcV2F1fYS'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, lX8mGBzbZKqfy9eq3E.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IflorU8eu6', 'fn7oq2pcpi', 'VORo3DJRjS', 'g6woM50kpH', 'cSAov48fLs', 'ULaoo3maaX', 'NyEob1pJE4'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, lipLHQA0HXPkqBR4Xo.cs High entropy of concatenated method names: 'tTfM2whN7w', 'x0lMQ0MlUu', 'ToString', 'DK0MPOMj8f', 'IhQMccvJ5y', 'QLCMYakgXx', 'mpLMOEA56i', 'GmrMSvSuqi', 'fP6MZW0Qqq', 'DgvMKIN1JH'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, KZBhJ4sOaOwuQCN5j1.cs High entropy of concatenated method names: 'Dispose', 'Guj4RaYSGi', 'N3MpHjPej3', 'Xm8BBqHEC3', 'Cd74JxqlrQ', 'kM44zxs1qD', 'ProcessDialogKey', 'NB4pa6jTy7', 'c89p4jf46R', 'UaCppnCd07'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, PAdjSefqVd3d1MbrPP.cs High entropy of concatenated method names: 'y4rZPNbbqR', 'yqqZYSsM6F', 'NE8ZSryJ1N', 'pOpSJycumZ', 'pmiSzluaOV', 'c7NZaqrIwW', 'HYYZ4nWFjV', 'KCJZpQY07w', 'N2XZVyX9vv', 'hcEZmklQib'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, bgWR3SlvGBnIBeVV8B.cs High entropy of concatenated method names: 'ToString', 'lhu3AlUpI6', 'MG13HUCEKJ', 'ISJ3dtTTDW', 'XEi3D71vk3', 'rNx31IDaGC', 'MHG3lvuUl9', 'wdO3ekxdD2', 'qIt3GnFxMC', 'Mbm3t3XlFJ'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, U53nLycTvhMOpauPXv.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CvspR2adLY', 'r6KpJF3alV', 'c5npzYdEow', 'bVoVamUGym', 'Ne5V4ry4Tr', 'njpVpRE06m', 'PhCVVjCdXU', 's13t5AHlJmIc2coLvXi'
Source: 0.2.L3pFsxNFICpBGmi.exe.3be1a10.2.raw.unpack, qBl9b0GxTlxFFuCRK2.cs High entropy of concatenated method names: 'KfpSNjMeG7', 'OnaScBadpM', 'G5xSOUX7vH', 'eOUSZ8EbGD', 'AHFSK2xpUH', 'gnkOTPa7Br', 'hL6Ohhp91e', 'y7bOgNVkGW', 'sGMOxRP4GS', 'wLoORbLJ8X'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, Mf9fGZCUtxLE1lxTi2.cs High entropy of concatenated method names: 'yfm4ZdOayl', 'WNT4KhmF0q', 'Jia426vlpP', 'hjp4QvqV0u', 'hhm4qJR8oa', 'cB743lsnZt', 'e0Q371GZHYDfaM4FCD', 'pXgPYJ4kvqCljDTQHc', 'wnYL6Z1pxqvdhkS9Q1', 'RX244dg40c'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, E0lA2XkHhq24UrfrL2S.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LfxbIj3oas', 'kkqbuQu0tE', 'oRLb9JMsc1', 'rFnb09dDp1', 'w2jbTrsBor', 'j8Ebh6CxvI', 's7xbgtNSqG'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, gAgUdLkkn3pE9McEd3O.cs High entropy of concatenated method names: 'ToString', 'Xq0bVPhAIC', 'DrcbmkMGfJ', 'qjBbNxk0hH', 'afebPl1SXl', 'hfCbcCxrt3', 'oF1bYGlgQ4', 'Lx9bOBWiL6', 'cqeuQHrEGvW6Bc0Ky3c', 'RNQOFRrggq7GYEis471'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, o4jfPcyns5C1jwO5Ml.cs High entropy of concatenated method names: 'kXfYiCie0T', 'aMuY5Wciyt', 'lhVYfj6xCh', 'MFYYF9Zllx', 'oH8YqJBpeM', 'evXY3Sf3jZ', 'KMnYMQEtKZ', 'yqLYvj5SKW', 'mJVYoecjLU', 'WtiYb5rg2r'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, WXZTa3wOMcwmvT2dy5.cs High entropy of concatenated method names: 'HCqq8ky7V6', 'DxAq7yW6Js', 'wOjqISZm3m', 'HNequ25xgD', 'gRLqHlLXnm', 'FiEqdDUF69', 'HhgqDAOLul', 'kUsq1uOoXp', 'oIoqlLwcOA', 'Sr2qeAVSHw'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, m8imPH8RDiKdEpb5Cu.cs High entropy of concatenated method names: 'tL0LBe6mU', 'SZfijWbpJ', 'UXe5KJUgq', 'Y8fUMcGEo', 'kFYFOrOtf', 'TCCCkve7s', 'UgOUDr899Ib6RMAy4C', 'akjlqxEDyPNdGo0mxs', 'pBrv4qT9V', 'jfLbPFsvJ'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, vRsUOtLODDDDFdDlot.cs High entropy of concatenated method names: 'AZscItTqYL', 'cuccuGrhRr', 'sARc9yrEQi', 'kcuc0hVXYP', 'JOecTu1RfO', 'diDchjAeQj', 't85cg8UhVq', 'sLRcxFnGdA', 'iHfcRewb8Y', 'FZTcJmqnIp'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, hXOejlIqi6RstsrJkQ.cs High entropy of concatenated method names: 'rAuZyCA1MO', 'XKhZXonxBk', 'IVjZLrpD8C', 'tkGZiA4sH5', 'OUrZ6XrXmg', 'zl7Z5s2VNW', 'UapZU3d8Gc', 'UntZfYph9G', 'fXsZFhbUXr', 'gDaZCXKkRR'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, OfEwCHr7TwVojPnX3J.cs High entropy of concatenated method names: 'yQLrf6E2MW', 'cx1rFR89TO', 'VChrWEMaO8', 'ei5rHi7tFs', 'SBlrDuPVY2', 'IXsr1UlOIx', 'BnvreaEona', 'eCjrGAC6Xk', 'IElr8AIMfb', 'oNfrAPPXFv'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, rtN0ht0FqLVQlHkL8d.cs High entropy of concatenated method names: 'uFTo4HEt5Z', 'o5NoVuyIU7', 'LJJom7YeC4', 'zAKoP0xojf', 'CCCocNf7xi', 'sFHoOKUlY9', 'xOWoSEq9fq', 'WpRvgJpJ8y', 'CYHvxBUEse', 'bQbvRr7wCc'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, dqL8rN4QOXDT7rVqEb.cs High entropy of concatenated method names: 'x2WvW5Ugp0', 'hpbvH4GUFn', 'PbMvdjaKRo', 'K0EvDhcDcV', 'poCvIf1tva', 'OZTv1ZvVqZ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, MoCqVYkqqcmxrpVO3KG.cs High entropy of concatenated method names: 'L8coyTQwgM', 'wHIoXfJNI2', 'NeLoLKyR5L', 'PKxoiFcKGB', 'f9ro6CCVpf', 'eUuo5oyvtS', 'EBqoUAoFRI', 'zSMoffv33Y', 'Y1yoFkqV3h', 'CYToCrNyyj'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, jGh0f6da7wPlrjUftu.cs High entropy of concatenated method names: 's9vvPuDBap', 'VdXvcB9fXd', 'tFdvYuhD1t', 'iGMvOnOyrk', 'xvwvSqUol2', 'hiJvZW0goZ', 'oa8vKXRIwD', 'wAGvnOYAbO', 'QsNv2Hsj5l', 'jqovQi9GI8'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, MLZsOCVH9oEcSAMSXk.cs High entropy of concatenated method names: 'LgPMxiL0AW', 'U15MJSnL4i', 'rNVvaJ4MXC', 'Ctkv4GGM7x', 'i3nMAEDlnh', 'iRbM7U6djy', 'XM8Mw8ZOlY', 'YZeMIh4HoV', 'EbUMu0gCOL', 'jtkM9Gvaaa'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, rsTBOyOF7WfQBcJnO8.cs High entropy of concatenated method names: 'WGxVNL7rXJ', 'ibvVPh4U9s', 'PRjVcouqg0', 'FNdVYEe8qh', 'B8CVOfXgLu', 'iSPVS6lKoG', 'P1CVZ7S6Fx', 'rtjVKDsO94', 'aLKVnYAJRS', 'BdcV2F1fYS'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, lX8mGBzbZKqfy9eq3E.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IflorU8eu6', 'fn7oq2pcpi', 'VORo3DJRjS', 'g6woM50kpH', 'cSAov48fLs', 'ULaoo3maaX', 'NyEob1pJE4'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, lipLHQA0HXPkqBR4Xo.cs High entropy of concatenated method names: 'tTfM2whN7w', 'x0lMQ0MlUu', 'ToString', 'DK0MPOMj8f', 'IhQMccvJ5y', 'QLCMYakgXx', 'mpLMOEA56i', 'GmrMSvSuqi', 'fP6MZW0Qqq', 'DgvMKIN1JH'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, KZBhJ4sOaOwuQCN5j1.cs High entropy of concatenated method names: 'Dispose', 'Guj4RaYSGi', 'N3MpHjPej3', 'Xm8BBqHEC3', 'Cd74JxqlrQ', 'kM44zxs1qD', 'ProcessDialogKey', 'NB4pa6jTy7', 'c89p4jf46R', 'UaCppnCd07'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, PAdjSefqVd3d1MbrPP.cs High entropy of concatenated method names: 'y4rZPNbbqR', 'yqqZYSsM6F', 'NE8ZSryJ1N', 'pOpSJycumZ', 'pmiSzluaOV', 'c7NZaqrIwW', 'HYYZ4nWFjV', 'KCJZpQY07w', 'N2XZVyX9vv', 'hcEZmklQib'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, bgWR3SlvGBnIBeVV8B.cs High entropy of concatenated method names: 'ToString', 'lhu3AlUpI6', 'MG13HUCEKJ', 'ISJ3dtTTDW', 'XEi3D71vk3', 'rNx31IDaGC', 'MHG3lvuUl9', 'wdO3ekxdD2', 'qIt3GnFxMC', 'Mbm3t3XlFJ'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, U53nLycTvhMOpauPXv.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'CvspR2adLY', 'r6KpJF3alV', 'c5npzYdEow', 'bVoVamUGym', 'Ne5V4ry4Tr', 'njpVpRE06m', 'PhCVVjCdXU', 's13t5AHlJmIc2coLvXi'
Source: 0.2.L3pFsxNFICpBGmi.exe.7280000.5.raw.unpack, qBl9b0GxTlxFFuCRK2.cs High entropy of concatenated method names: 'KfpSNjMeG7', 'OnaScBadpM', 'G5xSOUX7vH', 'eOUSZ8EbGD', 'AHFSK2xpUH', 'gnkOTPa7Br', 'hL6Ohhp91e', 'y7bOgNVkGW', 'sGMOxRP4GS', 'wLoORbLJ8X'
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe File created: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe

Boot Survival

Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VgPjxShbdbBH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C43.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: L3pFsxNFICpBGmi.exe PID: 6536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: VgPjxShbdbBH.exe PID: 3580, type: MEMORYSTR
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Memory allocated: E70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Memory allocated: 2660000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Memory allocated: 75B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Memory allocated: 85B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Memory allocated: 8760000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Memory allocated: 9760000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Memory allocated: 1680000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Memory allocated: 3380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Memory allocated: 5380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Memory allocated: 7F40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Memory allocated: 78D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Memory allocated: 8F40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Memory allocated: 9F40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0112096E rdtsc 7_2_0112096E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6249
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2119
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe API coverage: 0.6 %
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe API coverage: 0.3 %
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe TID: 2748 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2196 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe TID: 3640 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe TID: 2968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe TID: 6336 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_00417B73 LdrLoadDll, 7_2_00417B73
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0118A118 mov ecx, dword ptr fs:[00000030h] 7_2_0118A118
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0118A118 mov eax, dword ptr fs:[00000030h] 7_2_0118A118
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011A0115 mov eax, dword ptr fs:[00000030h] 7_2_011A0115
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0118E10E mov eax, dword ptr fs:[00000030h] 7_2_0118E10E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0118E10E mov ecx, dword ptr fs:[00000030h] 7_2_0118E10E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01110124 mov eax, dword ptr fs:[00000030h] 7_2_01110124
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01178158 mov eax, dword ptr fs:[00000030h] 7_2_01178158
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01174144 mov eax, dword ptr fs:[00000030h] 7_2_01174144
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01174144 mov ecx, dword ptr fs:[00000030h] 7_2_01174144
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E6154 mov eax, dword ptr fs:[00000030h] 7_2_010E6154
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DC156 mov eax, dword ptr fs:[00000030h] 7_2_010DC156
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B4164 mov eax, dword ptr fs:[00000030h] 7_2_011B4164
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116019F mov eax, dword ptr fs:[00000030h] 7_2_0116019F
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0119C188 mov eax, dword ptr fs:[00000030h] 7_2_0119C188
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01120185 mov eax, dword ptr fs:[00000030h] 7_2_01120185
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01184180 mov eax, dword ptr fs:[00000030h] 7_2_01184180
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DA197 mov eax, dword ptr fs:[00000030h] 7_2_010DA197
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115E1D0 mov eax, dword ptr fs:[00000030h] 7_2_0115E1D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115E1D0 mov ecx, dword ptr fs:[00000030h] 7_2_0115E1D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011A61C3 mov eax, dword ptr fs:[00000030h] 7_2_011A61C3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011101F8 mov eax, dword ptr fs:[00000030h] 7_2_011101F8
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B61E5 mov eax, dword ptr fs:[00000030h] 7_2_011B61E5
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01164000 mov ecx, dword ptr fs:[00000030h] 7_2_01164000
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01182000 mov eax, dword ptr fs:[00000030h] 7_2_01182000
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010FE016 mov eax, dword ptr fs:[00000030h] 7_2_010FE016
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01176030 mov eax, dword ptr fs:[00000030h] 7_2_01176030
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DA020 mov eax, dword ptr fs:[00000030h] 7_2_010DA020
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DC020 mov eax, dword ptr fs:[00000030h] 7_2_010DC020
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01166050 mov eax, dword ptr fs:[00000030h] 7_2_01166050
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E2050 mov eax, dword ptr fs:[00000030h] 7_2_010E2050
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110C073 mov eax, dword ptr fs:[00000030h] 7_2_0110C073
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E208A mov eax, dword ptr fs:[00000030h] 7_2_010E208A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011A60B8 mov eax, dword ptr fs:[00000030h] 7_2_011A60B8
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011A60B8 mov ecx, dword ptr fs:[00000030h] 7_2_011A60B8
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010D80A0 mov eax, dword ptr fs:[00000030h] 7_2_010D80A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011780A8 mov eax, dword ptr fs:[00000030h] 7_2_011780A8
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011620DE mov eax, dword ptr fs:[00000030h] 7_2_011620DE
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011220F0 mov ecx, dword ptr fs:[00000030h] 7_2_011220F0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E80E9 mov eax, dword ptr fs:[00000030h] 7_2_010E80E9
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DA0E3 mov ecx, dword ptr fs:[00000030h] 7_2_010DA0E3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011660E0 mov eax, dword ptr fs:[00000030h] 7_2_011660E0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DC0F0 mov eax, dword ptr fs:[00000030h] 7_2_010DC0F0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01100310 mov ecx, dword ptr fs:[00000030h] 7_2_01100310
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111A30B mov eax, dword ptr fs:[00000030h] 7_2_0111A30B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DC310 mov ecx, dword ptr fs:[00000030h] 7_2_010DC310
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B8324 mov eax, dword ptr fs:[00000030h] 7_2_011B8324
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B8324 mov ecx, dword ptr fs:[00000030h] 7_2_011B8324
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011AA352 mov eax, dword ptr fs:[00000030h] 7_2_011AA352
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01188350 mov ecx, dword ptr fs:[00000030h] 7_2_01188350
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116035C mov eax, dword ptr fs:[00000030h] 7_2_0116035C
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116035C mov ecx, dword ptr fs:[00000030h] 7_2_0116035C
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B634F mov eax, dword ptr fs:[00000030h] 7_2_011B634F
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01162349 mov eax, dword ptr fs:[00000030h] 7_2_01162349
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0118437C mov eax, dword ptr fs:[00000030h] 7_2_0118437C
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DE388 mov eax, dword ptr fs:[00000030h] 7_2_010DE388
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010D8397 mov eax, dword ptr fs:[00000030h] 7_2_010D8397
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110438F mov eax, dword ptr fs:[00000030h] 7_2_0110438F
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0118E3DB mov eax, dword ptr fs:[00000030h] 7_2_0118E3DB
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0118E3DB mov ecx, dword ptr fs:[00000030h] 7_2_0118E3DB
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011843D4 mov eax, dword ptr fs:[00000030h] 7_2_011843D4
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA3C0 mov eax, dword ptr fs:[00000030h] 7_2_010EA3C0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E83C0 mov eax, dword ptr fs:[00000030h] 7_2_010E83C0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0119C3CD mov eax, dword ptr fs:[00000030h] 7_2_0119C3CD
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011663C0 mov eax, dword ptr fs:[00000030h] 7_2_011663C0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F03E9 mov eax, dword ptr fs:[00000030h] 7_2_010F03E9
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011163FF mov eax, dword ptr fs:[00000030h] 7_2_011163FF
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010FE3F0 mov eax, dword ptr fs:[00000030h] 7_2_010FE3F0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010D823B mov eax, dword ptr fs:[00000030h] 7_2_010D823B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B625D mov eax, dword ptr fs:[00000030h] 7_2_011B625D
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0119A250 mov eax, dword ptr fs:[00000030h] 7_2_0119A250
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01168243 mov eax, dword ptr fs:[00000030h] 7_2_01168243
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01168243 mov ecx, dword ptr fs:[00000030h] 7_2_01168243
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E6259 mov eax, dword ptr fs:[00000030h] 7_2_010E6259
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DA250 mov eax, dword ptr fs:[00000030h] 7_2_010DA250
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010D826B mov eax, dword ptr fs:[00000030h] 7_2_010D826B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01190274 mov eax, dword ptr fs:[00000030h] 7_2_01190274
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E4260 mov eax, dword ptr fs:[00000030h] 7_2_010E4260
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E4260 mov eax, dword ptr fs:[00000030h] 7_2_010E4260
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E4260 mov eax, dword ptr fs:[00000030h] 7_2_010E4260
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01160283 mov eax, dword ptr fs:[00000030h] 7_2_01160283
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01160283 mov eax, dword ptr fs:[00000030h] 7_2_01160283
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01160283 mov eax, dword ptr fs:[00000030h] 7_2_01160283
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E284 mov eax, dword ptr fs:[00000030h] 7_2_0111E284
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E284 mov eax, dword ptr fs:[00000030h] 7_2_0111E284
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011762A0 mov eax, dword ptr fs:[00000030h] 7_2_011762A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011762A0 mov ecx, dword ptr fs:[00000030h] 7_2_011762A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011762A0 mov eax, dword ptr fs:[00000030h] 7_2_011762A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011762A0 mov eax, dword ptr fs:[00000030h] 7_2_011762A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011762A0 mov eax, dword ptr fs:[00000030h] 7_2_011762A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011762A0 mov eax, dword ptr fs:[00000030h] 7_2_011762A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 7_2_010EA2C3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 7_2_010EA2C3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 7_2_010EA2C3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 7_2_010EA2C3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA2C3 mov eax, dword ptr fs:[00000030h] 7_2_010EA2C3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B62D6 mov eax, dword ptr fs:[00000030h] 7_2_011B62D6
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F02E1 mov eax, dword ptr fs:[00000030h] 7_2_010F02E1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F02E1 mov eax, dword ptr fs:[00000030h] 7_2_010F02E1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F02E1 mov eax, dword ptr fs:[00000030h] 7_2_010F02E1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01176500 mov eax, dword ptr fs:[00000030h] 7_2_01176500
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B4500 mov eax, dword ptr fs:[00000030h] 7_2_011B4500
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B4500 mov eax, dword ptr fs:[00000030h] 7_2_011B4500
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B4500 mov eax, dword ptr fs:[00000030h] 7_2_011B4500
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B4500 mov eax, dword ptr fs:[00000030h] 7_2_011B4500
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B4500 mov eax, dword ptr fs:[00000030h] 7_2_011B4500
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B4500 mov eax, dword ptr fs:[00000030h] 7_2_011B4500
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B4500 mov eax, dword ptr fs:[00000030h] 7_2_011B4500
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E53E mov eax, dword ptr fs:[00000030h] 7_2_0110E53E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E53E mov eax, dword ptr fs:[00000030h] 7_2_0110E53E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E53E mov eax, dword ptr fs:[00000030h] 7_2_0110E53E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E53E mov eax, dword ptr fs:[00000030h] 7_2_0110E53E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E53E mov eax, dword ptr fs:[00000030h] 7_2_0110E53E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0535 mov eax, dword ptr fs:[00000030h] 7_2_010F0535
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0535 mov eax, dword ptr fs:[00000030h] 7_2_010F0535
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0535 mov eax, dword ptr fs:[00000030h] 7_2_010F0535
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0535 mov eax, dword ptr fs:[00000030h] 7_2_010F0535
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0535 mov eax, dword ptr fs:[00000030h] 7_2_010F0535
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0535 mov eax, dword ptr fs:[00000030h] 7_2_010F0535
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E8550 mov eax, dword ptr fs:[00000030h] 7_2_010E8550
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E8550 mov eax, dword ptr fs:[00000030h] 7_2_010E8550
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111656A mov eax, dword ptr fs:[00000030h] 7_2_0111656A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111656A mov eax, dword ptr fs:[00000030h] 7_2_0111656A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111656A mov eax, dword ptr fs:[00000030h] 7_2_0111656A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E2582 mov eax, dword ptr fs:[00000030h] 7_2_010E2582
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E2582 mov ecx, dword ptr fs:[00000030h] 7_2_010E2582
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E59C mov eax, dword ptr fs:[00000030h] 7_2_0111E59C
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01114588 mov eax, dword ptr fs:[00000030h] 7_2_01114588
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011045B1 mov eax, dword ptr fs:[00000030h] 7_2_011045B1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011045B1 mov eax, dword ptr fs:[00000030h] 7_2_011045B1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011605A7 mov eax, dword ptr fs:[00000030h] 7_2_011605A7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011605A7 mov eax, dword ptr fs:[00000030h] 7_2_011605A7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011605A7 mov eax, dword ptr fs:[00000030h] 7_2_011605A7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0111A5D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0111A5D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E5CF mov eax, dword ptr fs:[00000030h] 7_2_0111E5CF
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E5CF mov eax, dword ptr fs:[00000030h] 7_2_0111E5CF
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E65D0 mov eax, dword ptr fs:[00000030h] 7_2_010E65D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E25E0 mov eax, dword ptr fs:[00000030h] 7_2_010E25E0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0110E5E7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0110E5E7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0110E5E7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0110E5E7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0110E5E7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0110E5E7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0110E5E7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0110E5E7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111C5ED mov eax, dword ptr fs:[00000030h] 7_2_0111C5ED
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111C5ED mov eax, dword ptr fs:[00000030h] 7_2_0111C5ED
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01118402 mov eax, dword ptr fs:[00000030h] 7_2_01118402
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01118402 mov eax, dword ptr fs:[00000030h] 7_2_01118402
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01118402 mov eax, dword ptr fs:[00000030h] 7_2_01118402
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111A430 mov eax, dword ptr fs:[00000030h] 7_2_0111A430
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DC427 mov eax, dword ptr fs:[00000030h] 7_2_010DC427
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DE420 mov eax, dword ptr fs:[00000030h] 7_2_010DE420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DE420 mov eax, dword ptr fs:[00000030h] 7_2_010DE420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010DE420 mov eax, dword ptr fs:[00000030h] 7_2_010DE420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01166420 mov eax, dword ptr fs:[00000030h] 7_2_01166420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01166420 mov eax, dword ptr fs:[00000030h] 7_2_01166420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01166420 mov eax, dword ptr fs:[00000030h] 7_2_01166420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01166420 mov eax, dword ptr fs:[00000030h] 7_2_01166420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01166420 mov eax, dword ptr fs:[00000030h] 7_2_01166420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01166420 mov eax, dword ptr fs:[00000030h] 7_2_01166420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01166420 mov eax, dword ptr fs:[00000030h] 7_2_01166420
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110245A mov eax, dword ptr fs:[00000030h] 7_2_0110245A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0119A456 mov eax, dword ptr fs:[00000030h] 7_2_0119A456
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010D645D mov eax, dword ptr fs:[00000030h] 7_2_010D645D
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E443 mov eax, dword ptr fs:[00000030h] 7_2_0111E443
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E443 mov eax, dword ptr fs:[00000030h] 7_2_0111E443
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E443 mov eax, dword ptr fs:[00000030h] 7_2_0111E443
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E443 mov eax, dword ptr fs:[00000030h] 7_2_0111E443
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E443 mov eax, dword ptr fs:[00000030h] 7_2_0111E443
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E443 mov eax, dword ptr fs:[00000030h] 7_2_0111E443
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E443 mov eax, dword ptr fs:[00000030h] 7_2_0111E443
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111E443 mov eax, dword ptr fs:[00000030h] 7_2_0111E443
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110A470 mov eax, dword ptr fs:[00000030h] 7_2_0110A470
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110A470 mov eax, dword ptr fs:[00000030h] 7_2_0110A470
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0110A470 mov eax, dword ptr fs:[00000030h] 7_2_0110A470
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116C460 mov ecx, dword ptr fs:[00000030h] 7_2_0116C460
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0119A49A mov eax, dword ptr fs:[00000030h] 7_2_0119A49A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011144B0 mov ecx, dword ptr fs:[00000030h] 7_2_011144B0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E64AB mov eax, dword ptr fs:[00000030h] 7_2_010E64AB
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116A4B0 mov eax, dword ptr fs:[00000030h] 7_2_0116A4B0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E04E5 mov ecx, dword ptr fs:[00000030h] 7_2_010E04E5
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01110710 mov eax, dword ptr fs:[00000030h] 7_2_01110710
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111C700 mov eax, dword ptr fs:[00000030h] 7_2_0111C700
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E0710 mov eax, dword ptr fs:[00000030h] 7_2_010E0710
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115C730 mov eax, dword ptr fs:[00000030h] 7_2_0115C730
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111273C mov eax, dword ptr fs:[00000030h] 7_2_0111273C
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111273C mov ecx, dword ptr fs:[00000030h] 7_2_0111273C
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111273C mov eax, dword ptr fs:[00000030h] 7_2_0111273C
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111C720 mov eax, dword ptr fs:[00000030h] 7_2_0111C720
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111C720 mov eax, dword ptr fs:[00000030h] 7_2_0111C720
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122750 mov eax, dword ptr fs:[00000030h] 7_2_01122750
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122750 mov eax, dword ptr fs:[00000030h] 7_2_01122750
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01164755 mov eax, dword ptr fs:[00000030h] 7_2_01164755
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116E75D mov eax, dword ptr fs:[00000030h] 7_2_0116E75D
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111674D mov esi, dword ptr fs:[00000030h] 7_2_0111674D
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111674D mov eax, dword ptr fs:[00000030h] 7_2_0111674D
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111674D mov eax, dword ptr fs:[00000030h] 7_2_0111674D
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E0750 mov eax, dword ptr fs:[00000030h] 7_2_010E0750
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E8770 mov eax, dword ptr fs:[00000030h] 7_2_010E8770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F0770 mov eax, dword ptr fs:[00000030h] 7_2_010F0770
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0118678E mov eax, dword ptr fs:[00000030h] 7_2_0118678E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E07AF mov eax, dword ptr fs:[00000030h] 7_2_010E07AF
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011947A0 mov eax, dword ptr fs:[00000030h] 7_2_011947A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EC7C0 mov eax, dword ptr fs:[00000030h] 7_2_010EC7C0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011607C3 mov eax, dword ptr fs:[00000030h] 7_2_011607C3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E47FB mov eax, dword ptr fs:[00000030h] 7_2_010E47FB
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E47FB mov eax, dword ptr fs:[00000030h] 7_2_010E47FB
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116E7E1 mov eax, dword ptr fs:[00000030h] 7_2_0116E7E1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011027ED mov eax, dword ptr fs:[00000030h] 7_2_011027ED
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011027ED mov eax, dword ptr fs:[00000030h] 7_2_011027ED
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011027ED mov eax, dword ptr fs:[00000030h] 7_2_011027ED
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F260B mov eax, dword ptr fs:[00000030h] 7_2_010F260B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F260B mov eax, dword ptr fs:[00000030h] 7_2_010F260B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F260B mov eax, dword ptr fs:[00000030h] 7_2_010F260B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F260B mov eax, dword ptr fs:[00000030h] 7_2_010F260B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F260B mov eax, dword ptr fs:[00000030h] 7_2_010F260B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F260B mov eax, dword ptr fs:[00000030h] 7_2_010F260B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F260B mov eax, dword ptr fs:[00000030h] 7_2_010F260B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01122619 mov eax, dword ptr fs:[00000030h] 7_2_01122619
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115E609 mov eax, dword ptr fs:[00000030h] 7_2_0115E609
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E262C mov eax, dword ptr fs:[00000030h] 7_2_010E262C
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010FE627 mov eax, dword ptr fs:[00000030h] 7_2_010FE627
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01116620 mov eax, dword ptr fs:[00000030h] 7_2_01116620
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01118620 mov eax, dword ptr fs:[00000030h] 7_2_01118620
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010FC640 mov eax, dword ptr fs:[00000030h] 7_2_010FC640
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01112674 mov eax, dword ptr fs:[00000030h] 7_2_01112674
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111A660 mov eax, dword ptr fs:[00000030h] 7_2_0111A660
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111A660 mov eax, dword ptr fs:[00000030h] 7_2_0111A660
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011A866E mov eax, dword ptr fs:[00000030h] 7_2_011A866E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011A866E mov eax, dword ptr fs:[00000030h] 7_2_011A866E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E4690 mov eax, dword ptr fs:[00000030h] 7_2_010E4690
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E4690 mov eax, dword ptr fs:[00000030h] 7_2_010E4690
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011166B0 mov eax, dword ptr fs:[00000030h] 7_2_011166B0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111C6A6 mov eax, dword ptr fs:[00000030h] 7_2_0111C6A6
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111A6C7 mov ebx, dword ptr fs:[00000030h] 7_2_0111A6C7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0111A6C7 mov eax, dword ptr fs:[00000030h] 7_2_0111A6C7
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0115E6F2
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0115E6F2
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0115E6F2
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115E6F2 mov eax, dword ptr fs:[00000030h] 7_2_0115E6F2
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011606F1 mov eax, dword ptr fs:[00000030h] 7_2_011606F1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011606F1 mov eax, dword ptr fs:[00000030h] 7_2_011606F1
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116C912 mov eax, dword ptr fs:[00000030h] 7_2_0116C912
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010D8918 mov eax, dword ptr fs:[00000030h] 7_2_010D8918
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010D8918 mov eax, dword ptr fs:[00000030h] 7_2_010D8918
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115E908 mov eax, dword ptr fs:[00000030h] 7_2_0115E908
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0115E908 mov eax, dword ptr fs:[00000030h] 7_2_0115E908
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116892A mov eax, dword ptr fs:[00000030h] 7_2_0116892A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0117892B mov eax, dword ptr fs:[00000030h] 7_2_0117892B
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01160946 mov eax, dword ptr fs:[00000030h] 7_2_01160946
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011B4940 mov eax, dword ptr fs:[00000030h] 7_2_011B4940
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01184978 mov eax, dword ptr fs:[00000030h] 7_2_01184978
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01184978 mov eax, dword ptr fs:[00000030h] 7_2_01184978
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116C97C mov eax, dword ptr fs:[00000030h] 7_2_0116C97C
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01106962 mov eax, dword ptr fs:[00000030h] 7_2_01106962
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01106962 mov eax, dword ptr fs:[00000030h] 7_2_01106962
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_01106962 mov eax, dword ptr fs:[00000030h] 7_2_01106962
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0112096E mov eax, dword ptr fs:[00000030h] 7_2_0112096E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0112096E mov edx, dword ptr fs:[00000030h] 7_2_0112096E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0112096E mov eax, dword ptr fs:[00000030h] 7_2_0112096E
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E09AD mov eax, dword ptr fs:[00000030h] 7_2_010E09AD
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010E09AD mov eax, dword ptr fs:[00000030h] 7_2_010E09AD
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011689B3 mov esi, dword ptr fs:[00000030h] 7_2_011689B3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011689B3 mov eax, dword ptr fs:[00000030h] 7_2_011689B3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011689B3 mov eax, dword ptr fs:[00000030h] 7_2_011689B3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010F29A0 mov eax, dword ptr fs:[00000030h] 7_2_010F29A0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011149D0 mov eax, dword ptr fs:[00000030h] 7_2_011149D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011AA9D3 mov eax, dword ptr fs:[00000030h] 7_2_011AA9D3
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011769C0 mov eax, dword ptr fs:[00000030h] 7_2_011769C0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_010EA9D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_010EA9D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_010EA9D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_010EA9D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_010EA9D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_010EA9D0 mov eax, dword ptr fs:[00000030h] 7_2_010EA9D0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011129F9 mov eax, dword ptr fs:[00000030h] 7_2_011129F9
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_011129F9 mov eax, dword ptr fs:[00000030h] 7_2_011129F9
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116E9E0 mov eax, dword ptr fs:[00000030h] 7_2_0116E9E0
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Code function: 7_2_0116C810 mov eax, dword ptr fs:[00000030h] 7_2_0116C810
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe"
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Memory written: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Memory written: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VgPjxShbdbBH" /XML "C:\Users\user\AppData\Local\Temp\tmp4C43.tmp"
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Process created: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe "C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe"
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VgPjxShbdbBH" /XML "C:\Users\user\AppData\Local\Temp\tmp5CCE.tmp"
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Process created: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe "C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe"
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Queries volume information: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe VolumeInformation
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Queries volume information: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\VgPjxShbdbBH.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\L3pFsxNFICpBGmi.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2368050884.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2368458197.0000000000BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.L3pFsxNFICpBGmi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.2368050884.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2368458197.0000000000BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos