Windows Analysis Report
PO#86637.exe

Overview

General Information

Sample name: PO#86637.exe
Analysis ID: 1522678
MD5: c38fe2b4f5b0ebd3333a88fd42752f63
SHA1: 16db98340dac46d1ed93b119d165aaa5521d631c
SHA256: 3850da992cb6ca0cd6bcaafd65baeee9f420c3f878cf0aa6fc47fc5472e395cc

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Roaming\Fyepece.exe ReversingLabs: Detection: 21%
Source: PO#86637.exe Virustotal: Detection: 24%
Source: PO#86637.exe ReversingLabs: Detection: 21%
Source: Yara match File source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Joe Sandbox ML: detected
Source: PO#86637.exe Joe Sandbox ML: detected
Source: PO#86637.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PO#86637.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RWnC.pdb source: PO#86637.exe, Fyepece.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: PO#86637.exe, 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO#86637.exe, PO#86637.exe, 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RWnC.pdbSHA256U source: PO#86637.exe, Fyepece.exe.0.dr
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 4x nop then jmp 08310CB1h 12_2_083101BC
Source: PO#86637.exe, 00000000.00000002.1430741996.0000000003144000.00000004.00000800.00020000.00000000.sdmp, Fyepece.exe, 0000000C.00000002.1561312955.000000000339D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Source: Yara match File source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: PO#86637.exe
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0042C283 NtClose, 11_2_0042C283
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962B60 NtClose,LdrInitializeThunk, 11_2_01962B60
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962DF0 NtQuerySystemInformation,LdrInitializeThunk, 11_2_01962DF0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962C70 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_01962C70
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019635C0 NtCreateMutant,LdrInitializeThunk, 11_2_019635C0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01964340 NtSetContextThread, 11_2_01964340
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01964650 NtSuspendThread, 11_2_01964650
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962B80 NtQueryInformationFile, 11_2_01962B80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962BA0 NtEnumerateValueKey, 11_2_01962BA0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962BF0 NtAllocateVirtualMemory, 11_2_01962BF0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962BE0 NtQueryValueKey, 11_2_01962BE0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962AB0 NtWaitForSingleObject, 11_2_01962AB0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962AD0 NtReadFile, 11_2_01962AD0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962AF0 NtWriteFile, 11_2_01962AF0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962DB0 NtEnumerateKey, 11_2_01962DB0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962DD0 NtDelayExecution, 11_2_01962DD0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962D10 NtMapViewOfSection, 11_2_01962D10
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962D00 NtSetInformationFile, 11_2_01962D00
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962D30 NtUnmapViewOfSection, 11_2_01962D30
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962CA0 NtQueryInformationToken, 11_2_01962CA0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962CC0 NtQueryVirtualMemory, 11_2_01962CC0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962CF0 NtOpenProcess, 11_2_01962CF0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962C00 NtQueryInformationProcess, 11_2_01962C00
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962C60 NtCreateKey, 11_2_01962C60
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962F90 NtProtectVirtualMemory, 11_2_01962F90
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962FB0 NtResumeThread, 11_2_01962FB0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962FA0 NtQuerySection, 11_2_01962FA0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962FE0 NtCreateFile, 11_2_01962FE0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962F30 NtCreateSection, 11_2_01962F30
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962F60 NtCreateProcessEx, 11_2_01962F60
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962E80 NtReadVirtualMemory, 11_2_01962E80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962EA0 NtAdjustPrivilegesToken, 11_2_01962EA0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962EE0 NtQueueApcThread, 11_2_01962EE0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962E30 NtWriteVirtualMemory, 11_2_01962E30
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01963090 NtSetValueKey, 11_2_01963090
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01963010 NtOpenDirectoryObject, 11_2_01963010
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019639B0 NtGetContextThread, 11_2_019639B0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01963D10 NtOpenProcessToken, 11_2_01963D10
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01963D70 NtOpenThread, 11_2_01963D70
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: String function: 0165EA12 appears 37 times
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: String function: 01637E54 appears 97 times
Source: C:\Users\user\Desktop\PO#86637.exe Code function: String function: 01965130 appears 58 times
Source: C:\Users\user\Desktop\PO#86637.exe Code function: String function: 019AF290 appears 105 times
Source: C:\Users\user\Desktop\PO#86637.exe Code function: String function: 01977E54 appears 111 times
Source: C:\Users\user\Desktop\PO#86637.exe Code function: String function: 0199EA12 appears 86 times
Source: C:\Users\user\Desktop\PO#86637.exe Code function: String function: 0191B970 appears 280 times
Source: PO#86637.exe, 00000000.00000002.1465826910.000000000A510000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000000.1407683939.0000000000B58000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRWnC.exe> vs PO#86637.exe
Source: PO#86637.exe, 00000000.00000002.1429036257.0000000000FAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO#86637.exe
Source: PO#86637.exe, 0000000B.00000002.1584084138.0000000001A1D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO#86637.exe
Source: PO#86637.exe Binary or memory string: OriginalFilenameRWnC.exe> vs PO#86637.exe
Source: PO#86637.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: PO#86637.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Fyepece.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, FjKGDRDtxY2NuNwEGN.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, FjKGDRDtxY2NuNwEGN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, FjKGDRDtxY2NuNwEGN.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, gaT0VtLolsTmIlrt70.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, gaT0VtLolsTmIlrt70.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, FjKGDRDtxY2NuNwEGN.cs Security API names: _0020.SetAccessControl
Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, FjKGDRDtxY2NuNwEGN.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, FjKGDRDtxY2NuNwEGN.cs Security API names: _0020.AddAccessRule
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, gaT0VtLolsTmIlrt70.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@27/15@0/0
Source: C:\Users\user\Desktop\PO#86637.exe File created: C:\Users\user\AppData\Roaming\Fyepece.exe
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7244:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8168:120:WilError_03
Source: C:\Users\user\Desktop\PO#86637.exe File created: C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp
Source: PO#86637.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\PO#86637.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PO#86637.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PO#86637.exe Virustotal: Detection: 24%
Source: PO#86637.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\PO#86637.exe File read: C:\Users\user\Desktop\PO#86637.exe
Source: unknown Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Fyepece.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\Fyepece.exe C:\Users\user\AppData\Roaming\Fyepece.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp958F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe"
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe"
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe"
Source: C:\Users\user\Desktop\PO#86637.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, msvcp140_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, gpapi.dll, userenv.dll, profapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, windows.storage.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, msvcp140_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, windowscodecs.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\Desktop\PO#86637.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO#86637.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO#86637.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#86637.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: PO#86637.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RWnC.pdb source: PO#86637.exe, Fyepece.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: PO#86637.exe, 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: PO#86637.exe, PO#86637.exe, 0000000B.00000002.1584084138.00000000018F0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: RWnC.pdbSHA256U source: PO#86637.exe, Fyepece.exe.0.dr

Data Obfuscation

Source: 0.2.PO#86637.exe.3ec1c20.1.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.cs .Net Code: fWOZhDRxOu System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#86637.exe.49ad0d0.2.raw.unpack, FjKGDRDtxY2NuNwEGN.cs .Net Code: fWOZhDRxOu System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#86637.exe.a510000.4.raw.unpack, FjKGDRDtxY2NuNwEGN.cs .Net Code: fWOZhDRxOu System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#86637.exe.7430000.3.raw.unpack, MainForm.cs .Net Code: _200E_200C_200B_202B_202E_200E_200E_202D_200B_206C_202C_202B_200B_200F_200E_206F_206C_202C_202D_200E_206E_206E_200C_206D_202C_200B_200E_202B_200B_206A_202E_206A_202E_206E_206E_206A_206C_206A_206F_202E_202E System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_01470DF5 pushfd ; iretd 0_2_01470DF9
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_05A97080 pushad ; ret 0_2_05A97081
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_05A97082 push esp; ret 0_2_05A97089
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_05A9FC12 push esp; ret 0_2_05A9FC19
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 0_2_05A93E78 push eax; mov dword ptr [esp], ecx 0_2_05A93E7C
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0041A87D push esp; retf 11_2_0041A87E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0040710D pushfd ; retf 11_2_0040710E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00423916 push esi; retf 11_2_0042392E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00423923 push esi; retf 11_2_0042392E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_004031D0 push eax; ret 11_2_004031D2
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00418B76 push ebx; retf 11_2_00418B77
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00423B35 push cs; retf 11_2_00423B36
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0041A3C1 push edi; retf 11_2_0041A3C7
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_004143E3 push edi; iretd 11_2_004143EF
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00423C2F push C67CA722h; ret 11_2_00423C34
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00411DA3 push edi; iretd 11_2_00411DAF
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_00424700 push ecx; retf 11_2_00424749
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_004247A8 push edi; ret 11_2_004247AC
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019209AD push ecx; mov dword ptr [esp], ecx 11_2_019209B6
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_03120DF5 pushfd ; iretd 12_2_03120DF9
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07CF92E8 pushfd ; iretd 12_2_07CF92E9
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07CF0E8B push es; iretd 12_2_07CF0E8E
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07CF0E47 push 0000000Ch; iretd 12_2_07CF0E4A
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07CF0E6B push es; iretd 12_2_07CF0E72
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07DC3E78 push eax; mov dword ptr [esp], ecx 12_2_07DC3E7C
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07DC7080 pushad ; ret 12_2_07DC7081
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_07DC7083 push esp; ret 12_2_07DC7089
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_0831364D push FFFFFF8Bh; iretd 12_2_0831364F
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 12_2_083117AA push esp; iretd 12_2_083117AD
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 18_2_0162C54F push 8B015B67h; ret 18_2_0162C554
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Code function: 18_2_0162C54D pushfd ; ret 18_2_0162C54E
Source: PO#86637.exe Static PE information: section name: .text entropy: 7.775931986103321
Source: Fyepece.exe.0.dr Static PE information: section name: .text entropy: 7.775931986103321
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, aaOnasOOrmA08I2wWux.cs High entropy of concatenated method names: 'ToString', 'uuVPs0pbO2', 'sW0PZq9j5p', 'YGAP6HZxdC', 'CDwPt2vEL8', 'sRhPHUegSC', 'aPDPgfHEiD', 'CpKP2i4k5T', 'V6ZAPMEmC6DuGgjn5Av', 'yYX4TWENGDe912wIet6'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, mi9sax1VSksVKx3i4W.cs High entropy of concatenated method names: 'ToString', 'JGGjKk0WM2', 'wLLjWn2ccg', 'QdOj8WOEJP', 'Kh2j3cNACP', 'HVqjAaeVtr', 'khYjNQJdrB', 'O5Zj7RM64h', 'zBejaF6q77', 'bGOjxGF4Lj'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, fhC2YhcDAwMvSech5h.cs High entropy of concatenated method names: 'hKmdfWBgZa', 'bkIdo5hHlE', 'jKldcdrHBJ', 'zl5dUCBm9W', 'spbdW0SdiX', 'tZ3d8I370V', 'kNCd3Gj9Po', 'T41dAco38e', 'DyodNK5Wcv', 'YwRd77ifp1'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, FjKGDRDtxY2NuNwEGN.cs High entropy of concatenated method names: 'wQvs6CAoHK', 'JHqst1AYSi', 'csfsHBUBSe', 'hASsg2nf4M', 'Nvbs2yGBR4', 'PsuswXetGy', 'P9UspwBwrm', 'LihsDApAsA', 'lTZskd0AXJ', 'gnQsyxJBEn'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, OXWBBDZiEOUKc1d7yd.cs High entropy of concatenated method names: 'TRHOpaT0Vt', 'PlsODTmIlr', 'UpmOy6e5jY', 'Nj3Ol4G8lP', 'zGyOd73OAa', 'VlCOjj6heu', 'XO3sE6VuwirSZT7uHu', 'q3abZFMZxWGujkhqNg', 'MkHOObaBmH', 'n2QOsbiXwd'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, sgAmBSv3yqo7QmRnDX.cs High entropy of concatenated method names: 'CPTTix6L8c', 'X8uTVX2B1r', 'XRsEJv1ZFN', 'HJaEO0Z68T', 'L4STKKl5Pj', 'RctTobYrA3', 'alKT5A3KAh', 'B3BTcspxpP', 'N91TU9CetX', 'TdUT1BBgPc'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, mDCJGi5n5IiQBlF3Di.cs High entropy of concatenated method names: 'S3TILcpQ7A', 'RXDIG6GMCv', 'LjaIFREEr3', 'hRsIWJL1Un', 'aNVI3KlhOP', 'gHgIA35HM2', 'pItI7Lox0R', 'xRbIaVBxZf', 'NNuIfQac9s', 'VneIKxGuNg'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, MIx6NdzWM7MNjAuofV.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'GtlYI4ViXC', 'juSYdXK7jl', 'pFoYjSkd16', 'X9mYTl6ls7', 'M47YELOrub', 'rn5YYGC9xq', 'PfhYPGO6xi'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, bAavlCFj6heusMkO2Q.cs High entropy of concatenated method names: 'uCXw6Cd9Qs', 'norwHSFiOv', 'Xmuw2Shpj4', 'TFawpSD3jg', 'NmAwDChp3H', 'tQj2C9HQNV', 'iY22vPX5lT', 'mHL2eqgOAj', 'yiv2iC3Vyh', 'VGP2qRYjyB'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, gaT0VtLolsTmIlrt70.cs High entropy of concatenated method names: 'pFyHcA5puL', 'uLuHU7oUQU', 'UCXH1pebDx', 'Gh5H9oMQet', 's4MHCoD6UR', 'jBlHvK4r2d', 'LGaHeau0m0', 'bv8HiDUWNm', 'BhbHqRaANe', 'VAXHVwyjX2'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, E8lPECR9BGmgOhGy73.cs High entropy of concatenated method names: 'umZ2Q3xvQg', 'De72naqrFM', 'cIdg8NNGIN', 'bPpg3IEPRv', 'Wf5gAFeo9e', 'bssgNnQp0Y', 'b4Qg7JYw9C', 'LF2galNlit', 'qUHgxFfEqB', 'Sk5gfByYvR'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, ihr2IjOsiu7TSCME1ab.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'kjRPcSNw5R', 'u8IPUd7IPQ', 'gjQP17G3Tf', 'dfLP9eJQkt', 'k5kPCc0ltQ', 'u71PvxMVCV', 'pFjPe9gvOw'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, NlPEcCGpm6e5jYfj34.cs High entropy of concatenated method names: 'hWdg4OKsDI', 'TjAgXXi1Xn', 'fAEgLh7IcP', 'e7ygGVkm7K', 'F2FgdZGG4f', 'gA2gjjccsk', 'FmcgTf73jX', 'qlegExEAwG', 'U0TgYKB5Hx', 'IEOgPYvrlq'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, wYLaRBisUKwyOTbCK3.cs High entropy of concatenated method names: 'qPuEtpNlAn', 'uwJEH0O0A1', 'aCfEgxmJJF', 'gnGE2GZsK3', 'mrYEwXOmDD', 'xqfEpPfa1C', 'gUUEDdQcgR', 'WYNEkev6ur', 'PmMEyGRxro', 'XIYElZeOhc'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, d2ad8ROJHVErhE8p8b9.cs High entropy of concatenated method names: 'dWMYBBVMCT', 'qeRYMHy2hs', 'dqZYhGPPKn', 'p5HY4BNZp8', 'yR0YQpGmLJ', 'G9rYXGoAol', 'XJqYnWL9H7', 'YejYLeXnXj', 'LtgYGHrR3O', 's4KYRqFog0'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, oAseWL02DMjjqFMBXR.cs High entropy of concatenated method names: 'myEhhQGH2', 'O9H48we8m', 'z4FX9JQSK', 'fOpnw1waF', 'It1G6pAl1', 'DOTRQbLGc', 'SuM6owUF4JYX2kbFMj', 'BusdXRGObGaO7AviEp', 'ocQE4x1eR', 'xumPPJTcK'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, NjAYRtVR1ISG2pUfbe.cs High entropy of concatenated method names: 'nUGYOgDKyw', 'pwqYsaSXK9', 'kyBYZPkKhc', 'dskYtkGA4q', 'UM4YHLgrcf', 'DUkY2mkv1v', 'FMiYw07QAJ', 'NITEedw8xv', 'bFEEi4Kj1O', 'yFsEqNuCv7'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, dDoUytHr6ppWvIHaSy.cs High entropy of concatenated method names: 'Dispose', 'netOqA4u8M', 'oKi0WHEBic', 'NXMYYNv6b0', 'vrYOVLaRBs', 'RKwOzyOTbC', 'ProcessDialogKey', 'O3k0JhKH8E', 'N7Q0OsUWZn', 'qMo00xjAYR'
Source: 0.2.PO#86637.exe.49258b0.0.raw.unpack, ln54oQxhBJyjDrYAS1.cs High entropy of concatenated method names: 'llBpBfaqKF', 'i4KpMKLtKM', 'yvNphg4eT7', 'uuIp4qs3QS', 'htIpQb6LTa', 'LFEpXyvaEM', 'hRJpnd3iPp', 'OR9pLvYv3m', 'pMZpGCI7mB', 'VySpRxCH21'
Source: C:\Users\user\Desktop\PO#86637.exe File created: C:\Users\user\AppData\Roaming\Fyepece.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: PO#86637.exe PID: 7936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Fyepece.exe PID: 1160, type: MEMORYSTR
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 1470000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 2E90000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 14D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 7DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 8DB0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 8F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: 9F60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: A5A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: B5A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: C5A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 1A00000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 3320000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 3040000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 7ED0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 8ED0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: 9070000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: A070000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: A600000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory allocated: B600000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0196096E rdtsc 11_2_0196096E
Source: C:\Users\user\Desktop\PO#86637.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4214 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2784 Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe API coverage: 0.7 %
Source: C:\Users\user\AppData\Roaming\Fyepece.exe API coverage: 0.3 %
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7956 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7496 Thread sleep count: 4214 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7476 Thread sleep count: 96 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 964 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1988 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3184 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7748 Thread sleep time: -1844674407370954s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe TID: 7728 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe TID: 4476 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe TID: 3068 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO#86637.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0196096E rdtsc 11_2_0196096E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_004173A3 LdrLoadDll, 11_2_004173A3
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A019F mov eax, dword ptr fs:[00000030h] 11_2_019A019F
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AC460 mov ecx, dword ptr fs:[00000030h] 11_2_019AC460
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019C678E mov eax, dword ptr fs:[00000030h] 11_2_019C678E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019207AF mov eax, dword ptr fs:[00000030h] 11_2_019207AF
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019D47A0 mov eax, dword ptr fs:[00000030h] 11_2_019D47A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192C7C0 mov eax, dword ptr fs:[00000030h] 11_2_0192C7C0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A07C3 mov eax, dword ptr fs:[00000030h] 11_2_019A07C3
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019247FB mov eax, dword ptr fs:[00000030h] 11_2_019247FB
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019247FB mov eax, dword ptr fs:[00000030h] 11_2_019247FB
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019427ED mov eax, dword ptr fs:[00000030h] 11_2_019427ED
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019427ED mov eax, dword ptr fs:[00000030h] 11_2_019427ED
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019427ED mov eax, dword ptr fs:[00000030h] 11_2_019427ED
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AE7E1 mov eax, dword ptr fs:[00000030h] 11_2_019AE7E1
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01920710 mov eax, dword ptr fs:[00000030h] 11_2_01920710
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01950710 mov eax, dword ptr fs:[00000030h] 11_2_01950710
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195C700 mov eax, dword ptr fs:[00000030h] 11_2_0195C700
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195273C mov eax, dword ptr fs:[00000030h] 11_2_0195273C
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195273C mov ecx, dword ptr fs:[00000030h] 11_2_0195273C
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195273C mov eax, dword ptr fs:[00000030h] 11_2_0195273C
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199C730 mov eax, dword ptr fs:[00000030h] 11_2_0199C730
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195C720 mov eax, dword ptr fs:[00000030h] 11_2_0195C720
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195C720 mov eax, dword ptr fs:[00000030h] 11_2_0195C720
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01920750 mov eax, dword ptr fs:[00000030h] 11_2_01920750
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962750 mov eax, dword ptr fs:[00000030h] 11_2_01962750
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962750 mov eax, dword ptr fs:[00000030h] 11_2_01962750
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AE75D mov eax, dword ptr fs:[00000030h] 11_2_019AE75D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A4755 mov eax, dword ptr fs:[00000030h] 11_2_019A4755
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195674D mov esi, dword ptr fs:[00000030h] 11_2_0195674D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195674D mov eax, dword ptr fs:[00000030h] 11_2_0195674D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195674D mov eax, dword ptr fs:[00000030h] 11_2_0195674D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01928770 mov eax, dword ptr fs:[00000030h] 11_2_01928770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930770 mov eax, dword ptr fs:[00000030h] 11_2_01930770
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01924690 mov eax, dword ptr fs:[00000030h] 11_2_01924690
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01924690 mov eax, dword ptr fs:[00000030h] 11_2_01924690
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019566B0 mov eax, dword ptr fs:[00000030h] 11_2_019566B0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195C6A6 mov eax, dword ptr fs:[00000030h] 11_2_0195C6A6
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195A6C7 mov ebx, dword ptr fs:[00000030h] 11_2_0195A6C7
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195A6C7 mov eax, dword ptr fs:[00000030h] 11_2_0195A6C7
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0199E6F2
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0199E6F2
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0199E6F2
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0199E6F2
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A06F1 mov eax, dword ptr fs:[00000030h] 11_2_019A06F1
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A06F1 mov eax, dword ptr fs:[00000030h] 11_2_019A06F1
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01962619 mov eax, dword ptr fs:[00000030h] 11_2_01962619
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199E609 mov eax, dword ptr fs:[00000030h] 11_2_0199E609
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0193260B mov eax, dword ptr fs:[00000030h] 11_2_0193260B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0193260B mov eax, dword ptr fs:[00000030h] 11_2_0193260B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0193260B mov eax, dword ptr fs:[00000030h] 11_2_0193260B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0193260B mov eax, dword ptr fs:[00000030h] 11_2_0193260B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0193260B mov eax, dword ptr fs:[00000030h] 11_2_0193260B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0193260B mov eax, dword ptr fs:[00000030h] 11_2_0193260B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0193260B mov eax, dword ptr fs:[00000030h] 11_2_0193260B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0193E627 mov eax, dword ptr fs:[00000030h] 11_2_0193E627
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01956620 mov eax, dword ptr fs:[00000030h] 11_2_01956620
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01958620 mov eax, dword ptr fs:[00000030h] 11_2_01958620
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192262C mov eax, dword ptr fs:[00000030h] 11_2_0192262C
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0193C640 mov eax, dword ptr fs:[00000030h] 11_2_0193C640
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01952674 mov eax, dword ptr fs:[00000030h] 11_2_01952674
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019E866E mov eax, dword ptr fs:[00000030h] 11_2_019E866E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019E866E mov eax, dword ptr fs:[00000030h] 11_2_019E866E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195A660 mov eax, dword ptr fs:[00000030h] 11_2_0195A660
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195A660 mov eax, dword ptr fs:[00000030h] 11_2_0195A660
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A89B3 mov esi, dword ptr fs:[00000030h] 11_2_019A89B3
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A89B3 mov eax, dword ptr fs:[00000030h] 11_2_019A89B3
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A89B3 mov eax, dword ptr fs:[00000030h] 11_2_019A89B3
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019329A0 mov eax, dword ptr fs:[00000030h] 11_2_019329A0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019209AD mov eax, dword ptr fs:[00000030h] 11_2_019209AD
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019209AD mov eax, dword ptr fs:[00000030h] 11_2_019209AD
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 11_2_0192A9D0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 11_2_0192A9D0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 11_2_0192A9D0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 11_2_0192A9D0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 11_2_0192A9D0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192A9D0 mov eax, dword ptr fs:[00000030h] 11_2_0192A9D0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019549D0 mov eax, dword ptr fs:[00000030h] 11_2_019549D0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019EA9D3 mov eax, dword ptr fs:[00000030h] 11_2_019EA9D3
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019B69C0 mov eax, dword ptr fs:[00000030h] 11_2_019B69C0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019529F9 mov eax, dword ptr fs:[00000030h] 11_2_019529F9
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019529F9 mov eax, dword ptr fs:[00000030h] 11_2_019529F9
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AE9E0 mov eax, dword ptr fs:[00000030h] 11_2_019AE9E0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AC912 mov eax, dword ptr fs:[00000030h] 11_2_019AC912
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01918918 mov eax, dword ptr fs:[00000030h] 11_2_01918918
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01918918 mov eax, dword ptr fs:[00000030h] 11_2_01918918
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199E908 mov eax, dword ptr fs:[00000030h] 11_2_0199E908
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199E908 mov eax, dword ptr fs:[00000030h] 11_2_0199E908
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A892A mov eax, dword ptr fs:[00000030h] 11_2_019A892A
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019B892B mov eax, dword ptr fs:[00000030h] 11_2_019B892B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019A0946 mov eax, dword ptr fs:[00000030h] 11_2_019A0946
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019F4940 mov eax, dword ptr fs:[00000030h] 11_2_019F4940
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019C4978 mov eax, dword ptr fs:[00000030h] 11_2_019C4978
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019C4978 mov eax, dword ptr fs:[00000030h] 11_2_019C4978
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AC97C mov eax, dword ptr fs:[00000030h] 11_2_019AC97C
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01946962 mov eax, dword ptr fs:[00000030h] 11_2_01946962
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01946962 mov eax, dword ptr fs:[00000030h] 11_2_01946962
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01946962 mov eax, dword ptr fs:[00000030h] 11_2_01946962
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0196096E mov eax, dword ptr fs:[00000030h] 11_2_0196096E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0196096E mov edx, dword ptr fs:[00000030h] 11_2_0196096E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0196096E mov eax, dword ptr fs:[00000030h] 11_2_0196096E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AC89D mov eax, dword ptr fs:[00000030h] 11_2_019AC89D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01920887 mov eax, dword ptr fs:[00000030h] 11_2_01920887
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0194E8C0 mov eax, dword ptr fs:[00000030h] 11_2_0194E8C0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019F08C0 mov eax, dword ptr fs:[00000030h] 11_2_019F08C0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195C8F9 mov eax, dword ptr fs:[00000030h] 11_2_0195C8F9
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195C8F9 mov eax, dword ptr fs:[00000030h] 11_2_0195C8F9
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019EA8E4 mov eax, dword ptr fs:[00000030h] 11_2_019EA8E4
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AC810 mov eax, dword ptr fs:[00000030h] 11_2_019AC810
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01942835 mov eax, dword ptr fs:[00000030h] 11_2_01942835
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01942835 mov eax, dword ptr fs:[00000030h] 11_2_01942835
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01942835 mov eax, dword ptr fs:[00000030h] 11_2_01942835
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01942835 mov ecx, dword ptr fs:[00000030h] 11_2_01942835
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01942835 mov eax, dword ptr fs:[00000030h] 11_2_01942835
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01942835 mov eax, dword ptr fs:[00000030h] 11_2_01942835
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195A830 mov eax, dword ptr fs:[00000030h] 11_2_0195A830
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019C483A mov eax, dword ptr fs:[00000030h] 11_2_019C483A
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019C483A mov eax, dword ptr fs:[00000030h] 11_2_019C483A
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01950854 mov eax, dword ptr fs:[00000030h] 11_2_01950854
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01924859 mov eax, dword ptr fs:[00000030h] 11_2_01924859
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01924859 mov eax, dword ptr fs:[00000030h] 11_2_01924859
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01932840 mov ecx, dword ptr fs:[00000030h] 11_2_01932840
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AE872 mov eax, dword ptr fs:[00000030h] 11_2_019AE872
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019AE872 mov eax, dword ptr fs:[00000030h] 11_2_019AE872
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019B6870 mov eax, dword ptr fs:[00000030h] 11_2_019B6870
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019B6870 mov eax, dword ptr fs:[00000030h] 11_2_019B6870
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930BBE mov eax, dword ptr fs:[00000030h] 11_2_01930BBE
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01930BBE mov eax, dword ptr fs:[00000030h] 11_2_01930BBE
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019D4BB0 mov eax, dword ptr fs:[00000030h] 11_2_019D4BB0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019D4BB0 mov eax, dword ptr fs:[00000030h] 11_2_019D4BB0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019CEBD0 mov eax, dword ptr fs:[00000030h] 11_2_019CEBD0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01940BCB mov eax, dword ptr fs:[00000030h] 11_2_01940BCB
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01940BCB mov eax, dword ptr fs:[00000030h] 11_2_01940BCB
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01940BCB mov eax, dword ptr fs:[00000030h] 11_2_01940BCB
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01920BCD mov eax, dword ptr fs:[00000030h] 11_2_01920BCD
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01920BCD mov eax, dword ptr fs:[00000030h] 11_2_01920BCD
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01920BCD mov eax, dword ptr fs:[00000030h] 11_2_01920BCD
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01928BF0 mov eax, dword ptr fs:[00000030h] 11_2_01928BF0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01928BF0 mov eax, dword ptr fs:[00000030h] 11_2_01928BF0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01928BF0 mov eax, dword ptr fs:[00000030h] 11_2_01928BF0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0194EBFC mov eax, dword ptr fs:[00000030h] 11_2_0194EBFC
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019ACBF0 mov eax, dword ptr fs:[00000030h] 11_2_019ACBF0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199EB1D mov eax, dword ptr fs:[00000030h] 11_2_0199EB1D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199EB1D mov eax, dword ptr fs:[00000030h] 11_2_0199EB1D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199EB1D mov eax, dword ptr fs:[00000030h] 11_2_0199EB1D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199EB1D mov eax, dword ptr fs:[00000030h] 11_2_0199EB1D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199EB1D mov eax, dword ptr fs:[00000030h] 11_2_0199EB1D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199EB1D mov eax, dword ptr fs:[00000030h] 11_2_0199EB1D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199EB1D mov eax, dword ptr fs:[00000030h] 11_2_0199EB1D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199EB1D mov eax, dword ptr fs:[00000030h] 11_2_0199EB1D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0199EB1D mov eax, dword ptr fs:[00000030h] 11_2_0199EB1D
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019F4B00 mov eax, dword ptr fs:[00000030h] 11_2_019F4B00
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0194EB20 mov eax, dword ptr fs:[00000030h] 11_2_0194EB20
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0194EB20 mov eax, dword ptr fs:[00000030h] 11_2_0194EB20
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019E8B28 mov eax, dword ptr fs:[00000030h] 11_2_019E8B28
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019E8B28 mov eax, dword ptr fs:[00000030h] 11_2_019E8B28
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01918B50 mov eax, dword ptr fs:[00000030h] 11_2_01918B50
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019F2B57 mov eax, dword ptr fs:[00000030h] 11_2_019F2B57
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019F2B57 mov eax, dword ptr fs:[00000030h] 11_2_019F2B57
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019F2B57 mov eax, dword ptr fs:[00000030h] 11_2_019F2B57
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019F2B57 mov eax, dword ptr fs:[00000030h] 11_2_019F2B57
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019CEB50 mov eax, dword ptr fs:[00000030h] 11_2_019CEB50
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019D4B4B mov eax, dword ptr fs:[00000030h] 11_2_019D4B4B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019D4B4B mov eax, dword ptr fs:[00000030h] 11_2_019D4B4B
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019B6B40 mov eax, dword ptr fs:[00000030h] 11_2_019B6B40
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019B6B40 mov eax, dword ptr fs:[00000030h] 11_2_019B6B40
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019EAB40 mov eax, dword ptr fs:[00000030h] 11_2_019EAB40
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019C8B42 mov eax, dword ptr fs:[00000030h] 11_2_019C8B42
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0191CB7E mov eax, dword ptr fs:[00000030h] 11_2_0191CB7E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01958A90 mov edx, dword ptr fs:[00000030h] 11_2_01958A90
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192EA80 mov eax, dword ptr fs:[00000030h] 11_2_0192EA80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192EA80 mov eax, dword ptr fs:[00000030h] 11_2_0192EA80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192EA80 mov eax, dword ptr fs:[00000030h] 11_2_0192EA80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192EA80 mov eax, dword ptr fs:[00000030h] 11_2_0192EA80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192EA80 mov eax, dword ptr fs:[00000030h] 11_2_0192EA80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192EA80 mov eax, dword ptr fs:[00000030h] 11_2_0192EA80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192EA80 mov eax, dword ptr fs:[00000030h] 11_2_0192EA80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192EA80 mov eax, dword ptr fs:[00000030h] 11_2_0192EA80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0192EA80 mov eax, dword ptr fs:[00000030h] 11_2_0192EA80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019F4A80 mov eax, dword ptr fs:[00000030h] 11_2_019F4A80
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01928AA0 mov eax, dword ptr fs:[00000030h] 11_2_01928AA0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01928AA0 mov eax, dword ptr fs:[00000030h] 11_2_01928AA0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01976AA4 mov eax, dword ptr fs:[00000030h] 11_2_01976AA4
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01920AD0 mov eax, dword ptr fs:[00000030h] 11_2_01920AD0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01954AD0 mov eax, dword ptr fs:[00000030h] 11_2_01954AD0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01954AD0 mov eax, dword ptr fs:[00000030h] 11_2_01954AD0
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01976ACC mov eax, dword ptr fs:[00000030h] 11_2_01976ACC
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01976ACC mov eax, dword ptr fs:[00000030h] 11_2_01976ACC
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01976ACC mov eax, dword ptr fs:[00000030h] 11_2_01976ACC
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195AAEE mov eax, dword ptr fs:[00000030h] 11_2_0195AAEE
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195AAEE mov eax, dword ptr fs:[00000030h] 11_2_0195AAEE
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_019ACA11 mov eax, dword ptr fs:[00000030h] 11_2_019ACA11
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01944A35 mov eax, dword ptr fs:[00000030h] 11_2_01944A35
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01944A35 mov eax, dword ptr fs:[00000030h] 11_2_01944A35
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195CA38 mov eax, dword ptr fs:[00000030h] 11_2_0195CA38
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0195CA24 mov eax, dword ptr fs:[00000030h] 11_2_0195CA24
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_0194EA2E mov eax, dword ptr fs:[00000030h] 11_2_0194EA2E
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01926A50 mov eax, dword ptr fs:[00000030h] 11_2_01926A50
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01926A50 mov eax, dword ptr fs:[00000030h] 11_2_01926A50
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01926A50 mov eax, dword ptr fs:[00000030h] 11_2_01926A50
Source: C:\Users\user\Desktop\PO#86637.exe Code function: 11_2_01926A50 mov eax, dword ptr fs:[00000030h] 11_2_01926A50
Source: C:\Users\user\Desktop\PO#86637.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO#86637.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe"
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Fyepece.exe"
Source: C:\Users\user\Desktop\PO#86637.exe Memory written: C:\Users\user\Desktop\PO#86637.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Memory written: C:\Users\user\AppData\Roaming\Fyepece.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PO#86637.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\Fyepece.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp7AF2.tmp" Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Process created: C:\Users\user\Desktop\PO#86637.exe "C:\Users\user\Desktop\PO#86637.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Fyepece" /XML "C:\Users\user\AppData\Local\Temp\tmp958F.tmp" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Process created: C:\Users\user\AppData\Roaming\Fyepece.exe "C:\Users\user\AppData\Roaming\Fyepece.exe" Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Users\user\Desktop\PO#86637.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO#86637.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Queries volume information: C:\Users\user\AppData\Roaming\Fyepece.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Fyepece.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PO#86637.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 11.2.PO#86637.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.PO#86637.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1583643903.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1583282671.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos