Windows Analysis Report
VFylJFPzqX.exe

Overview

General Information

Sample name:	VFylJFPzqX.exe renamed because original name is a hash value
Original sample name:	acb23b92beb1de31d7175c94f94854887bc0b2adb90faddc89bf1b14b1bd1a4b.exe
Analysis ID:	1524408
MD5:	e9e768aa357a7e34348c69e41444964d
SHA1:	4930b85e20b7967cf0afb1d9ae9ae57ca4d373c9
SHA256:	acb23b92beb1de31d7175c94f94854887bc0b2adb90faddc89bf1b14b1bd1a4b
Tags:	172-67-165-197exeuser-JAMESWT_MHT
Infos:

Detection

DarkTortilla, FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected FormBook

.NET source code contains method to dynamically call methods (often used by packers)

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Query firmware table information (likely to detect VMs)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: VFylJFPzqX.exe

Avira: detected

Found malware configuration

Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.freakyressop.xyz/igbn/"], "decoy": ["daolangfans.com", "creatievecontentpeople.com", "cargizmos.net", "azure1224.xyz", "shopahava.com", "recursum.com", "rumblerain.com", "betmonde396.com", "webinarcerdaskanindonesia.com", "telemaca.com", "hellohurt.com", "peaceprairie.com", "johntheonlinearborist.com", "pilotbxprt.store", "creatingsobriety.com", "getrightspt.com", "104456.com", "travelsofwray.com", "americagroupperu.com", "silberscore.net", "history-poker.site", "readypacks.com", "shillay-live.com", "dx-plastic.com", "fargrerike.com", "s5agents.com", "heatherbbmoore.com", "bangunrumahkreasi.com", "noticeupluy.com", "monicadenis.com", "cothmtest.com", "broomventures.tech", "livewey.net", "df9aztgr1r8i3f.life", "dxttkk.xyz", "musiclessonsandmore.com", "prolongdogslife.com", "gbraises.com", "rusticramble.online", "wellumatheraphy.com", "0658585.com", "nftcopyrights.xyz", "progresivetrade.co", "enet-insaat.com", "validationsystems.online", "mckinleyint.com", "ryanfabius.com", "madhikpahi.website", "readthearchitecture.com", "southforkranchliving.com", "linku-trans.com", "mlharquitectura.com", "brasilbikeshopsc.com", "disneychannelmusicstore.com", "sparksbeauteinc.com", "zmjob.net", "adakis.net", "mouldeddoorsupplier.com", "itk.world", "macherie-kumamoto.com", "123-tecnicos.com", "zalogneked.com", "fliptrade.cfd", "beyoncaeurope.com"]}

Multi AV Scanner detection for submitted file

Source: VFylJFPzqX.exe

ReversingLabs: Detection: 73%

Yara detected FormBook

Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: VFylJFPzqX.exe

Joe Sandbox ML: detected

Source: VFylJFPzqX.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, 00000003.00000000.1427689911.0000000000CC2000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000004.00000002.2373426103.00000000106CF000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2664288495.0000000002678000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2669741591.000000000489F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.2679117867.000000000A6FF000.00000004.80000000.00040000.00000000.sdmp, AddInProcess32.exe.0.dr
Source:	Binary string: cmmon32.pdb source: AddInProcess32.exe, 00000003.00000002.1519369707.0000000001338000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.1519293726.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.2660330893.00000000001F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: AddInProcess32.exe, 00000003.00000002.1519369707.0000000001338000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.1519293726.00000000012C0000.00000040.10000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2660330893.00000000001F0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2668080386.0000000004350000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2668080386.00000000044EE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1519005091.0000000003FFE000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1520648011.00000000041A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000003.00000002.1519534517.0000000001790000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 00000005.00000002.2668080386.0000000004350000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2668080386.00000000044EE000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1519005091.0000000003FFE000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000003.1520648011.00000000041A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000003.00000000.1427689911.0000000000CC2000.00000002.00000001.01000000.0000000C.sdmp, explorer.exe, 00000004.00000002.2373426103.00000000106CF000.00000004.80000000.00040000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2664288495.0000000002678000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 00000005.00000002.2669741591.000000000489F000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000010.00000002.2679117867.000000000A6FF000.00000004.80000000.00040000.00000000.sdmp, AddInProcess32.exe.0.dr

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 4x nop then jmp 00C38F0Dh	0_2_00C389A8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then pop ebx	3_2_00407B1A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 4x nop then pop edi	3_2_00416C92
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop ebx	5_2_02497B1C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi	5_2_024A6C92

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49714 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49714 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49714 -> 34.149.87.45:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49737 -> 191.252.4.20:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49737 -> 191.252.4.20:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49737 -> 191.252.4.20:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.freakyressop.xyz/igbn/

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /igbn/?kDKH=K36gPXxmOtT7ZhgLXiyek6cbIzcBFal5uRZotzE1UqqTN+uoUurMQ0X06uvOZOdqSzHy&Rl=YTFLi4d0T2 HTTP/1.1Host: www.mlharquitectura.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.149.87.45 34.149.87.45
Source: Joe Sandbox View	IP Address: 34.149.87.45 34.149.87.45

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 4_2_10F75F82 getaddrinfo,setsockopt,recv,

4_2_10F75F82

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.creatievecontentpeople.com
Source: global traffic	DNS traffic detected: DNS query: www.mlharquitectura.com
Source: global traffic	DNS traffic detected: DNS query: www.cargizmos.net
Source: global traffic	DNS traffic detected: DNS query: api.msn.com
Source: global traffic	DNS traffic detected: DNS query: www.history-poker.site
Source: global traffic	DNS traffic detected: DNS query: www.brasilbikeshopsc.com

Source: explorer.exe, 00000004.00000002.2363894406.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000005039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000004.00000002.2363894406.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000005039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000004.00000002.2363894406.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000005039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000004.00000000.1463407258.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2361401175.0000000004405000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000004.00000002.2363894406.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000005039000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000004.00000000.1465481958.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000004.00000002.2363215266.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1462901084.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.2363239402.0000000007720000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.123-tecnicos.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.123-tecnicos.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.123-tecnicos.com/igbn/www.s5agents.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.123-tecnicos.comReferer:
Source: explorer.exe, 00000004.00000002.2362200277.0000000006F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.azure1224.xyz
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.azure1224.xyz/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.azure1224.xyz/igbn/www.musiclessonsandmore.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.azure1224.xyzReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bangunrumahkreasi.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bangunrumahkreasi.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bangunrumahkreasi.com/igbn/www.freakyressop.xyz
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.bangunrumahkreasi.comReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.betmonde396.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.betmonde396.com/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.betmonde396.com/igbn/www.fliptrade.cfd
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.betmonde396.comReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.brasilbikeshopsc.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.brasilbikeshopsc.com/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.brasilbikeshopsc.com/igbn/www.creatievecontentpeople.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.brasilbikeshopsc.comReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cargizmos.net
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cargizmos.net/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cargizmos.net/igbn/www.123-tecnicos.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cargizmos.netReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.creatievecontentpeople.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.creatievecontentpeople.com/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.creatievecontentpeople.com/igbn/www.itk.world
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creatievecontentpeople.com/igbn/www.mlharquitectura.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.creatievecontentpeople.comReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creatingsobriety.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creatingsobriety.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creatingsobriety.com/igbn/www.rusticramble.online
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creatingsobriety.comReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enet-insaat.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enet-insaat.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enet-insaat.com/igbn/www.gbraises.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.enet-insaat.comReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fliptrade.cfd
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fliptrade.cfd/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fliptrade.cfd/igbn/www.gbraises.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.fliptrade.cfdReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freakyressop.xyz
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freakyressop.xyz/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.freakyressop.xyz/igbn/www.nftcopyrights.xyz
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freakyressop.xyz/igbn/www.rusticramble.online
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.freakyressop.xyzReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gbraises.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gbraises.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gbraises.com/igbn/www.bangunrumahkreasi.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gbraises.com/igbn/www.webinarcerdaskanindonesia.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.gbraises.comReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.getrightspt.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.getrightspt.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.getrightspt.com/igbn/www.rumblerain.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.getrightspt.comReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.history-poker.site
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.history-poker.site/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.history-poker.site/igbn/www.brasilbikeshopsc.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.history-poker.siteReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.itk.world
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.itk.world/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.itk.world/igbn/www.betmonde396.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.itk.worldReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.livewey.net
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.livewey.net/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.livewey.net/igbn/www.freakyressop.xyz
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.livewey.netReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mckinleyint.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mckinleyint.com/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mckinleyint.com/igbn/www.livewey.net
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mckinleyint.comReferer:
Source: explorer.exe, 00000004.00000003.2284166438.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009237000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mlharquitectura.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mlharquitectura.com/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mlharquitectura.com/igbn/www.azure1224.xyz
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mlharquitectura.com/igbn/www.cargizmos.net
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.mlharquitectura.comReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monicadenis.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monicadenis.com/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monicadenis.com/igbn/www.mckinleyint.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.monicadenis.comReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.musiclessonsandmore.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.musiclessonsandmore.com/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.musiclessonsandmore.com/igbn/www.monicadenis.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.musiclessonsandmore.comReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nftcopyrights.xyz
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nftcopyrights.xyz/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nftcopyrights.xyz/igbn/www.noticeupluy.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.nftcopyrights.xyzReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.noticeupluy.com
Source: explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.noticeupluy.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.noticeupluy.comReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.prolongdogslife.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.prolongdogslife.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.prolongdogslife.com/igbn/www.enet-insaat.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.prolongdogslife.comReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rumblerain.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rumblerain.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rumblerain.com/igbn/www.creatingsobriety.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rumblerain.comReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rusticramble.online
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rusticramble.online/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rusticramble.online/igbn/K
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rusticramble.online/igbn/www.prolongdogslife.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.rusticramble.onlineReferer:
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.s5agents.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.s5agents.com/igbn/
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.s5agents.com/igbn/www.getrightspt.com
Source: explorer.exe, 00000004.00000003.2289858861.000000000C17D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2371254020.000000000C17F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288530916.000000000C17C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.s5agents.comReferer:
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.webinarcerdaskanindonesia.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.webinarcerdaskanindonesia.com/igbn/
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.webinarcerdaskanindonesia.com/igbn/www.mlharquitectura.com
Source: explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.webinarcerdaskanindonesia.comReferer:
Source: explorer.exe, 00000004.00000000.1469970738.000000000BC80000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2368129929.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2289901418.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000004.00000000.1469970738.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000000.1469970738.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSA4
Source: explorer.exe, 00000004.00000000.1469970738.000000000BC80000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000004.00000002.2362844940.000000000704E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2288445621.000000000704B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000010.00000003.2437268910.00000000092FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.000000000929C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/&WEb(
Source: explorer.exe, 00000010.00000003.2437268910.00000000092FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.000000000929C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/RV9cu
Source: explorer.exe, 00000010.00000002.2676388545.00000000093EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000000.1465481958.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000010.00000003.2437268910.00000000092FC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.000000000929C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?6i
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000004.00000003.2284166438.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000003.2284166438.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000091FB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000010.00000003.2435222772.000000000929C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comK
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000010.00000002.2678982121.0000000009FA0000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000004.00000002.2368051152.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1469970738.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.00000000093CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000004.00000002.2368051152.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1469970738.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000010.00000003.2435222772.0000000009459000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comE
Source: explorer.exe, 00000010.00000003.2438090528.0000000009465000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000004.00000002.2368051152.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1469970738.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comer
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000010.00000003.2435222772.0000000009459000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000004.00000002.2368051152.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1469970738.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com48
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/the-no-1-question-to-ask-in-a-job-interview-acco
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000004.00000003.2289617040.0000000006F30000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2362602712.0000000006F33000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1463910498.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2670266703.0000000004F29000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364724226.0000000004F3F000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2364314104.0000000004F1D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2682408997.000000000C39C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.2373918036.0000000010F8D000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: VFylJFPzqX.exe PID: 7764, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: AddInProcess32.exe PID: 7984, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmmon32.exe PID: 8104, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041A330 NtCreateFile,	3_2_0041A330
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041A3E0 NtReadFile,	3_2_0041A3E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041A460 NtClose,	3_2_0041A460
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041A510 NtAllocateVirtualMemory,	3_2_0041A510
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041A32A NtCreateFile,	3_2_0041A32A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041A3DA NtReadFile,	3_2_0041A3DA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041A45A NtClose,	3_2_0041A45A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041A50A NtAllocateVirtualMemory,	3_2_0041A50A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01802BF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802B60 NtClose,LdrInitializeThunk,	3_2_01802B60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802AD0 NtReadFile,LdrInitializeThunk,	3_2_01802AD0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802DD0 NtDelayExecution,LdrInitializeThunk,	3_2_01802DD0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01802DF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_01802D10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_01802D30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_01802CA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01802C70
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802F90 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_01802F90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802FB0 NtResumeThread,LdrInitializeThunk,	3_2_01802FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802FE0 NtCreateFile,LdrInitializeThunk,	3_2_01802FE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802F30 NtCreateSection,LdrInitializeThunk,	3_2_01802F30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_01802E80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_01802EA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01804340 NtSetContextThread,	3_2_01804340
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01804650 NtSuspendThread,	3_2_01804650
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802B80 NtQueryInformationFile,	3_2_01802B80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802BA0 NtEnumerateValueKey,	3_2_01802BA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802BE0 NtQueryValueKey,	3_2_01802BE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802AB0 NtWaitForSingleObject,	3_2_01802AB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802AF0 NtWriteFile,	3_2_01802AF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802DB0 NtEnumerateKey,	3_2_01802DB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802D00 NtSetInformationFile,	3_2_01802D00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802CC0 NtQueryVirtualMemory,	3_2_01802CC0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802CF0 NtOpenProcess,	3_2_01802CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802C00 NtQueryInformationProcess,	3_2_01802C00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802C60 NtCreateKey,	3_2_01802C60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802FA0 NtQuerySection,	3_2_01802FA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802F60 NtCreateProcessEx,	3_2_01802F60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802EE0 NtQueueApcThread,	3_2_01802EE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01802E30 NtWriteVirtualMemory,	3_2_01802E30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01803090 NtSetValueKey,	3_2_01803090
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01803010 NtOpenDirectoryObject,	3_2_01803010
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018035C0 NtCreateMutant,	3_2_018035C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018039B0 NtGetContextThread,	3_2_018039B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01803D10 NtOpenProcessToken,	3_2_01803D10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01803D70 NtOpenThread,	3_2_01803D70
Source: C:\Windows\explorer.exe	Code function: 4_2_10F75232 NtCreateFile,	4_2_10F75232
Source: C:\Windows\explorer.exe	Code function: 4_2_10F76E12 NtProtectVirtualMemory,	4_2_10F76E12
Source: C:\Windows\explorer.exe	Code function: 4_2_10F76E0A NtProtectVirtualMemory,	4_2_10F76E0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_043C2C70
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2C60 NtCreateKey,LdrInitializeThunk,	5_2_043C2C60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_043C2CA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_043C2D10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_043C2DF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2DD0 NtDelayExecution,LdrInitializeThunk,	5_2_043C2DD0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_043C2EA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2F30 NtCreateSection,LdrInitializeThunk,	5_2_043C2F30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2FE0 NtCreateFile,LdrInitializeThunk,	5_2_043C2FE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2AD0 NtReadFile,LdrInitializeThunk,	5_2_043C2AD0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2B60 NtClose,LdrInitializeThunk,	5_2_043C2B60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_043C2BF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_043C2BE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C35C0 NtCreateMutant,LdrInitializeThunk,	5_2_043C35C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C4650 NtSuspendThread,	5_2_043C4650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C4340 NtSetContextThread,	5_2_043C4340
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2C00 NtQueryInformationProcess,	5_2_043C2C00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2CF0 NtOpenProcess,	5_2_043C2CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2CC0 NtQueryVirtualMemory,	5_2_043C2CC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2D30 NtUnmapViewOfSection,	5_2_043C2D30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2D00 NtSetInformationFile,	5_2_043C2D00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2DB0 NtEnumerateKey,	5_2_043C2DB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2E30 NtWriteVirtualMemory,	5_2_043C2E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2E80 NtReadVirtualMemory,	5_2_043C2E80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2EE0 NtQueueApcThread,	5_2_043C2EE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2F60 NtCreateProcessEx,	5_2_043C2F60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2FB0 NtResumeThread,	5_2_043C2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2FA0 NtQuerySection,	5_2_043C2FA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2F90 NtProtectVirtualMemory,	5_2_043C2F90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2AB0 NtWaitForSingleObject,	5_2_043C2AB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2AF0 NtWriteFile,	5_2_043C2AF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2BA0 NtEnumerateValueKey,	5_2_043C2BA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C2B80 NtQueryInformationFile,	5_2_043C2B80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C3010 NtOpenDirectoryObject,	5_2_043C3010
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C3090 NtSetValueKey,	5_2_043C3090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C3D10 NtOpenProcessToken,	5_2_043C3D10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C3D70 NtOpenThread,	5_2_043C3D70
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C39B0 NtGetContextThread,	5_2_043C39B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AA330 NtCreateFile,	5_2_024AA330
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AA3E0 NtReadFile,	5_2_024AA3E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AA460 NtClose,	5_2_024AA460
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AA510 NtAllocateVirtualMemory,	5_2_024AA510
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AA32A NtCreateFile,	5_2_024AA32A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AA3DA NtReadFile,	5_2_024AA3DA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AA45A NtClose,	5_2_024AA45A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AA50A NtAllocateVirtualMemory,	5_2_024AA50A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041FA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	5_2_041FA036
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041F9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	5_2_041F9BAF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041FA042 NtQueryInformationProcess,	5_2_041FA042
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041F9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	5_2_041F9BB2

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\VFylJFPzqX.exe

Code function: 0_2_0A21A418 CreateProcessAsUserW,

0_2_0A21A418

Detected potential crypto function

Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_00C3C6B8	0_2_00C3C6B8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_00C389A8	0_2_00C389A8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_00C36A38	0_2_00C36A38
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_00C370E8	0_2_00C370E8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_00C3C6A8	0_2_00C3C6A8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_00C3BDE0	0_2_00C3BDE0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_056216B8	0_2_056216B8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_056211A8	0_2_056211A8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05623E68	0_2_05623E68
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_056216A9	0_2_056216A9
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05621198	0_2_05621198
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0562DC2C	0_2_0562DC2C
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05623E59	0_2_05623E59
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05A20007	0_2_05A20007
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05A20040	0_2_05A20040
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E54E40	0_2_05E54E40
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E5ED28	0_2_05E5ED28
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E54E30	0_2_05E54E30
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7CCC0	0_2_05E7CCC0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E76C48	0_2_05E76C48
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E706E0	0_2_05E706E0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7DDA8	0_2_05E7DDA8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7DD98	0_2_05E7DD98
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7C545	0_2_05E7C545
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7C55A	0_2_05E7C55A
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7CCB0	0_2_05E7CCB0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7CC70	0_2_05E7CC70
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E76C38	0_2_05E76C38
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7F400	0_2_05E7F400
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7EF68	0_2_05E7EF68
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7EF59	0_2_05E7EF59
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E78729	0_2_05E78729
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E78738	0_2_05E78738
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7E6CC	0_2_05E7E6CC
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7C6A4	0_2_05E7C6A4
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7C6B9	0_2_05E7C6B9
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E77660	0_2_05E77660
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E77670	0_2_05E77670
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7A640	0_2_05E7A640
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7A650	0_2_05E7A650
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7C600	0_2_05E7C600
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7C615	0_2_05E7C615
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E781C0	0_2_05E781C0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7F1A0	0_2_05E7F1A0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E781B3	0_2_05E781B3
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7F190	0_2_05E7F190
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E770C8	0_2_05E770C8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7A0A0	0_2_05E7A0A0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7A090	0_2_05E7A090
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7F3F0	0_2_05E7F3F0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7C240	0_2_05E7C240
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E7C231	0_2_05E7C231
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C3300	0_2_073C3300
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073CE3A8	0_2_073CE3A8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073CA558	0_2_073CA558
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C79F0	0_2_073C79F0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073CC1E8	0_2_073CC1E8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C2C75	0_2_073C2C75
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C3C40	0_2_073C3C40
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C4898	0_2_073C4898
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C94D8	0_2_073C94D8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C5B28	0_2_073C5B28
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C5B18	0_2_073C5B18
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C7BF8	0_2_073C7BF8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C7BE9	0_2_073C7BE9
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C9918	0_2_073C9918
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C9908	0_2_073C9908
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C3C3B	0_2_073C3C3B
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C4871	0_2_073C4871
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C94C8	0_2_073C94C8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A214E28	0_2_0A214E28
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A2156D2	0_2_0A2156D2
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A210BA0	0_2_0A210BA0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A2153B8	0_2_0A2153B8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A214BF0	0_2_0A214BF0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A210040	0_2_0A210040
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A214C48	0_2_0A214C48
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A2134E8	0_2_0A2134E8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A21A950	0_2_0A21A950
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A213E20	0_2_0A213E20
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A213E08	0_2_0A213E08
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A214E19	0_2_0A214E19
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A217AB0	0_2_0A217AB0
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A215691	0_2_0A215691
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A210B71	0_2_0A210B71
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A21E750	0_2_0A21E750
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A213788	0_2_0A213788
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A21F7D8	0_2_0A21F7D8
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A214C39	0_2_0A214C39
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A21E438	0_2_0A21E438
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A21003E	0_2_0A21003E
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A214470	0_2_0A214470
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A2134D7	0_2_0A2134D7
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_0A218108	0_2_0A218108
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041D856	3_2_0041D856
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041E8F7	3_2_0041E8F7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041E0B4	3_2_0041E0B4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_00401209	3_2_00401209
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041DAC3	3_2_0041DAC3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041E3C0	3_2_0041E3C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041EC18	3_2_0041EC18
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041DD44	3_2_0041DD44
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041E5CB	3_2_0041E5CB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_00402D8A	3_2_00402D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_00409E60	3_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_00409E1A	3_2_00409E1A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041DEB0	3_2_0041DEB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041DF94	3_2_0041DF94
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018901AA	3_2_018901AA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018841A2	3_2_018841A2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018881CC	3_2_018881CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017C0100	3_2_017C0100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0186A118	3_2_0186A118
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01858158	3_2_01858158
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01862000	3_2_01862000
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018903E6	3_2_018903E6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017DE3F0	3_2_017DE3F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188A352	3_2_0188A352
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018502C0	3_2_018502C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01870274	3_2_01870274
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01890591	3_2_01890591
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D0535	3_2_017D0535
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0187E4F6	3_2_0187E4F6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01874420	3_2_01874420
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01882446	3_2_01882446
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D0770	3_2_017D0770
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017F4750	3_2_017F4750
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017CC7C0	3_2_017CC7C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017EC6E0	3_2_017EC6E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017E6962	3_2_017E6962
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0189A9A6	3_2_0189A9A6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D29A0	3_2_017D29A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D2840	3_2_017D2840
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017DA840	3_2_017DA840
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017FE8F0	3_2_017FE8F0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017B68B8	3_2_017B68B8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01886BD7	3_2_01886BD7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188AB40	3_2_0188AB40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017CEA80	3_2_017CEA80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017DAD00	3_2_017DAD00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0186CD1F	3_2_0186CD1F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017CADE0	3_2_017CADE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017E8DBF	3_2_017E8DBF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01870CB5	3_2_01870CB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D0C00	3_2_017D0C00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017C0CF2	3_2_017C0CF2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0184EFA0	3_2_0184EFA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017F0F30	3_2_017F0F30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017DCFE0	3_2_017DCFE0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01812F28	3_2_01812F28
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017C2FC8	3_2_017C2FC8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01872F30	3_2_01872F30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01844F40	3_2_01844F40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188CE93	3_2_0188CE93
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D0E59	3_2_017D0E59
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188EEDB	3_2_0188EEDB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188EE26	3_2_0188EE26
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017E2E90	3_2_017E2E90
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017BF172	3_2_017BF172
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017DB1B0	3_2_017DB1B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0189B16B	3_2_0189B16B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0180516C	3_2_0180516C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0187F0CC	3_2_0187F0CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018870E9	3_2_018870E9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188F0E0	3_2_0188F0E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D70C0	3_2_017D70C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0181739A	3_2_0181739A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017BD34C	3_2_017BD34C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188132D	3_2_0188132D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018712ED	3_2_018712ED
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017EB2C0	3_2_017EB2C0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D52A0	3_2_017D52A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0186D5B0	3_2_0186D5B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01887571	3_2_01887571
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017C1460	3_2_017C1460
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188F43F	3_2_0188F43F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188F7B0	3_2_0188F7B0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_018816CC	3_2_018816CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D9950	3_2_017D9950
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017EB950	3_2_017EB950
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01865910	3_2_01865910
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0183D800	3_2_0183D800
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D38E0	3_2_017D38E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01845BF0	3_2_01845BF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0180DBF9	3_2_0180DBF9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188FB76	3_2_0188FB76
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017EFB80	3_2_017EFB80
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01815AA0	3_2_01815AA0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01871AA3	3_2_01871AA3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0186DAAC	3_2_0186DAAC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0187DAC6	3_2_0187DAC6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188FA49	3_2_0188FA49
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01887A46	3_2_01887A46
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01843A6C	3_2_01843A6C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D3D40	3_2_017D3D40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017EFDC0	3_2_017EFDC0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01881D5A	3_2_01881D5A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01887D73	3_2_01887D73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188FCF2	3_2_0188FCF2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01849C32	3_2_01849C32
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188FFB1	3_2_0188FFB1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0188FF09	3_2_0188FF09
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01793FD2	3_2_01793FD2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01793FD5	3_2_01793FD5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D1F92	3_2_017D1F92
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017D9EB0	3_2_017D9EB0
Source: C:\Windows\explorer.exe	Code function: 4_2_10422036	4_2_10422036
Source: C:\Windows\explorer.exe	Code function: 4_2_10419082	4_2_10419082
Source: C:\Windows\explorer.exe	Code function: 4_2_1041AD02	4_2_1041AD02
Source: C:\Windows\explorer.exe	Code function: 4_2_10420912	4_2_10420912
Source: C:\Windows\explorer.exe	Code function: 4_2_104265CD	4_2_104265CD
Source: C:\Windows\explorer.exe	Code function: 4_2_10423232	4_2_10423232
Source: C:\Windows\explorer.exe	Code function: 4_2_1041DB30	4_2_1041DB30
Source: C:\Windows\explorer.exe	Code function: 4_2_1041DB32	4_2_1041DB32
Source: C:\Windows\explorer.exe	Code function: 4_2_10F75232	4_2_10F75232
Source: C:\Windows\explorer.exe	Code function: 4_2_10F6B082	4_2_10F6B082
Source: C:\Windows\explorer.exe	Code function: 4_2_10F74036	4_2_10F74036
Source: C:\Windows\explorer.exe	Code function: 4_2_10F785CD	4_2_10F785CD
Source: C:\Windows\explorer.exe	Code function: 4_2_10F6FB32	4_2_10F6FB32
Source: C:\Windows\explorer.exe	Code function: 4_2_10F6FB30	4_2_10F6FB30
Source: C:\Windows\explorer.exe	Code function: 4_2_10F72912	4_2_10F72912
Source: C:\Windows\explorer.exe	Code function: 4_2_10F6CD02	4_2_10F6CD02
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04442446	5_2_04442446
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04434420	5_2_04434420
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0443E4F6	5_2_0443E4F6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04390535	5_2_04390535
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04450591	5_2_04450591
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043AC6E0	5_2_043AC6E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04390770	5_2_04390770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043B4750	5_2_043B4750
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0438C7C0	5_2_0438C7C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04422000	5_2_04422000
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04418158	5_2_04418158
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04380100	5_2_04380100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0442A118	5_2_0442A118
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_044481CC	5_2_044481CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_044441A2	5_2_044441A2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_044501AA	5_2_044501AA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04430274	5_2_04430274
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_044102C0	5_2_044102C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444A352	5_2_0444A352
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_044503E6	5_2_044503E6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0439E3F0	5_2_0439E3F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04390C00	5_2_04390C00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04380CF2	5_2_04380CF2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04430CB5	5_2_04430CB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0439AD00	5_2_0439AD00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0442CD1F	5_2_0442CD1F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043A8DBF	5_2_043A8DBF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0438ADE0	5_2_0438ADE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04390E59	5_2_04390E59
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444EE26	5_2_0444EE26
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444EEDB	5_2_0444EEDB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043A2E90	5_2_043A2E90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444CE93	5_2_0444CE93
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04404F40	5_2_04404F40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043B0F30	5_2_043B0F30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043D2F28	5_2_043D2F28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04432F30	5_2_04432F30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0439CFE0	5_2_0439CFE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0440EFA0	5_2_0440EFA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04382FC8	5_2_04382FC8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04392840	5_2_04392840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0439A840	5_2_0439A840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043768B8	5_2_043768B8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043BE8F0	5_2_043BE8F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043A6962	5_2_043A6962
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043929A0	5_2_043929A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0445A9A6	5_2_0445A9A6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0438EA80	5_2_0438EA80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444AB40	5_2_0444AB40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04446BD7	5_2_04446BD7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04381460	5_2_04381460
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444F43F	5_2_0444F43F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04447571	5_2_04447571
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_044595C3	5_2_044595C3
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0442D5B0	5_2_0442D5B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043D5630	5_2_043D5630
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_044416CC	5_2_044416CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444F7B0	5_2_0444F7B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0443F0CC	5_2_0443F0CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444F0E0	5_2_0444F0E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_044470E9	5_2_044470E9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043970C0	5_2_043970C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0445B16B	5_2_0445B16B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0437F172	5_2_0437F172
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043C516C	5_2_043C516C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0439B1B0	5_2_0439B1B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043952A0	5_2_043952A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_044312ED	5_2_044312ED
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043AB2C0	5_2_043AB2C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444132D	5_2_0444132D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0437D34C	5_2_0437D34C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043D739A	5_2_043D739A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04409C32	5_2_04409C32
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444FCF2	5_2_0444FCF2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04441D5A	5_2_04441D5A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04447D73	5_2_04447D73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04393D40	5_2_04393D40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043AFDC0	5_2_043AFDC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04399EB0	5_2_04399EB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444FF09	5_2_0444FF09
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04391F92	5_2_04391F92
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04353FD5	5_2_04353FD5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04353FD2	5_2_04353FD2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444FFB1	5_2_0444FFB1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043FD800	5_2_043FD800
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043938E0	5_2_043938E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04425910	5_2_04425910
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04399950	5_2_04399950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043AB950	5_2_043AB950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04447A46	5_2_04447A46
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444FA49	5_2_0444FA49
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04403A6C	5_2_04403A6C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0443DAC6	5_2_0443DAC6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043D5AA0	5_2_043D5AA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04431AA3	5_2_04431AA3
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0442DAAC	5_2_0442DAAC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0444FB76	5_2_0444FB76
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04405BF0	5_2_04405BF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043AFB80	5_2_043AFB80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043CDBF9	5_2_043CDBF9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AE5CB	5_2_024AE5CB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AD856	5_2_024AD856
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AE8F7	5_2_024AE8F7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_02499E60	5_2_02499E60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_02499E1A	5_2_02499E1A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024ADF94	5_2_024ADF94
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_02492FB0	5_2_02492FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AEC18	5_2_024AEC18
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024ADD44	5_2_024ADD44
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_02492D8A	5_2_02492D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_02492D90	5_2_02492D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041FA036	5_2_041FA036
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041F2D02	5_2_041F2D02
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041FE5CD	5_2_041FE5CD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041F1082	5_2_041F1082
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041F8912	5_2_041F8912
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041FB232	5_2_041FB232
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041F5B32	5_2_041F5B32
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041F5B30	5_2_041F5B30

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 001F554A appears 43 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0440F290 appears 105 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 043FEA12 appears 86 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0437B970 appears 280 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 043C5130 appears 58 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 001F65D7 appears 33 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 043D7E54 appears 111 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 017BB970 appears 280 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 01817E54 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 01805130 appears 58 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0183EA12 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: String function: 0184F290 appears 105 times

One or more processes crash

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 3228

Sample file is different than original file name gathered from version info

Source: VFylJFPzqX.exe, 00000000.00000000.1405625354.0000000000198000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameICQ.exe0 vs VFylJFPzqX.exe
Source: VFylJFPzqX.exe, 00000000.00000002.1487301628.0000000005801000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAddInProcess32.exeT vs VFylJFPzqX.exe
Source: VFylJFPzqX.exe, 00000000.00000002.1486863721.00000000055F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSbKopBnfhlkIJ.dll< vs VFylJFPzqX.exe
Source: VFylJFPzqX.exe, 00000000.00000002.1485081729.0000000003571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSbKopBnfhlkIJ.dll< vs VFylJFPzqX.exe
Source: VFylJFPzqX.exe, 00000000.00000002.1468193156.00000000006FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs VFylJFPzqX.exe
Source: VFylJFPzqX.exe, 00000000.00000002.1489902249.0000000007520000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRunPe2-(dll).dll: vs VFylJFPzqX.exe
Source: VFylJFPzqX.exe	Binary or memory string: OriginalFilenameICQ.exe0 vs VFylJFPzqX.exe

Yara signature match

Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.1518903340.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2667218858.0000000004120000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1485081729.0000000003683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1485081729.000000000376A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2682408997.000000000C39C000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1485081729.000000000362E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.2373918036.0000000010F8D000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2666460671.00000000040F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2661042601.0000000002490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: VFylJFPzqX.exe PID: 7764, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: AddInProcess32.exe PID: 7984, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmmon32.exe PID: 8104, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/9@6/1

Source: C:\Users\user\Desktop\VFylJFPzqX.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VFylJFPzqX.exe.log

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4084
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03

Source: unknown	Process created: C:\Users\user\Desktop\VFylJFPzqX.exe "C:\Users\user\Desktop\VFylJFPzqX.exe"
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4084 -s 3228
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\AddInProcess32.exe"	Jump to behavior

Source: Yara match	File source: 0.2.VFylJFPzqX.exe.35a2f70.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VFylJFPzqX.exe.55f0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VFylJFPzqX.exe.35a2f70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.VFylJFPzqX.exe.55f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1486863721.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1471351039.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1485081729.0000000003571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: VFylJFPzqX.exe PID: 7764, type: MEMORYSTR

Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E759E5 push esp; retf	0_2_05E759E6
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E75970 push eax; retf	0_2_05E75971
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_05E75B51 pushad ; retf	0_2_05E75B52
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Code function: 0_2_073C5E20 push edx; iretd	0_2_073C5E21
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041D4D2 push eax; ret	3_2_0041D4D8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041D4DB push eax; ret	3_2_0041D542
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041D485 push eax; ret	3_2_0041D4D8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0041D53C push eax; ret	3_2_0041D542
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0179225F pushad ; ret	3_2_017927F9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017927FA pushad ; ret	3_2_017927F9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_017C09AD push ecx; mov dword ptr [esp], ecx	3_2_017C09B6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_0179283D push eax; iretd	3_2_01792858
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Code function: 3_2_01791368 push eax; iretd	3_2_01791369
Source: C:\Windows\explorer.exe	Code function: 4_2_104269B5 push esp; retn 0000h	4_2_10426AE7
Source: C:\Windows\explorer.exe	Code function: 4_2_10426B02 push esp; retn 0000h	4_2_10426B03
Source: C:\Windows\explorer.exe	Code function: 4_2_10426B1E push esp; retn 0000h	4_2_10426B1F
Source: C:\Windows\explorer.exe	Code function: 4_2_10F789B5 push esp; retn 0000h	4_2_10F78AE7
Source: C:\Windows\explorer.exe	Code function: 4_2_10F78B1E push esp; retn 0000h	4_2_10F78B1F
Source: C:\Windows\explorer.exe	Code function: 4_2_10F78B02 push esp; retn 0000h	4_2_10F78B03
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_001F74CD push ecx; ret	5_2_001F74E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043527FA pushad ; ret	5_2_043527F9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0435225F pushad ; ret	5_2_043527F9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_0435283D push eax; iretd	5_2_04352858
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_043809AD push ecx; mov dword ptr [esp], ecx	5_2_043809B6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AD4DB push eax; ret	5_2_024AD542
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AD4D2 push eax; ret	5_2_024AD4D8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AD485 push eax; ret	5_2_024AD4D8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024AD53C push eax; ret	5_2_024AD542
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_024ADC8C push ss; retf	5_2_024ADC8D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041FE9B5 push esp; retn 0000h	5_2_041FEAE7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_041FEB1E push esp; retn 0000h	5_2_041FEB1F

Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFBCB7B0774
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFBCB7AD8A4
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 2499904 second address: 249990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 2499B7E second address: 2499B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: 2570000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: 23F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: 7C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: 8C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: 8E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: 9E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: A220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: B220000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory allocated: C220000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1769	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8165	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 877	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 873	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Window / User API: threadDelayed 9828	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 432
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 424

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\cmmon32.exe	API coverage: 1.8 %

Source: C:\Users\user\Desktop\VFylJFPzqX.exe TID: 7916	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe TID: 7784	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1296	Thread sleep count: 1769 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1296	Thread sleep time: -3538000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1296	Thread sleep count: 8165 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1296	Thread sleep time: -16330000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7264	Thread sleep count: 142 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7264	Thread sleep time: -284000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7264	Thread sleep count: 9828 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7264	Thread sleep time: -19656000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: explorer.exe, 00000004.00000002.2364455621.0000000009330000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: VFylJFPzqX.exe, 00000000.00000002.1486863721.00000000055F0000.00000004.08000000.00040000.00000000.sdmp, VFylJFPzqX.exe, 00000000.00000002.1485081729.0000000003571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VBoxTray
Source: explorer.exe, 00000010.00000003.2379225682.00000000091C0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: VFylJFPzqX.exe, 00000000.00000002.1485081729.0000000003571000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: explorer.exe, 00000010.00000003.2375541043.0000000004FC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}PO
Source: explorer.exe, 00000010.00000002.2676388545.000000000954C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00+# cp
Source: explorer.exe, 00000010.00000002.2676388545.0000000009194000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWdWndClassiverStore\en\volume.inf_loc
Source: explorer.exe, 00000010.00000002.2670266703.0000000004FA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000010.00000003.2490095914.000000000C9AA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000004.00000002.2359671123.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00=
Source: explorer.exe, 00000004.00000002.2363894406.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.000000000941A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.00000000093CA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2438311102.00000000092D2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.000000000941B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2435222772.000000000929C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2676388545.00000000093CA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000N%\
Source: explorer.exe, 00000010.00000003.2491757519.000000000C9EF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963H
Source: explorer.exe, 00000004.00000000.1465481958.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000010.00000002.2676388545.0000000009465000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000=
Source: explorer.exe, 00000010.00000002.2670266703.0000000004FA7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000004.00000000.1465481958.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2363894406.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2284166438.00000000090DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: explorer.exe, 00000004.00000002.2359671123.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000003.2284166438.0000000009255000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTcaVMWare
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000@v
Source: explorer.exe, 00000010.00000003.2516098392.000000000C9C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 5e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963H
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}t
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\{~2e
Source: explorer.exe, 00000010.00000002.2660398665.0000000001321000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NXTerVMWare
Source: explorer.exe, 00000010.00000002.2676388545.0000000009194000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: l\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}(
Source: explorer.exe, 00000010.00000002.2676388545.0000000009277000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00
Source: explorer.exe, 00000010.00000003.2375541043.0000000004FC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\
Source: explorer.exe, 00000010.00000002.2676388545.000000000954C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000010.00000003.2516098392.000000000C9C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\9507et
Source: explorer.exe, 00000010.00000002.2676388545.0000000009194000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000-
Source: explorer.exe, 00000010.00000002.2683122014.000000000C8DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}-
Source: explorer.exe, 00000010.00000002.2660398665.0000000001321000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000010.00000002.2683122014.000000000C8DD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000003.2520830793.000000000C9C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}\0
Source: explorer.exe, 00000004.00000002.2359671123.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_001F7020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		5_2_001F7020
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_001F71B0 SetUnhandledExceptionFilter,		5_2_001F71B0

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	NtQueueApcThread: Indirect: 0x12DA4F2			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	NtClose: Indirect: 0x12DA56C

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	Thread register set: target process: 4084	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 4084	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 3272	Jump to behavior

Windows Analysis Report VFylJFPzqX.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
VFylJFPzqX.exe

Malware Threat Intel
Provided by

Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: FC0008	Jump to behavior

Source: explorer.exe, 00000004.00000003.2284166438.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1462669782.0000000001091000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.1462669782.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1462391746.0000000000A28000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2359671123.0000000000A20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.1462669782.0000000001091000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: explorer.exe, 00000010.00000002.2660398665.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: *Progman-
Source: explorer.exe, 00000004.00000000.1462669782.0000000001091000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000002.2670266703.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2375541043.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000003.2395726054.0000000004FE0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanER\S-1-5c
Source: explorer.exe, 00000004.00000003.2284166438.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1465481958.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.2364455621.000000000936E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd]1Q

Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Queries volume information: C:\Users\user\Desktop\VFylJFPzqX.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\VFylJFPzqX.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior

Name	IP	Active
brasilbikeshopsc.com	191.252.4.20	true
td-ccm-neg-87-45.wixdns.net	34.149.87.45	true
www.mlharquitectura.com	unknown	unknown
www.creatievecontentpeople.com	unknown	unknown
www.history-poker.site	unknown	unknown
www.cargizmos.net	unknown	unknown
api.msn.com	unknown	unknown
www.brasilbikeshopsc.com	unknown	unknown

ID:	1524408
Product:	CloudBasic
Start time:	18:56:54
Start date:	02.10.2024
Sample:	VFylJFPzqX.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	e9e768aa357a7e34348c69e41444964d
SHA1:	4930b85e20b7967cf0afb1d9ae9ae57ca4d373c9
SHA256:	acb23b92beb1de31d7175c94f94854887bc0b2adb90faddc89bf1b14b1bd1a4b
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_fe8167436d6db6c6d2c4bed5d6f2d2c06e142845_f78a65ed_9dc28938-91ad-4d68-8a9f-87867cc31365\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	2B01D8AE203578B4E91AFFD2B4DE83EB	6AD485613B8BD3888FF87775766017F5282D4F06	D54D503D5B0D182A465105A42B55777F1EC80243F3C264B172524D2DE3D95BB8
C:\ProgramData\Microsoft\Windows\WER\Temp\WER4EB8.tmp.dmp	Mini DuMP crash report, 17 streams, Wed Oct 2 16:59:23 2024, 0x1205a4 type	50CABF4203478FA1EE8E97E86AA11C8E	A51E8F57CB98D97E06796E579D4DC8CB333F7884	6D3F388785F5D1BE244344EAA4CD55CD248F544BD6B29FE5DB3CDE96954ADA36
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A23.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	A037F6F643E12119A36B45B5A37A34D7	6108CC379D60CE38CF8038EB175E561A023E659E	5B0168421DB3300E94F87C71E10A9DBA8F56FF91B752DB95542E81D4A62646A1
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A53.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	00065564B531402D2995E8179794F807	4C11EDC73B3F64813225F1DDC8CA2F058AADE028	CD95FFE44CB476DACD8372A652D2A0EEEF5E5BD4FD9D64E8BE4B96AE0C21D48D
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VFylJFPzqX.exe.log	ASCII text, with CRLF line terminators	13BD7BD30A00DB52928E54B1CDC3885E	505CA675FD9C4ABAA7422D0E300BC6DDC8C4E1CC	9FDF5F0CD379E0870A8FDEA29B2AAAC93DEB66B91B41E66372CF0F3A7D3E7E14
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db	data	D43EE2C1AF96AF9515F86181D714FEDC	0FDD8A1273BA02A6332660E2872A6826042AB5B6	C3924EBA84DEC346B2788BDABA2BE6FCA9C6DA0DD282F9F1FB168B932EF53CBF
C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000013.db	data	BFE555160AE823B8850B6278FB96C2FA	EBFD3E91DE012D0EFD8BAFD437DD84256476FC11	787819813FAAF053C7F25C20236FB61FF89A269FD01DC131BF00D4E719168FAC
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\Windows[2].json	JSON data	89484D8093A982ECBB37A5CE39E33BD0	9A940F3FDF273125A4AC94F324816D637BC9B832	4F46B87D2013949D3A34E45CADB8B9A74714CC5503084090BFD6C53840C5ED53
C:\Users\user\AppData\Local\Temp\AddInProcess32.exe	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows	9827FF3CDF4B83F9C86354606736CA9C	E73D73F42BB2A310F03EB1BCBB22BE2B8EB7C723	C1CF3DC8FA1C7FC00F88E07AD539979B3706CA8D69223CFFD1D58BC8F521F63A