Edit tour

Windows Analysis Report
3P5I851G78.exe

Overview

General Information

Sample name:	3P5I851G78.exe renamed because original name is a hash value
Original sample name:	010fc4f0e382f0c0de55b3fcf4b80f6284694833af9d759c584b63a7d540cf2f.exe
Analysis ID:	1634820
MD5:	02848368b72c81c30b3d30e901dc540f
SHA1:	e951099851351bc1d4ba1376c800e1151054ca75
SHA256:	010fc4f0e382f0c0de55b3fcf4b80f6284694833af9d759c584b63a7d540cf2f
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Tries to resolve many domain names, but no domain seems valid

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

3P5I851G78.exe (PID: 6716 cmdline: "C:\Users\user\Desktop\3P5I851G78.exe" MD5: 02848368B72C81C30B3D30E901DC540F)

powershell.exe (PID: 1400 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7144 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

3P5I851G78.exe (PID: 3936 cmdline: "C:\Users\user\Desktop\3P5I851G78.exe" MD5: 02848368B72C81C30B3D30E901DC540F)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

rundll32.exe (PID: 6696 cmdline: "C:\Windows\SysWOW64\rundll32.exe" MD5: 889B99C52A60DD49227C5E485A016679)

cmd.exe (PID: 2020 cmdline: /c del "C:\Users\user\Desktop\3P5I851G78.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 4124 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.avada-casino-tlj.buzz/bc01/"], "decoy": ["epatitis-treatment-26155.bond", "52cy67sk.bond", "nline-degree-6987776.world", "ingxingdiandeng-2033.top", "mberbreeze.cyou", "48xc300mw.autos", "obs-for-seniors-39582.bond", "tpetersburg-3-tonn.online", "egafon-parser.online", "172jh.shop", "ltraman.pro", "bqfhnys.shop", "ntercash24-cad.homes", "uhtwister.cloud", "alk-in-tubs-27353.bond", "ucas-saaad.buzz", "oko.events", "8080713.xyz", "refabricated-homes-74404.bond", "inaa.boo", "nnevateknoloji.xyz", "ar-accident-lawyer-389.today", "ianju-fvqh092.vip", "ealthandwellnessly.digital", "qzxx.top", "q8189.top", "ecurity-service-22477.bond", "ractors-42621.bond", "astamadre.shop", "tonomushotel.xyz", "cowatt.fun", "olocaustaffirmer.net", "delphi.ltd", "mmwinni.buzz", "8009.top", "nline-gaming-ox-fr.xyz", "irtyeffingrancher.info", "omotech-dz.net", "akemoneyonline.bond", "ustbookin.online", "eals.lat", "irmag.online", "eddogbrands.website", "oifulcares.net", "aming-chair-83359.bond", "ewferg.top", "areless.net", "torygame168.online", "y-language-menu.net", "iring-cleaners-2507.xyz", "inancialenlightment.info", "ar-accident-lawyer-389.today", "sicologosportugueses.online", "ajabandot.website", "oidakings.net", "2ar1.shop", "comedia.lol", "kjbrosmm.shop", "ffpage.shop", "nfluencer-marketing-17923.bond", "ebshieldsrenew.live", "lkjuy.xyz", "lussalesapp.website", "hildrens-clothing.today"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1fc29:$a1: E9 92 9D FF FF C3 E8 0x4e049:$a1: E9 92 9D FF FF C3 E8 0x7b469:$a1: E9 92 9D FF FF C3 E8
00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6bc1:$a1: 3C 30 50 4F 53 54 74 09 40 0x34fe1:$a1: 3C 30 50 4F 53 54 74 09 40 0x62401:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d500:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b920:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78d40:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb33f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x3975f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x66b7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16227:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x44647:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71a67:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa278:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa4f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38698:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38912:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16025:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x44445:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71865:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15b11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43f31:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71351:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16127:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x44547:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71967:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1629f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x446bf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71adf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaf0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x3932a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x6674a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19189:$sqlite3step: 68 34 1C 7B E1 0x1929c:$sqlite3step: 68 34 1C 7B E1 0x475a9:$sqlite3step: 68 34 1C 7B E1 0x476bc:$sqlite3step: 68 34 1C 7B E1 0x749c9:$sqlite3step: 68 34 1C 7B E1 0x74adc:$sqlite3step: 68 34 1C 7B E1 0x191b8:$sqlite3text: 68 38 2A 90 C5 0x192dd:$sqlite3text: 68 38 2A 90 C5 0x475d8:$sqlite3text: 68 38 2A 90 C5 0x476fd:$sqlite3text: 68 38 2A 90 C5 0x749f8:$sqlite3text: 68 38 2A 90 C5 0x74b1d:$sqlite3text: 68 38 2A 90 C5 0x191cb:$sqlite3blob: 68 53 D8 7F 8C 0x192f3:$sqlite3blob: 68 53 D8 7F 8C 0x475eb:$sqlite3blob: 68 53 D8 7F 8C 0x47713:$sqlite3blob: 68 53 D8 7F 8C 0x74a0b:$sqlite3blob: 68 53 D8 7F 8C 0x74b33:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.913848993.0000000000F1F000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x2b9:$a1: E9 92 9D FF FF C3 E8
00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.3310801757.000000000E2D0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0x9e2:$a2: pass 0x9e8:$a3: email 0x9ef:$a4: login 0x9f6:$a5: signin 0xa07:$a6: persistent 0xbda:$r1: C:\Users\user\AppData\Roaming\36MO5DE4\36Mlog.ini
Process Memory Space: 3P5I851G78.exe PID: 6716	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 3P5I851G78.exe PID: 6716	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x183ce:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: 3P5I851G78.exe PID: 3936	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe1dd:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: rundll32.exe PID: 6696	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x16e369:$a1: 3C 30 50 4F 53 54 74 09 40 0x16f4f7:$a1: 3C 30 50 4F 53 54 74 09 40 0x1ac8bd:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.3P5I851G78.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.3P5I851G78.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.3P5I851G78.exe.400000.0.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1e4b9:$a1: E9 92 9D FF FF C3 E8
3.2.3P5I851G78.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.3P5I851G78.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.3P5I851G78.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
3.2.3P5I851G78.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.3P5I851G78.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
3.2.3P5I851G78.exe.400000.0.raw.unpack	Windows_Trojan_Diceloader_15eeb7b9	unknown	unknown	0x1f2b9:$a1: E9 92 9D FF FF C3 E8
3.2.3P5I851G78.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.2.3P5I851G78.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.3P5I851G78.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3P5I851G78.exe", ParentImage: C:\Users\user\Desktop\3P5I851G78.exe, ParentProcessId: 6716, ParentProcessName: 3P5I851G78.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe", ProcessId: 1400, ProcessName: powershell.exe

Sigma detected: Rundll32 Execution Without CommandLine Parameters

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\SysWOW64\rundll32.exe", CommandLine: "C:\Windows\SysWOW64\rundll32.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4056, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\Windows\SysWOW64\rundll32.exe", ProcessId: 6696, ProcessName: rundll32.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3P5I851G78.exe", ParentImage: C:\Users\user\Desktop\3P5I851G78.exe, ParentProcessId: 6716, ParentProcessName: 3P5I851G78.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe", ProcessId: 1400, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 4124, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 3P5I851G78.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.avada-casino-tlj.buzz/bc01/	Avira URL Cloud: Label: malware
Source: http://www.avada-casino-tlj.buzz/bc01/www.ajabandot.website	Avira URL Cloud: Label: malware
Source: www.avada-casino-tlj.buzz/bc01/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.avada-casino-tlj.buzz/bc01/"], "decoy": ["epatitis-treatment-26155.bond", "52cy67sk.bond", "nline-degree-6987776.world", "ingxingdiandeng-2033.top", "mberbreeze.cyou", "48xc300mw.autos", "obs-for-seniors-39582.bond", "tpetersburg-3-tonn.online", "egafon-parser.online", "172jh.shop", "ltraman.pro", "bqfhnys.shop", "ntercash24-cad.homes", "uhtwister.cloud", "alk-in-tubs-27353.bond", "ucas-saaad.buzz", "oko.events", "8080713.xyz", "refabricated-homes-74404.bond", "inaa.boo", "nnevateknoloji.xyz", "ar-accident-lawyer-389.today", "ianju-fvqh092.vip", "ealthandwellnessly.digital", "qzxx.top", "q8189.top", "ecurity-service-22477.bond", "ractors-42621.bond", "astamadre.shop", "tonomushotel.xyz", "cowatt.fun", "olocaustaffirmer.net", "delphi.ltd", "mmwinni.buzz", "8009.top", "nline-gaming-ox-fr.xyz", "irtyeffingrancher.info", "omotech-dz.net", "akemoneyonline.bond", "ustbookin.online", "eals.lat", "irmag.online", "eddogbrands.website", "oifulcares.net", "aming-chair-83359.bond", "ewferg.top", "areless.net", "torygame168.online", "y-language-menu.net", "iring-cleaners-2507.xyz", "inancialenlightment.info", "ar-accident-lawyer-389.today", "sicologosportugueses.online", "ajabandot.website", "oidakings.net", "2ar1.shop", "comedia.lol", "kjbrosmm.shop", "ffpage.shop", "nfluencer-marketing-17923.bond", "ebshieldsrenew.live", "lkjuy.xyz", "lussalesapp.website", "hildrens-clothing.today"]}

Multi AV Scanner detection for submitted file

Source: 3P5I851G78.exe	Virustotal: Detection: 77%			Perma Link
Source: 3P5I851G78.exe	ReversingLabs: Detection: 83%

Yara detected FormBook

Source: Yara match	File source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: 3P5I851G78.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3P5I851G78.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: 3P5I851G78.exe, 00000003.00000002.914290467.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.915857022.00000000043D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3295171067.0000000004580000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.914187722.0000000004227000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3295171067.000000000471E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 3P5I851G78.exe, 3P5I851G78.exe, 00000003.00000002.914290467.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000007.00000003.915857022.00000000043D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3295171067.0000000004580000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.914187722.0000000004227000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3295171067.000000000471E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: 3P5I851G78.exe, 00000003.00000002.913907607.0000000000F37000.00000004.00000020.00020000.00000000.sdmp, 3P5I851G78.exe, 00000003.00000002.914211028.0000000001310000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000007.00000002.3293589997.0000000000540000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: 3P5I851G78.exe, 00000003.00000002.913907607.0000000000F37000.00000004.00000020.00020000.00000000.sdmp, 3P5I851G78.exe, 00000003.00000002.914211028.0000000001310000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000007.00000002.3293589997.0000000000540000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: YEZu.pdb source: 3P5I851G78.exe
Source:	Binary string: YEZu.pdbSHA256=Q source: 3P5I851G78.exe

Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 4x nop then jmp 0776AFD1h	0_2_0776A7CA
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 4x nop then jmp 0776AFD1h	0_2_0776A662
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 4x nop then jmp 0776AFD1h	0_2_0776A4F3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 4x nop then jmp 0776AFD1h	0_2_0776A49E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 4x nop then jmp 0776AFD1h	0_2_0776A8AE
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 4x nop then jmp 0776AFD1h	0_2_0776A4C2
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 4x nop then jmp 0776AFD1h	0_2_0776A982
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 4x nop then jmp 0776AFD1h	0_2_0776A8F6
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 4x nop then pop edi	3_2_0040E461
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	7_2_0048E461

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.avada-casino-tlj.buzz/bc01/

Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203
Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203

Source: global traffic

TCP traffic: 192.168.2.8:49671 -> 204.79.197.203:443

Source: unknown	DNS traffic detected: query: www.irtyeffingrancher.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ucas-saaad.buzz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.2ar1.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.mberbreeze.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.cowatt.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lussalesapp.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eddogbrands.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ianju-fvqh092.vip replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.olocaustaffirmer.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.kjbrosmm.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.48xc300mw.autos replaycode: Name error (3)

Source: unknown	DNS traffic detected: query: www.irtyeffingrancher.info replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ucas-saaad.buzz replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.2ar1.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.mberbreeze.cyou replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.cowatt.fun replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.lussalesapp.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.eddogbrands.website replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.ianju-fvqh092.vip replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.olocaustaffirmer.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.kjbrosmm.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: www.48xc300mw.autos replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: www.olocaustaffirmer.net
Source: global traffic	DNS traffic detected: DNS query: www.2ar1.shop
Source: global traffic	DNS traffic detected: DNS query: www.cowatt.fun
Source: global traffic	DNS traffic detected: DNS query: www.eddogbrands.website
Source: global traffic	DNS traffic detected: DNS query: www.irtyeffingrancher.info
Source: global traffic	DNS traffic detected: DNS query: www.48xc300mw.autos
Source: global traffic	DNS traffic detected: DNS query: www.ucas-saaad.buzz
Source: global traffic	DNS traffic detected: DNS query: www.ianju-fvqh092.vip
Source: global traffic	DNS traffic detected: DNS query: www.kjbrosmm.shop
Source: global traffic	DNS traffic detected: DNS query: www.mberbreeze.cyou
Source: global traffic	DNS traffic detected: DNS query: www.lussalesapp.website

Source: explorer.exe, 00000005.00000000.857830401.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.862222610.000000000974B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3075864636.0000000007491000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3303728058.0000000007498000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1782562029.0000000007495000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.853262365.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000005.00000000.857830401.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.862222610.000000000974B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3075864636.0000000007491000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3303728058.0000000007498000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1782562029.0000000007495000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.853262365.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.11.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.11.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: explorer.exe, 00000005.00000000.857830401.0000000007459000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.862222610.000000000974B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3075864636.0000000007491000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3303728058.0000000007498000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1782562029.0000000007495000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.853262365.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000002.3305943202.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.862222610.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 00000005.00000002.3310613328.000000000C46D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780682027.000000000C468000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1778062210.000000000C464000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076529844.000000000C468000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.micr
Source: explorer.exe, 00000005.00000002.3304397394.0000000007940000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.861919061.00000000086A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.3305438794.0000000008680000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 3P5I851G78.exe, 00000000.00000002.853915217.0000000003115000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3P5I851G78.exe	String found in binary or memory: http://tempuri.org/EchipamenteDataSet.xsd
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2ar1.shop
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2ar1.shop/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2ar1.shop/bc01/www.cowatt.fun
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.2ar1.shopReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.48xc300mw.autos
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.48xc300mw.autos/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.48xc300mw.autos/bc01/www.ucas-saaad.buzz
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.48xc300mw.autosReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ajabandot.website
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ajabandot.website/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ajabandot.website/bc01/www.oko.events
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ajabandot.websiteReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avada-casino-tlj.buzz
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avada-casino-tlj.buzz/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avada-casino-tlj.buzz/bc01/www.ajabandot.website
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.avada-casino-tlj.buzzReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cowatt.fun
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cowatt.fun/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cowatt.fun/bc01/www.eddogbrands.website
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cowatt.funReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eddogbrands.website
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eddogbrands.website/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eddogbrands.website/bc01/www.lkjuy.xyz
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.eddogbrands.websiteReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ianju-fvqh092.vip
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ianju-fvqh092.vip/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ianju-fvqh092.vip/bc01/www.kjbrosmm.shop
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ianju-fvqh092.vipReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irtyeffingrancher.info
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irtyeffingrancher.info/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irtyeffingrancher.info/bc01/www.48xc300mw.autos
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.irtyeffingrancher.infoReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kjbrosmm.shop
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kjbrosmm.shop/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kjbrosmm.shop/bc01/www.mberbreeze.cyou
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kjbrosmm.shopReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lkjuy.xyz
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lkjuy.xyz/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lkjuy.xyz/bc01/www.irtyeffingrancher.info
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lkjuy.xyzReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lussalesapp.website
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lussalesapp.website/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lussalesapp.website/bc01/www.avada-casino-tlj.buzz
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lussalesapp.websiteReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mberbreeze.cyou
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mberbreeze.cyou/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mberbreeze.cyou/bc01/www.lussalesapp.website
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mberbreeze.cyouReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oidakings.net
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oidakings.net/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oidakings.net/bc01/Pm
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oidakings.netReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oko.events
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oko.events/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oko.events/bc01/www.oidakings.net
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oko.eventsReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olocaustaffirmer.net
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olocaustaffirmer.net/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olocaustaffirmer.net/bc01/www.2ar1.shop
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.olocaustaffirmer.netReferer:
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ucas-saaad.buzz
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ucas-saaad.buzz/bc01/
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ucas-saaad.buzz/bc01/www.ianju-fvqh092.vip
Source: explorer.exe, 00000005.00000003.1780345292.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.3076738989.000000000C39D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3310508252.000000000C380000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1780982012.000000000C39D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ucas-saaad.buzzReferer:
Source: explorer.exe, 00000005.00000000.867214121.000000000C201000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000005.00000002.3309574612.000000000C18E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.867214121.000000000C18E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000005.00000002.3309574612.000000000C18E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.867214121.000000000C18E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSI
Source: explorer.exe, 00000005.00000002.3309574612.000000000C18E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.867214121.000000000C18E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd
Source: explorer.exe, 00000005.00000000.862222610.00000000095B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3305943202.00000000095B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000005.00000002.3305943202.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.862222610.00000000096DF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000005.00000000.862222610.00000000096C4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3305943202.00000000096C4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
Source: explorer.exe, 00000005.00000002.3305943202.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.862222610.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1779102746.0000000009741000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000005.00000000.867214121.000000000C201000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3309574612.000000000C201000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.comPh
Source: svchost.exe, 0000000B.00000003.1203070187.000002C690121000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 0000000B.00000003.1203070187.000002C6900B0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.11.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
Source: explorer.exe, 00000005.00000000.867214121.000000000C201000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3309574612.000000000C201000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000005.00000000.867214121.000000000C201000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3309574612.000000000C201000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com_
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000005.00000002.3309574612.000000000C18E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.867214121.000000000C18E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000005.00000000.867214121.000000000C201000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3309574612.000000000C201000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comTM~1
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000005.00000002.3300695016.0000000007386000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown

Network traffic detected: HTTP traffic on port 49671 -> 443

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.913848993.0000000000F1F000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.3310801757.000000000E2D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: Process Memory Space: 3P5I851G78.exe PID: 6716, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: 3P5I851G78.exe PID: 3936, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 6696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041A330 NtCreateFile,	3_2_0041A330
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041A3E0 NtReadFile,	3_2_0041A3E0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041A460 NtClose,	3_2_0041A460
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041A510 NtAllocateVirtualMemory,	3_2_0041A510
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041A3DB NtReadFile,	3_2_0041A3DB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041A50F NtAllocateVirtualMemory,	3_2_0041A50F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412B60 NtClose,LdrInitializeThunk,	3_2_01412B60
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01412BF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412AD0 NtReadFile,LdrInitializeThunk,	3_2_01412AD0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_01412D10
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_01412D30
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412DD0 NtDelayExecution,LdrInitializeThunk,	3_2_01412DD0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01412DF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_01412C70
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_01412CA0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412F30 NtCreateSection,LdrInitializeThunk,	3_2_01412F30
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412FE0 NtCreateFile,LdrInitializeThunk,	3_2_01412FE0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412F90 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_01412F90
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412FB0 NtResumeThread,LdrInitializeThunk,	3_2_01412FB0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_01412E80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_01412EA0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01414340 NtSetContextThread,	3_2_01414340
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01414650 NtSuspendThread,	3_2_01414650
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412BE0 NtQueryValueKey,	3_2_01412BE0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412B80 NtQueryInformationFile,	3_2_01412B80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412BA0 NtEnumerateValueKey,	3_2_01412BA0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412AF0 NtWriteFile,	3_2_01412AF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412AB0 NtWaitForSingleObject,	3_2_01412AB0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412D00 NtSetInformationFile,	3_2_01412D00
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412DB0 NtEnumerateKey,	3_2_01412DB0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412C60 NtCreateKey,	3_2_01412C60
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412C00 NtQueryInformationProcess,	3_2_01412C00
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412CC0 NtQueryVirtualMemory,	3_2_01412CC0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412CF0 NtOpenProcess,	3_2_01412CF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412F60 NtCreateProcessEx,	3_2_01412F60
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412FA0 NtQuerySection,	3_2_01412FA0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412E30 NtWriteVirtualMemory,	3_2_01412E30
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412EE0 NtQueueApcThread,	3_2_01412EE0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01413010 NtOpenDirectoryObject,	3_2_01413010
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01413090 NtSetValueKey,	3_2_01413090
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014135C0 NtCreateMutant,	3_2_014135C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014139B0 NtGetContextThread,	3_2_014139B0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01413D70 NtOpenThread,	3_2_01413D70
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01413D10 NtOpenProcessToken,	3_2_01413D10
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2B8232 NtCreateFile,	5_2_0E2B8232
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2B9E12 NtProtectVirtualMemory,	5_2_0E2B9E12
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2B9E0A NtProtectVirtualMemory,	5_2_0E2B9E0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00545CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError,	7_2_00545CF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_005440B1 NtQuerySystemInformation,	7_2_005440B1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00545D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose,	7_2_00545D6A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00544136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess,	7_2_00544136
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_045F2C70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2C60 NtCreateKey,LdrInitializeThunk,	7_2_045F2C60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_045F2CA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_045F2D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2DD0 NtDelayExecution,LdrInitializeThunk,	7_2_045F2DD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_045F2DF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_045F2EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2F30 NtCreateSection,LdrInitializeThunk,	7_2_045F2F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2FE0 NtCreateFile,LdrInitializeThunk,	7_2_045F2FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2AD0 NtReadFile,LdrInitializeThunk,	7_2_045F2AD0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2B60 NtClose,LdrInitializeThunk,	7_2_045F2B60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_045F2BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_045F2BE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F35C0 NtCreateMutant,LdrInitializeThunk,	7_2_045F35C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F4650 NtSuspendThread,	7_2_045F4650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F4340 NtSetContextThread,	7_2_045F4340
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2C00 NtQueryInformationProcess,	7_2_045F2C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2CC0 NtQueryVirtualMemory,	7_2_045F2CC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2CF0 NtOpenProcess,	7_2_045F2CF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2D00 NtSetInformationFile,	7_2_045F2D00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2D30 NtUnmapViewOfSection,	7_2_045F2D30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2DB0 NtEnumerateKey,	7_2_045F2DB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2E30 NtWriteVirtualMemory,	7_2_045F2E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2EE0 NtQueueApcThread,	7_2_045F2EE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2E80 NtReadVirtualMemory,	7_2_045F2E80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2F60 NtCreateProcessEx,	7_2_045F2F60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2F90 NtProtectVirtualMemory,	7_2_045F2F90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2FB0 NtResumeThread,	7_2_045F2FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2FA0 NtQuerySection,	7_2_045F2FA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2AF0 NtWriteFile,	7_2_045F2AF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2AB0 NtWaitForSingleObject,	7_2_045F2AB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2B80 NtQueryInformationFile,	7_2_045F2B80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F2BA0 NtEnumerateValueKey,	7_2_045F2BA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F3010 NtOpenDirectoryObject,	7_2_045F3010
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F3090 NtSetValueKey,	7_2_045F3090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F3D70 NtOpenThread,	7_2_045F3D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F3D10 NtOpenProcessToken,	7_2_045F3D10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F39B0 NtGetContextThread,	7_2_045F39B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049A330 NtCreateFile,	7_2_0049A330
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049A3E0 NtReadFile,	7_2_0049A3E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049A460 NtClose,	7_2_0049A460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049A510 NtAllocateVirtualMemory,	7_2_0049A510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049A3DB NtReadFile,	7_2_0049A3DB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049A50F NtAllocateVirtualMemory,	7_2_0049A50F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048DA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	7_2_048DA036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048D9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	7_2_048D9BAF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048DA042 NtQueryInformationProcess,	7_2_048DA042
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048D9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_048D9BB2

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_018E4210	0_2_018E4210
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_018E6F90	0_2_018E6F90
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_018EDE74	0_2_018EDE74
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_05750040	0_2_05750040
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_05750007	0_2_05750007
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_07416F50	0_2_07416F50
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_07415F60	0_2_07415F60
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_0741EA43	0_2_0741EA43
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_07768500	0_2_07768500
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_077684EF	0_2_077684EF
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_077664A8	0_2_077664A8
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_07766061	0_2_07766061
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_07767FF0	0_2_07767FF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_07765C38	0_2_07765C38
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041E857	3_2_0041E857
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041DAED	3_2_0041DAED
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041DA9C	3_2_0041DA9C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041E4DB	3_2_0041E4DB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041D573	3_2_0041D573
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_00402D89	3_2_00402D89
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041EE4C	3_2_0041EE4C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_00409E5B	3_2_00409E5B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_00409E60	3_2_00409E60
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01468158	3_2_01468158
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D0100	3_2_013D0100
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147A118	3_2_0147A118
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014981CC	3_2_014981CC
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A01AA	3_2_014A01AA
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014941A2	3_2_014941A2
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01472000	3_2_01472000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149A352	3_2_0149A352
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A03E6	3_2_014A03E6
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EE3F0	3_2_013EE3F0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014602C0	3_2_014602C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0535	3_2_013E0535
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A0591	3_2_014A0591
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01492446	3_2_01492446
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01484420	3_2_01484420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148E4F6	3_2_0148E4F6
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01404750	3_2_01404750
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DC7C0	3_2_013DC7C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FC6E0	3_2_013FC6E0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F6962	3_2_013F6962
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014AA9A6	3_2_014AA9A6
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EA840	3_2_013EA840
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E2840	3_2_013E2840
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C68B8	3_2_013C68B8
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E8F0	3_2_0140E8F0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149AB40	3_2_0149AB40
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01496BD7	3_2_01496BD7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EAD00	3_2_013EAD00
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147CD1F	3_2_0147CD1F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F8DBF	3_2_013F8DBF
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DADE0	3_2_013DADE0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0C00	3_2_013E0C00
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D0CF2	3_2_013D0CF2
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480CB5	3_2_01480CB5
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01454F40	3_2_01454F40
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01422F28	3_2_01422F28
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01400F30	3_2_01400F30
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01482F30	3_2_01482F30
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013ECFE0	3_2_013ECFE0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145EFA0	3_2_0145EFA0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D2FC8	3_2_013D2FC8
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0E59	3_2_013E0E59
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149EE26	3_2_0149EE26
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149EEDB	3_2_0149EEDB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F2E90	3_2_013F2E90
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149CE93	3_2_0149CE93
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014AB16B	3_2_014AB16B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0141516C	3_2_0141516C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CF172	3_2_013CF172
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EB1B0	3_2_013EB1B0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148F0CC	3_2_0148F0CC
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014970E9	3_2_014970E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149F0E0	3_2_0149F0E0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E70C0	3_2_013E70C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149132D	3_2_0149132D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CD34C	3_2_013CD34C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0142739A	3_2_0142739A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E52A0	3_2_013E52A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014812ED	3_2_014812ED
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FB2C0	3_2_013FB2C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01497571	3_2_01497571
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147D5B0	3_2_0147D5B0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D1460	3_2_013D1460
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149F43F	3_2_0149F43F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149F7B0	3_2_0149F7B0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014916CC	3_2_014916CC
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01475910	3_2_01475910
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E9950	3_2_013E9950
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FB950	3_2_013FB950
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144D800	3_2_0144D800
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E38E0	3_2_013E38E0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149FB76	3_2_0149FB76
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01455BF0	3_2_01455BF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0141DBF9	3_2_0141DBF9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FFB80	3_2_013FFB80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149FA49	3_2_0149FA49
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01497A46	3_2_01497A46
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01453A6C	3_2_01453A6C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148DAC6	3_2_0148DAC6
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01425AA0	3_2_01425AA0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147DAAC	3_2_0147DAAC
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01481AA3	3_2_01481AA3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01491D5A	3_2_01491D5A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01497D73	3_2_01497D73
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E3D40	3_2_013E3D40
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FFDC0	3_2_013FFDC0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01459C32	3_2_01459C32
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149FCF2	3_2_0149FCF2
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149FF09	3_2_0149FF09
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E1F92	3_2_013E1F92
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013A3FD2	3_2_013A3FD2
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013A3FD5	3_2_013A3FD5
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149FFB1	3_2_0149FFB1
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E9EB0	3_2_013E9EB0
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE89B30	5_2_0BE89B30
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE89B32	5_2_0BE89B32
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE8F232	5_2_0BE8F232
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE925CD	5_2_0BE925CD
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE86D02	5_2_0BE86D02
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE8C912	5_2_0BE8C912
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE85082	5_2_0BE85082
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE8E036	5_2_0BE8E036
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2B8232	5_2_0E2B8232
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2B7036	5_2_0E2B7036
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2AE082	5_2_0E2AE082
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2B2B32	5_2_0E2B2B32
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2B2B30	5_2_0E2B2B30
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2AFD02	5_2_0E2AFD02
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2B5912	5_2_0E2B5912
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2BB5CD	5_2_0E2BB5CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04672446	7_2_04672446
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04664420	7_2_04664420
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0466E4F6	7_2_0466E4F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C0535	7_2_045C0535
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04680591	7_2_04680591
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045DC6E0	7_2_045DC6E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045E4750	7_2_045E4750
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C0770	7_2_045C0770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045BC7C0	7_2_045BC7C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04652000	7_2_04652000
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04648158	7_2_04648158
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045B0100	7_2_045B0100
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0465A118	7_2_0465A118
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_046781CC	7_2_046781CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_046801AA	7_2_046801AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_046741A2	7_2_046741A2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04660274	7_2_04660274
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_046402C0	7_2_046402C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467A352	7_2_0467A352
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_046803E6	7_2_046803E6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045CE3F0	7_2_045CE3F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C0C00	7_2_045C0C00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045B0CF2	7_2_045B0CF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04660CB5	7_2_04660CB5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045CAD00	7_2_045CAD00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0465CD1F	7_2_0465CD1F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045BADE0	7_2_045BADE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045D8DBF	7_2_045D8DBF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C0E59	7_2_045C0E59
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467EE26	7_2_0467EE26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467EEDB	7_2_0467EEDB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045D2E90	7_2_045D2E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467CE93	7_2_0467CE93
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04634F40	7_2_04634F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04602F28	7_2_04602F28
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04662F30	7_2_04662F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045E0F30	7_2_045E0F30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045B2FC8	7_2_045B2FC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045CCFE0	7_2_045CCFE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0463EFA0	7_2_0463EFA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045CA840	7_2_045CA840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C2840	7_2_045C2840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045EE8F0	7_2_045EE8F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045A68B8	7_2_045A68B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045D6962	7_2_045D6962
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0468A9A6	7_2_0468A9A6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C29A0	7_2_045C29A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045BEA80	7_2_045BEA80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467AB40	7_2_0467AB40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04676BD7	7_2_04676BD7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045B1460	7_2_045B1460
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467F43F	7_2_0467F43F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04677571	7_2_04677571
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_046895C3	7_2_046895C3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0465D5B0	7_2_0465D5B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04605630	7_2_04605630
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_046716CC	7_2_046716CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467F7B0	7_2_0467F7B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467F0E0	7_2_0467F0E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C70C0	7_2_045C70C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0466F0CC	7_2_0466F0CC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0468B16B	7_2_0468B16B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045AF172	7_2_045AF172
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045F516C	7_2_045F516C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045CB1B0	7_2_045CB1B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_046612ED	7_2_046612ED
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045DB2C0	7_2_045DB2C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C52A0	7_2_045C52A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045AD34C	7_2_045AD34C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467132D	7_2_0467132D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0460739A	7_2_0460739A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04639C32	7_2_04639C32
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467FCF2	7_2_0467FCF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04677D73	7_2_04677D73
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C3D40	7_2_045C3D40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04671D5A	7_2_04671D5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045DFDC0	7_2_045DFDC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C9EB0	7_2_045C9EB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467FF09	7_2_0467FF09
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04583FD2	7_2_04583FD2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04583FD5	7_2_04583FD5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C1F92	7_2_045C1F92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467FFB1	7_2_0467FFB1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0462D800	7_2_0462D800
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C38E0	7_2_045C38E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045C9950	7_2_045C9950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045DB950	7_2_045DB950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04655910	7_2_04655910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04633A6C	7_2_04633A6C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04677A46	7_2_04677A46
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467FA49	7_2_0467FA49
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0466DAC6	7_2_0466DAC6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04605AA0	7_2_04605AA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04661AA3	7_2_04661AA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0465DAAC	7_2_0465DAAC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0467FB76	7_2_0467FB76
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_04635BF0	7_2_04635BF0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045FDBF9	7_2_045FDBF9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045DFB80	7_2_045DFB80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049E4CE	7_2_0049E4CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049D573	7_2_0049D573
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049E857	7_2_0049E857
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049DA9C	7_2_0049DA9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00482D89	7_2_00482D89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00482D90	7_2_00482D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049EE4C	7_2_0049EE4C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00489E5B	7_2_00489E5B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00489E60	7_2_00489E60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00482FB0	7_2_00482FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048DA036	7_2_048DA036
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048DE5CD	7_2_048DE5CD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048D2D02	7_2_048D2D02
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048D1082	7_2_048D1082
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048D8912	7_2_048D8912
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048DB232	7_2_048DB232
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048D5B30	7_2_048D5B30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_048D5B32	7_2_048D5B32

Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: String function: 0145F290 appears 105 times
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: String function: 013CB970 appears 280 times
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: String function: 01427E54 appears 102 times
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: String function: 0144EA12 appears 86 times
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: String function: 01415130 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0463F290 appears 105 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 045AB970 appears 280 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04607E54 appears 111 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 045F5130 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 0462EA12 appears 86 times

Source: 3P5I851G78.exe, 00000000.00000000.825396087.0000000000E0C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameYEZu.exe8 vs 3P5I851G78.exe
Source: 3P5I851G78.exe, 00000000.00000002.857589805.00000000076D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 3P5I851G78.exe
Source: 3P5I851G78.exe, 00000000.00000002.856943890.00000000073E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs 3P5I851G78.exe
Source: 3P5I851G78.exe, 00000000.00000002.837827845.000000000139E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 3P5I851G78.exe
Source: 3P5I851G78.exe, 00000000.00000002.853915217.0000000003121000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs 3P5I851G78.exe
Source: 3P5I851G78.exe, 00000003.00000002.913907607.0000000000F5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs 3P5I851G78.exe
Source: 3P5I851G78.exe, 00000003.00000002.913907607.0000000000F37000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs 3P5I851G78.exe
Source: 3P5I851G78.exe, 00000003.00000002.914290467.00000000014CD000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 3P5I851G78.exe
Source: 3P5I851G78.exe, 00000003.00000002.914211028.000000000131C000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs 3P5I851G78.exe
Source: 3P5I851G78.exe	Binary or memory string: OriginalFilenameYEZu.exe8 vs 3P5I851G78.exe

Source: 3P5I851G78.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.913848993.0000000000F1F000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.3310801757.000000000E2D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: Process Memory Space: 3P5I851G78.exe PID: 6716, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 3P5I851G78.exe PID: 3936, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 6696, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 3P5I851G78.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, Attqs9I4XaQw8dR5ep.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, Attqs9I4XaQw8dR5ep.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, NnE4Gv1rLj40w0G79X.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, NnE4Gv1rLj40w0G79X.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, NnE4Gv1rLj40w0G79X.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@262/8@11/2

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_00543C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy,

7_2_00543C66

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_0054205A CoCreateInstance,

7_2_0054205A

Source: C:\Users\user\Desktop\3P5I851G78.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3P5I851G78.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yvmkkv4v.ipv.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Command line argument: WLDP.DLL		7_2_00544136
Source: C:\Windows\SysWOW64\rundll32.exe	Command line argument: localserver		7_2_00544136

Source: 3P5I851G78.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3P5I851G78.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\3P5I851G78.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"

Source: 3P5I851G78.exe, 00000000.00000000.825321659.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3294453327.0000000004322000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3296285767.0000000004B6F000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: INSERT INTO [dbo].[Table] ([Id], [Nume], [Grupa_muschi], [Data_livrare], [Pret]) VALUES (@Id, @Nume, @Grupa_muschi, @Data_livrare, @Pret);
Source: 3P5I851G78.exe, 00000000.00000000.825321659.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, rundll32.exe, 00000007.00000002.3294453327.0000000004322000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3296285767.0000000004B6F000.00000004.10000000.00040000.00000000.sdmp	Binary or memory string: UPDATE [dbo].[Table] SET [Id] = @Id, [Nume] = @Nume, [Grupa_muschi] = @Grupa_muschi, [Data_livrare] = @Data_livrare, [Pret] = @Pret WHERE (([Id] = @Original_Id) AND ([Nume] = @Original_Nume) AND ([Grupa_muschi] = @Original_Grupa_muschi) AND ([Data_livrare] = @Original_Data_livrare) AND ([Pret] = @Original_Pret));

Source: 3P5I851G78.exe	Virustotal: Detection: 77%
Source: 3P5I851G78.exe	ReversingLabs: Detection: 83%

Source: unknown	Process created: C:\Users\user\Desktop\3P5I851G78.exe "C:\Users\user\Desktop\3P5I851G78.exe"
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe"
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process created: C:\Users\user\Desktop\3P5I851G78.exe "C:\Users\user\Desktop\3P5I851G78.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\3P5I851G78.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process created: C:\Users\user\Desktop\3P5I851G78.exe "C:\Users\user\Desktop\3P5I851G78.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\3P5I851G78.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\3P5I851G78.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 3P5I851G78.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 3P5I851G78.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 3P5I851G78.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 3P5I851G78.exe, 00000003.00000002.914290467.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.915857022.00000000043D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3295171067.0000000004580000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.914187722.0000000004227000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3295171067.000000000471E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 3P5I851G78.exe, 3P5I851G78.exe, 00000003.00000002.914290467.00000000013A0000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000007.00000003.915857022.00000000043D1000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3295171067.0000000004580000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000007.00000003.914187722.0000000004227000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000007.00000002.3295171067.000000000471E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: rundll32.pdb source: 3P5I851G78.exe, 00000003.00000002.913907607.0000000000F37000.00000004.00000020.00020000.00000000.sdmp, 3P5I851G78.exe, 00000003.00000002.914211028.0000000001310000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, rundll32.exe, 00000007.00000002.3293589997.0000000000540000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: rundll32.pdbGCTL source: 3P5I851G78.exe, 00000003.00000002.913907607.0000000000F37000.00000004.00000020.00020000.00000000.sdmp, 3P5I851G78.exe, 00000003.00000002.914211028.0000000001310000.00000040.10000000.00040000.00000000.sdmp, rundll32.exe, 00000007.00000002.3293589997.0000000000540000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: YEZu.pdb source: 3P5I851G78.exe
Source:	Binary string: YEZu.pdbSHA256=Q source: 3P5I851G78.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 3P5I851G78.exe, Login.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, NnE4Gv1rLj40w0G79X.cs	.Net Code: gricDlP4ig System.Reflection.Assembly.Load(byte[])
Source: 0.2.3P5I851G78.exe.73e0000.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 5.2.explorer.exe.106df840.0.raw.unpack, Login.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 7.2.rundll32.exe.4b6f840.3.raw.unpack, Login.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])

Source: 3P5I851G78.exe

Static PE information: 0xDEA210F1 [Wed May 12 01:18:41 2088 UTC]

Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_07769610 pushfd ; retf	0_2_07769619
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_0776C320 pushad ; iretd	0_2_0776C32D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 0_2_0776D395 push FFFFFF8Bh; iretd	0_2_0776D397
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041B863 push esi; iretd	3_2_0041B866
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_00416B15 push 560BADFBh; retf	3_2_00416B1A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0040E44C push fs; iretd	3_2_0040E453
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041D4D2 push eax; ret	3_2_0041D4D8
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041D4DB push eax; ret	3_2_0041D542
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041D485 push eax; ret	3_2_0041D4D8
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0041D53C push eax; ret	3_2_0041D542
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013A225F pushad ; ret	3_2_013A27F9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013A27FA pushad ; ret	3_2_013A27F9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D09AD push ecx; mov dword ptr [esp], ecx	3_2_013D09B6
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013A283D push eax; iretd	3_2_013A2858
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE92B02 push esp; retn 0000h	5_2_0BE92B03
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE92B1E push esp; retn 0000h	5_2_0BE92B1F
Source: C:\Windows\explorer.exe	Code function: 5_2_0BE929B5 push esp; retn 0000h	5_2_0BE92AE7
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2BBB02 push esp; retn 0000h	5_2_0E2BBB03
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2BBB1E push esp; retn 0000h	5_2_0E2BBB1F
Source: C:\Windows\explorer.exe	Code function: 5_2_0E2BB9B5 push esp; retn 0000h	5_2_0E2BBAE7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0054682D push ecx; ret	7_2_00546840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00546883 push ecx; ret	7_2_00546896
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045827FA pushad ; ret	7_2_045827F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0458225F pushad ; ret	7_2_045827F9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0458283D push eax; iretd	7_2_04582858
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_045B09AD push ecx; mov dword ptr [esp], ecx	7_2_045B09B6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0458135E push eax; iretd	7_2_04581369
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0048E44C push fs; iretd	7_2_0048E453
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049D4DB push eax; ret	7_2_0049D542
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049D4D2 push eax; ret	7_2_0049D4D8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0049D485 push eax; ret	7_2_0049D4D8

Source: 3P5I851G78.exe

Static PE information: section name: .text entropy: 7.515728887545596

Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, XuqctHqdTtyaSw03QR.cs	High entropy of concatenated method names: 'kpDVSZosNj', 'uYRVgeAtwa', 'VyRJdj4evG', 'DT9JWB32T2', 'pdmJrOk3Pp', 'TUYJBEwq81', 'ENPJ7syRc8', 'HpGJicRJ4c', 'bB6JyaadH3', 'WPBJnrIUOf'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, ThMFiE89nZSu8w5YIL.cs	High entropy of concatenated method names: 'AiCM2ij9xW', 'njTM36idVV', 'Qg2Cp5ieK0', 'fSoClwJgCl', 'VbyMjjv5nM', 'bHKMYQIN26', 'NJbMU5uOIa', 'XHYMbLbPEm', 'jEAM68X9cv', 'ghgMxWYfBr'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, ldQhZXll7DWVJ8p0fxS.cs	High entropy of concatenated method names: 'v7sv33lrPF', 'lX6vzicysK', 'U8TTpx7VPL', 'lTiTlEBa8J', 'PFNT9Wl79J', 'KoRTEWdBQk', 'AjPTcKYHeS', 'zjsTZdvpkg', 'oGGTKsaQL9', 'pNwTogtuy5'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, pynNHXyOmy3HdffU08.cs	High entropy of concatenated method names: 'lb3LmuVBmn', 'nShLelj5xG', 'IblLDrVLiJ', 'C7NLk5lS8T', 'xPKLSoosJ3', 'PsXLGm98MB', 'h8NLgR60hw', 'GqZLIgrWWl', 'n16LRKJk0Y', 'lWLLqmaDwa'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, W5HArt4CCmEmHPwRqq.cs	High entropy of concatenated method names: 'RoAPZy1oZ0', 'z0UPorIkKg', 'LGBPVbyqRU', 'VH4PL5LGvg', 'liNP1Is8Td', 'HS6VuC3wBy', 'Kc7V8kdr1b', 'skgVAVH2Gq', 'ThpV2bcpLQ', 'hIwVwVLqFT'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, RHKFhM75AlZtioMX4k.cs	High entropy of concatenated method names: 'OchLKaopU6', 'btrLJWGQai', 'RX1LPIASwC', 'xlvP3iItfN', 'bw0Pz1qfAq', 'sDmLppnvE4', 'berLlre3WY', 'mnFL9BZoFy', 'IZeLEAmT5c', 'HEdLcisqkB'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, Attqs9I4XaQw8dR5ep.cs	High entropy of concatenated method names: 'ssOob6bjXC', 'WZ5o6euxkp', 'SsvoxkKXr8', 'AALofNy5g2', 'IqSouqdF2y', 'DnFo85dkGY', 'uXIoAQ0ZaX', 'L59o2osnV3', 'gZeow54aCp', 'fQQo3p0Amk'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, kRVLFRxPPdA1om01wQ.cs	High entropy of concatenated method names: 'ToString', 'gAdNj4P5j4', 'JbBNtfib8o', 'H6WNdwSsWj', 'ogkNWGHjC7', 'fUxNr6bvM9', 'bi4NBMXWp1', 'VveN74cbKC', 'frfNiTeSXV', 'apVNyHklHQ'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, CoAOoJAP4Jm9DLDrtQ.cs	High entropy of concatenated method names: 'aebO5qD0Ip', 'AHvOM2YbK9', 'VGQOOV6TXO', 'ngfOTDNp7v', 'qDROFDknjo', 'mG0OsmfyJZ', 'Dispose', 'wePCKGwQqU', 'O7ZCo6LE9Z', 'NgVCJg7r94'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, uteAvrlcpLqrxkTlwV2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OpkaOcxbsl', 'FYNavdQK6H', 'ElOaTMgyJ6', 'xPsaaccl42', 'r5taFVtWFu', 'r64aH0ZFIC', 'CyhasQpfjZ'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, tDRWvHUeA4AbnwQHGO.cs	High entropy of concatenated method names: 'iBLQIQwJr1', 'mh2QRPSXrm', 'bToQ4q9LD7', 'UlkQtZJy9u', 'g7hQW3mYC8', 'q5vQrWs2rD', 'eA5Q7jmTsH', 'gSLQiHkUxE', 'aNGQnT5SwS', 'KtCQjV8E0q'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, lBM7hsJloWh9HxwHoL.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'ARa9wLV6di', 'umX93MwaU7', 'TP49zkYJLE', 'u3QEp8IE2g', 'SuFEl6QxZs', 'DAmE9owRnM', 'UL2EE4ei8E', 'z70j3BwKyxtrX0OTwV7'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, MHVXvicEvIY6VjtFia.cs	High entropy of concatenated method names: 'ypklLttqs9', 'GXal1Qw8dR', 'fgrl0n3o30', 'tOJlXUwuqc', 'X03l5QR25H', 'WrtlNCCmEm', 'lMshK0lAedqiGEHL2L', 'QdlO3AicmVbbyL4hIo', 'OJclliLtR8', 'mW2lETWnQR'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, iyXJg4wAhglxAHC4go.cs	High entropy of concatenated method names: 'iRZO4iTDjM', 'JsWOtZIyxp', 'hZQOd0mDJr', 'CP0OWB0mqV', 'nnVOraGWJ3', 'RjsOBBPeX8', 'Q80O7AfLc9', 'tB9OilRA5U', 'AjVOyA6U5O', 'NCqOnRCw1i'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, KZvlnj9oIroObZ9DMw.cs	High entropy of concatenated method names: 'qV2DjxM4u', 'jglkCHvA8', 'WmjGqgUtL', 't12gtHK2d', 'u6tRJ1nAg', 'tM6qfV6Jx', 'bxdxv3j1vtFUtcHVBm', 'qSVoL4VbaR4tTsD0MB', 'SMXCefdDL', 'fr7vXJt4h'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, PHWj2Yz26KOvC5YYpI.cs	High entropy of concatenated method names: 'KqkvGJGSOT', 'xIuvIxsdmD', 'LAxvRjMhts', 'UZev40Ukxl', 'OfivtYX4H0', 'B9pvWgi4Yr', 'vwcvrZKePr', 'uFqvsB79p0', 'MC6vmxYh3T', 'CNTveimrHd'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, gpOcnxorTfdAp1XbPX.cs	High entropy of concatenated method names: 'Dispose', 'hm9lwDLDrt', 'KZV9tGEacD', 'sltqdaAvNU', 'nbll3s2ykl', 'FFHlzPi8KU', 'ProcessDialogKey', 'pnP9pyXJg4', 'Vhg9llxAHC', 'Ggo99sStgt'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, WNklqKRgrn3o30TOJU.cs	High entropy of concatenated method names: 'IWjJkg0EEn', 'uXbJGmaj8m', 'GDSJIA7DUy', 'XjPJRBVak9', 'CBXJ5tUgdC', 'n7kJNsC1Bl', 'tb3JMkuWId', 'QN2JC1DHVQ', 'BjgJOdbpOO', 'HmWJvhHGCs'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, xStgtr3yXQJT4CDMsH.cs	High entropy of concatenated method names: 'elGvJttSBZ', 'KhBvVqOvyY', 'IOhvP5jlGT', 'BwPvLQjLer', 'uZcvOy0kTu', 'LbWv12l2h6', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, NnE4Gv1rLj40w0G79X.cs	High entropy of concatenated method names: 'Js4EZ1w4LI', 'l2YEKfoipI', 'TYEEo1kAAV', 'kivEJCDfj9', 'O86EVpsHrD', 'CTHEPTMDwy', 'rMXELSoXmO', 'Ol7E1smo4k', 'IllEhG4MKV', 'GfoE01NUv5'
Source: 0.2.3P5I851G78.exe.76d0000.1.raw.unpack, LGtpewlphXFsD4Z1bYS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'B8KvjIgeHY', 'QScvYpxFUO', 'THMvUFlf4F', 'NxDvbnsUl8', 'vw7v6q7Qtq', 'coJvx4DEUV', 'hsYvfIj8k7'

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 3P5I851G78.exe PID: 6716, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\3P5I851G78.exe	API/Special instruction interceptor: Address: 7FF9B762D324
Source: C:\Users\user\Desktop\3P5I851G78.exe	API/Special instruction interceptor: Address: 7FF9B7630774
Source: C:\Users\user\Desktop\3P5I851G78.exe	API/Special instruction interceptor: Address: 7FF9B7630154
Source: C:\Users\user\Desktop\3P5I851G78.exe	API/Special instruction interceptor: Address: 7FF9B762D8A4
Source: C:\Users\user\Desktop\3P5I851G78.exe	API/Special instruction interceptor: Address: 7FF9B762DA44
Source: C:\Users\user\Desktop\3P5I851G78.exe	API/Special instruction interceptor: Address: 7FF9B762D1E4

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\3P5I851G78.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3P5I851G78.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 489904 second address: 48990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 489B7E second address: 489B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\3P5I851G78.exe	Memory allocated: 18E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Memory allocated: 50D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Memory allocated: 9260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Memory allocated: A260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Memory allocated: A460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Memory allocated: B460000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe

Code function: 3_2_00409AB0 rdtsc

3_2_00409AB0

Source: C:\Users\user\Desktop\3P5I851G78.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5545	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4056	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 2382	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 7561	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 993	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Window / User API: threadDelayed 8978	Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\rundll32.exe	API coverage: 2.0 %

Source: C:\Users\user\Desktop\3P5I851G78.exe TID: 6712	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6844	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6732	Thread sleep count: 2382 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6732	Thread sleep time: -4764000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6732	Thread sleep count: 7561 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6732	Thread sleep time: -15122000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5572	Thread sleep count: 993 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5572	Thread sleep time: -1986000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5572	Thread sleep count: 8978 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5572	Thread sleep time: -17956000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 984	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 984	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\3P5I851G78.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000005.00000003.1782300507.00000000098F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}CA
Source: explorer.exe, 00000005.00000003.3076967277.00000000031BD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000bb'
Source: explorer.exe, 00000005.00000003.1775490955.00000000097CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000005.00000003.3081125823.000000000984F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: 3P5I851G78.exe, 00000000.00000002.837827845.000000000140A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.853262365.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000_
Source: explorer.exe, 00000005.00000003.1779102746.0000000009741000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00_
Source: explorer.exe, 00000005.00000000.853262365.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bProd_VMware_SATA
Source: explorer.exe, 00000005.00000003.1775490955.00000000097CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000005.00000000.862222610.00000000095B2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3305943202.00000000095B2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWt mouse
Source: explorer.exe, 00000005.00000000.854752204.00000000031A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001
Source: 3P5I851G78.exe, 00000000.00000002.837827845.000000000140A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000005.00000002.3305943202.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.862222610.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3305943202.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.862222610.0000000009741000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.1779102746.0000000009741000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2866049001.000002C69025B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.2865414385.000002C68AC2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000003.3081125823.000000000984F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000005.00000000.854752204.00000000031A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000005.00000000.853262365.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Ji
Source: explorer.exe, 00000005.00000000.853262365.0000000000BD9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000o
Source: explorer.exe, 00000005.00000003.1775490955.00000000097CB000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.857830401.0000000007386000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe

Code function: 3_2_00409AB0 rdtsc

3_2_00409AB0

Source: C:\Users\user\Desktop\3P5I851G78.exe

Code function: 3_2_0040ACF0 LdrLoadDll,

3_2_0040ACF0

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_005425B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

7_2_005425B2

Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01464144 mov eax, dword ptr fs:[00000030h]	3_2_01464144
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01464144 mov eax, dword ptr fs:[00000030h]	3_2_01464144
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01464144 mov ecx, dword ptr fs:[00000030h]	3_2_01464144
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01464144 mov eax, dword ptr fs:[00000030h]	3_2_01464144
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01464144 mov eax, dword ptr fs:[00000030h]	3_2_01464144
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01468158 mov eax, dword ptr fs:[00000030h]	3_2_01468158
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov eax, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov ecx, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov eax, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov eax, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov ecx, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov eax, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov eax, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov ecx, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov eax, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E10E mov ecx, dword ptr fs:[00000030h]	3_2_0147E10E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01490115 mov eax, dword ptr fs:[00000030h]	3_2_01490115
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147A118 mov ecx, dword ptr fs:[00000030h]	3_2_0147A118
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147A118 mov eax, dword ptr fs:[00000030h]	3_2_0147A118
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147A118 mov eax, dword ptr fs:[00000030h]	3_2_0147A118
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147A118 mov eax, dword ptr fs:[00000030h]	3_2_0147A118
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01400124 mov eax, dword ptr fs:[00000030h]	3_2_01400124
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6154 mov eax, dword ptr fs:[00000030h]	3_2_013D6154
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6154 mov eax, dword ptr fs:[00000030h]	3_2_013D6154
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CC156 mov eax, dword ptr fs:[00000030h]	3_2_013CC156
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014961C3 mov eax, dword ptr fs:[00000030h]	3_2_014961C3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014961C3 mov eax, dword ptr fs:[00000030h]	3_2_014961C3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0144E1D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0144E1D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E1D0 mov ecx, dword ptr fs:[00000030h]	3_2_0144E1D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0144E1D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E1D0 mov eax, dword ptr fs:[00000030h]	3_2_0144E1D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CA197 mov eax, dword ptr fs:[00000030h]	3_2_013CA197
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CA197 mov eax, dword ptr fs:[00000030h]	3_2_013CA197
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CA197 mov eax, dword ptr fs:[00000030h]	3_2_013CA197
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A61E5 mov eax, dword ptr fs:[00000030h]	3_2_014A61E5
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014001F8 mov eax, dword ptr fs:[00000030h]	3_2_014001F8
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148C188 mov eax, dword ptr fs:[00000030h]	3_2_0148C188
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148C188 mov eax, dword ptr fs:[00000030h]	3_2_0148C188
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01410185 mov eax, dword ptr fs:[00000030h]	3_2_01410185
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01474180 mov eax, dword ptr fs:[00000030h]	3_2_01474180
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01474180 mov eax, dword ptr fs:[00000030h]	3_2_01474180
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145019F mov eax, dword ptr fs:[00000030h]	3_2_0145019F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145019F mov eax, dword ptr fs:[00000030h]	3_2_0145019F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145019F mov eax, dword ptr fs:[00000030h]	3_2_0145019F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145019F mov eax, dword ptr fs:[00000030h]	3_2_0145019F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01456050 mov eax, dword ptr fs:[00000030h]	3_2_01456050
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CA020 mov eax, dword ptr fs:[00000030h]	3_2_013CA020
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CC020 mov eax, dword ptr fs:[00000030h]	3_2_013CC020
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EE016 mov eax, dword ptr fs:[00000030h]	3_2_013EE016
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EE016 mov eax, dword ptr fs:[00000030h]	3_2_013EE016
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EE016 mov eax, dword ptr fs:[00000030h]	3_2_013EE016
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EE016 mov eax, dword ptr fs:[00000030h]	3_2_013EE016
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01454000 mov ecx, dword ptr fs:[00000030h]	3_2_01454000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01472000 mov eax, dword ptr fs:[00000030h]	3_2_01472000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01472000 mov eax, dword ptr fs:[00000030h]	3_2_01472000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01472000 mov eax, dword ptr fs:[00000030h]	3_2_01472000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01472000 mov eax, dword ptr fs:[00000030h]	3_2_01472000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01472000 mov eax, dword ptr fs:[00000030h]	3_2_01472000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01472000 mov eax, dword ptr fs:[00000030h]	3_2_01472000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01472000 mov eax, dword ptr fs:[00000030h]	3_2_01472000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01472000 mov eax, dword ptr fs:[00000030h]	3_2_01472000
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FC073 mov eax, dword ptr fs:[00000030h]	3_2_013FC073
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D2050 mov eax, dword ptr fs:[00000030h]	3_2_013D2050
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01466030 mov eax, dword ptr fs:[00000030h]	3_2_01466030
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014520DE mov eax, dword ptr fs:[00000030h]	3_2_014520DE
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014560E0 mov eax, dword ptr fs:[00000030h]	3_2_014560E0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014120F0 mov ecx, dword ptr fs:[00000030h]	3_2_014120F0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D208A mov eax, dword ptr fs:[00000030h]	3_2_013D208A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CC0F0 mov eax, dword ptr fs:[00000030h]	3_2_013CC0F0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D80E9 mov eax, dword ptr fs:[00000030h]	3_2_013D80E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CA0E3 mov ecx, dword ptr fs:[00000030h]	3_2_013CA0E3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014680A8 mov eax, dword ptr fs:[00000030h]	3_2_014680A8
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014960B8 mov eax, dword ptr fs:[00000030h]	3_2_014960B8
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014960B8 mov ecx, dword ptr fs:[00000030h]	3_2_014960B8
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01452349 mov eax, dword ptr fs:[00000030h]	3_2_01452349
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01478350 mov ecx, dword ptr fs:[00000030h]	3_2_01478350
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145035C mov eax, dword ptr fs:[00000030h]	3_2_0145035C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145035C mov eax, dword ptr fs:[00000030h]	3_2_0145035C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145035C mov eax, dword ptr fs:[00000030h]	3_2_0145035C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145035C mov ecx, dword ptr fs:[00000030h]	3_2_0145035C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145035C mov eax, dword ptr fs:[00000030h]	3_2_0145035C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145035C mov eax, dword ptr fs:[00000030h]	3_2_0145035C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149A352 mov eax, dword ptr fs:[00000030h]	3_2_0149A352
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CC310 mov ecx, dword ptr fs:[00000030h]	3_2_013CC310
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F0310 mov ecx, dword ptr fs:[00000030h]	3_2_013F0310
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147437C mov eax, dword ptr fs:[00000030h]	3_2_0147437C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A30B mov eax, dword ptr fs:[00000030h]	3_2_0140A30B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A30B mov eax, dword ptr fs:[00000030h]	3_2_0140A30B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A30B mov eax, dword ptr fs:[00000030h]	3_2_0140A30B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148C3CD mov eax, dword ptr fs:[00000030h]	3_2_0148C3CD
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014563C0 mov eax, dword ptr fs:[00000030h]	3_2_014563C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014743D4 mov eax, dword ptr fs:[00000030h]	3_2_014743D4
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014743D4 mov eax, dword ptr fs:[00000030h]	3_2_014743D4
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E3DB mov eax, dword ptr fs:[00000030h]	3_2_0147E3DB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E3DB mov eax, dword ptr fs:[00000030h]	3_2_0147E3DB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E3DB mov ecx, dword ptr fs:[00000030h]	3_2_0147E3DB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147E3DB mov eax, dword ptr fs:[00000030h]	3_2_0147E3DB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C8397 mov eax, dword ptr fs:[00000030h]	3_2_013C8397
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C8397 mov eax, dword ptr fs:[00000030h]	3_2_013C8397
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C8397 mov eax, dword ptr fs:[00000030h]	3_2_013C8397
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F438F mov eax, dword ptr fs:[00000030h]	3_2_013F438F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F438F mov eax, dword ptr fs:[00000030h]	3_2_013F438F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CE388 mov eax, dword ptr fs:[00000030h]	3_2_013CE388
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CE388 mov eax, dword ptr fs:[00000030h]	3_2_013CE388
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CE388 mov eax, dword ptr fs:[00000030h]	3_2_013CE388
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014063FF mov eax, dword ptr fs:[00000030h]	3_2_014063FF
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EE3F0 mov eax, dword ptr fs:[00000030h]	3_2_013EE3F0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EE3F0 mov eax, dword ptr fs:[00000030h]	3_2_013EE3F0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EE3F0 mov eax, dword ptr fs:[00000030h]	3_2_013EE3F0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E03E9 mov eax, dword ptr fs:[00000030h]	3_2_013E03E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E03E9 mov eax, dword ptr fs:[00000030h]	3_2_013E03E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E03E9 mov eax, dword ptr fs:[00000030h]	3_2_013E03E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E03E9 mov eax, dword ptr fs:[00000030h]	3_2_013E03E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E03E9 mov eax, dword ptr fs:[00000030h]	3_2_013E03E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E03E9 mov eax, dword ptr fs:[00000030h]	3_2_013E03E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E03E9 mov eax, dword ptr fs:[00000030h]	3_2_013E03E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E03E9 mov eax, dword ptr fs:[00000030h]	3_2_013E03E9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA3C0 mov eax, dword ptr fs:[00000030h]	3_2_013DA3C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA3C0 mov eax, dword ptr fs:[00000030h]	3_2_013DA3C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA3C0 mov eax, dword ptr fs:[00000030h]	3_2_013DA3C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA3C0 mov eax, dword ptr fs:[00000030h]	3_2_013DA3C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA3C0 mov eax, dword ptr fs:[00000030h]	3_2_013DA3C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA3C0 mov eax, dword ptr fs:[00000030h]	3_2_013DA3C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D83C0 mov eax, dword ptr fs:[00000030h]	3_2_013D83C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D83C0 mov eax, dword ptr fs:[00000030h]	3_2_013D83C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D83C0 mov eax, dword ptr fs:[00000030h]	3_2_013D83C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D83C0 mov eax, dword ptr fs:[00000030h]	3_2_013D83C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01458243 mov eax, dword ptr fs:[00000030h]	3_2_01458243
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01458243 mov ecx, dword ptr fs:[00000030h]	3_2_01458243
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C823B mov eax, dword ptr fs:[00000030h]	3_2_013C823B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148A250 mov eax, dword ptr fs:[00000030h]	3_2_0148A250
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148A250 mov eax, dword ptr fs:[00000030h]	3_2_0148A250
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01480274 mov eax, dword ptr fs:[00000030h]	3_2_01480274
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C826B mov eax, dword ptr fs:[00000030h]	3_2_013C826B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D4260 mov eax, dword ptr fs:[00000030h]	3_2_013D4260
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D4260 mov eax, dword ptr fs:[00000030h]	3_2_013D4260
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D4260 mov eax, dword ptr fs:[00000030h]	3_2_013D4260
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6259 mov eax, dword ptr fs:[00000030h]	3_2_013D6259
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CA250 mov eax, dword ptr fs:[00000030h]	3_2_013CA250
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E02A0 mov eax, dword ptr fs:[00000030h]	3_2_013E02A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E02A0 mov eax, dword ptr fs:[00000030h]	3_2_013E02A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E284 mov eax, dword ptr fs:[00000030h]	3_2_0140E284
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E284 mov eax, dword ptr fs:[00000030h]	3_2_0140E284
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01450283 mov eax, dword ptr fs:[00000030h]	3_2_01450283
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01450283 mov eax, dword ptr fs:[00000030h]	3_2_01450283
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01450283 mov eax, dword ptr fs:[00000030h]	3_2_01450283
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E02E1 mov eax, dword ptr fs:[00000030h]	3_2_013E02E1
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E02E1 mov eax, dword ptr fs:[00000030h]	3_2_013E02E1
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E02E1 mov eax, dword ptr fs:[00000030h]	3_2_013E02E1
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014662A0 mov eax, dword ptr fs:[00000030h]	3_2_014662A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014662A0 mov ecx, dword ptr fs:[00000030h]	3_2_014662A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014662A0 mov eax, dword ptr fs:[00000030h]	3_2_014662A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014662A0 mov eax, dword ptr fs:[00000030h]	3_2_014662A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014662A0 mov eax, dword ptr fs:[00000030h]	3_2_014662A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014662A0 mov eax, dword ptr fs:[00000030h]	3_2_014662A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA2C3 mov eax, dword ptr fs:[00000030h]	3_2_013DA2C3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA2C3 mov eax, dword ptr fs:[00000030h]	3_2_013DA2C3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA2C3 mov eax, dword ptr fs:[00000030h]	3_2_013DA2C3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA2C3 mov eax, dword ptr fs:[00000030h]	3_2_013DA2C3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA2C3 mov eax, dword ptr fs:[00000030h]	3_2_013DA2C3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE53E mov eax, dword ptr fs:[00000030h]	3_2_013FE53E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE53E mov eax, dword ptr fs:[00000030h]	3_2_013FE53E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE53E mov eax, dword ptr fs:[00000030h]	3_2_013FE53E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE53E mov eax, dword ptr fs:[00000030h]	3_2_013FE53E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE53E mov eax, dword ptr fs:[00000030h]	3_2_013FE53E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0535 mov eax, dword ptr fs:[00000030h]	3_2_013E0535
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0535 mov eax, dword ptr fs:[00000030h]	3_2_013E0535
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0535 mov eax, dword ptr fs:[00000030h]	3_2_013E0535
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0535 mov eax, dword ptr fs:[00000030h]	3_2_013E0535
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0535 mov eax, dword ptr fs:[00000030h]	3_2_013E0535
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0535 mov eax, dword ptr fs:[00000030h]	3_2_013E0535
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140656A mov eax, dword ptr fs:[00000030h]	3_2_0140656A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140656A mov eax, dword ptr fs:[00000030h]	3_2_0140656A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140656A mov eax, dword ptr fs:[00000030h]	3_2_0140656A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01466500 mov eax, dword ptr fs:[00000030h]	3_2_01466500
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A4500 mov eax, dword ptr fs:[00000030h]	3_2_014A4500
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A4500 mov eax, dword ptr fs:[00000030h]	3_2_014A4500
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A4500 mov eax, dword ptr fs:[00000030h]	3_2_014A4500
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A4500 mov eax, dword ptr fs:[00000030h]	3_2_014A4500
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A4500 mov eax, dword ptr fs:[00000030h]	3_2_014A4500
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A4500 mov eax, dword ptr fs:[00000030h]	3_2_014A4500
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A4500 mov eax, dword ptr fs:[00000030h]	3_2_014A4500
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D8550 mov eax, dword ptr fs:[00000030h]	3_2_013D8550
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D8550 mov eax, dword ptr fs:[00000030h]	3_2_013D8550
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F45B1 mov eax, dword ptr fs:[00000030h]	3_2_013F45B1
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F45B1 mov eax, dword ptr fs:[00000030h]	3_2_013F45B1
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E5CF mov eax, dword ptr fs:[00000030h]	3_2_0140E5CF
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E5CF mov eax, dword ptr fs:[00000030h]	3_2_0140E5CF
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0140A5D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A5D0 mov eax, dword ptr fs:[00000030h]	3_2_0140A5D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140C5ED mov eax, dword ptr fs:[00000030h]	3_2_0140C5ED
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140C5ED mov eax, dword ptr fs:[00000030h]	3_2_0140C5ED
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D2582 mov eax, dword ptr fs:[00000030h]	3_2_013D2582
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D2582 mov ecx, dword ptr fs:[00000030h]	3_2_013D2582
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01404588 mov eax, dword ptr fs:[00000030h]	3_2_01404588
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE5E7 mov eax, dword ptr fs:[00000030h]	3_2_013FE5E7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE5E7 mov eax, dword ptr fs:[00000030h]	3_2_013FE5E7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE5E7 mov eax, dword ptr fs:[00000030h]	3_2_013FE5E7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE5E7 mov eax, dword ptr fs:[00000030h]	3_2_013FE5E7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE5E7 mov eax, dword ptr fs:[00000030h]	3_2_013FE5E7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE5E7 mov eax, dword ptr fs:[00000030h]	3_2_013FE5E7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE5E7 mov eax, dword ptr fs:[00000030h]	3_2_013FE5E7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE5E7 mov eax, dword ptr fs:[00000030h]	3_2_013FE5E7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E59C mov eax, dword ptr fs:[00000030h]	3_2_0140E59C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D25E0 mov eax, dword ptr fs:[00000030h]	3_2_013D25E0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014505A7 mov eax, dword ptr fs:[00000030h]	3_2_014505A7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014505A7 mov eax, dword ptr fs:[00000030h]	3_2_014505A7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014505A7 mov eax, dword ptr fs:[00000030h]	3_2_014505A7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D65D0 mov eax, dword ptr fs:[00000030h]	3_2_013D65D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E443 mov eax, dword ptr fs:[00000030h]	3_2_0140E443
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E443 mov eax, dword ptr fs:[00000030h]	3_2_0140E443
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E443 mov eax, dword ptr fs:[00000030h]	3_2_0140E443
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E443 mov eax, dword ptr fs:[00000030h]	3_2_0140E443
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E443 mov eax, dword ptr fs:[00000030h]	3_2_0140E443
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E443 mov eax, dword ptr fs:[00000030h]	3_2_0140E443
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E443 mov eax, dword ptr fs:[00000030h]	3_2_0140E443
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140E443 mov eax, dword ptr fs:[00000030h]	3_2_0140E443
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CC427 mov eax, dword ptr fs:[00000030h]	3_2_013CC427
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CE420 mov eax, dword ptr fs:[00000030h]	3_2_013CE420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CE420 mov eax, dword ptr fs:[00000030h]	3_2_013CE420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CE420 mov eax, dword ptr fs:[00000030h]	3_2_013CE420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148A456 mov eax, dword ptr fs:[00000030h]	3_2_0148A456
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145C460 mov ecx, dword ptr fs:[00000030h]	3_2_0145C460
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01408402 mov eax, dword ptr fs:[00000030h]	3_2_01408402
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01408402 mov eax, dword ptr fs:[00000030h]	3_2_01408402
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01408402 mov eax, dword ptr fs:[00000030h]	3_2_01408402
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FA470 mov eax, dword ptr fs:[00000030h]	3_2_013FA470
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FA470 mov eax, dword ptr fs:[00000030h]	3_2_013FA470
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FA470 mov eax, dword ptr fs:[00000030h]	3_2_013FA470
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C645D mov eax, dword ptr fs:[00000030h]	3_2_013C645D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F245A mov eax, dword ptr fs:[00000030h]	3_2_013F245A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01456420 mov eax, dword ptr fs:[00000030h]	3_2_01456420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01456420 mov eax, dword ptr fs:[00000030h]	3_2_01456420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01456420 mov eax, dword ptr fs:[00000030h]	3_2_01456420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01456420 mov eax, dword ptr fs:[00000030h]	3_2_01456420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01456420 mov eax, dword ptr fs:[00000030h]	3_2_01456420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01456420 mov eax, dword ptr fs:[00000030h]	3_2_01456420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01456420 mov eax, dword ptr fs:[00000030h]	3_2_01456420
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A430 mov eax, dword ptr fs:[00000030h]	3_2_0140A430
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D64AB mov eax, dword ptr fs:[00000030h]	3_2_013D64AB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0148A49A mov eax, dword ptr fs:[00000030h]	3_2_0148A49A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D04E5 mov ecx, dword ptr fs:[00000030h]	3_2_013D04E5
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014044B0 mov ecx, dword ptr fs:[00000030h]	3_2_014044B0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145A4B0 mov eax, dword ptr fs:[00000030h]	3_2_0145A4B0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140674D mov esi, dword ptr fs:[00000030h]	3_2_0140674D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140674D mov eax, dword ptr fs:[00000030h]	3_2_0140674D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140674D mov eax, dword ptr fs:[00000030h]	3_2_0140674D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01454755 mov eax, dword ptr fs:[00000030h]	3_2_01454755
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412750 mov eax, dword ptr fs:[00000030h]	3_2_01412750
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412750 mov eax, dword ptr fs:[00000030h]	3_2_01412750
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145E75D mov eax, dword ptr fs:[00000030h]	3_2_0145E75D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D0710 mov eax, dword ptr fs:[00000030h]	3_2_013D0710
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140C700 mov eax, dword ptr fs:[00000030h]	3_2_0140C700
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D8770 mov eax, dword ptr fs:[00000030h]	3_2_013D8770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0770 mov eax, dword ptr fs:[00000030h]	3_2_013E0770
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01400710 mov eax, dword ptr fs:[00000030h]	3_2_01400710
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140C720 mov eax, dword ptr fs:[00000030h]	3_2_0140C720
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140C720 mov eax, dword ptr fs:[00000030h]	3_2_0140C720
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D0750 mov eax, dword ptr fs:[00000030h]	3_2_013D0750
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144C730 mov eax, dword ptr fs:[00000030h]	3_2_0144C730
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140273C mov eax, dword ptr fs:[00000030h]	3_2_0140273C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140273C mov ecx, dword ptr fs:[00000030h]	3_2_0140273C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140273C mov eax, dword ptr fs:[00000030h]	3_2_0140273C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014507C3 mov eax, dword ptr fs:[00000030h]	3_2_014507C3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D07AF mov eax, dword ptr fs:[00000030h]	3_2_013D07AF
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145E7E1 mov eax, dword ptr fs:[00000030h]	3_2_0145E7E1
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D47FB mov eax, dword ptr fs:[00000030h]	3_2_013D47FB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D47FB mov eax, dword ptr fs:[00000030h]	3_2_013D47FB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147678E mov eax, dword ptr fs:[00000030h]	3_2_0147678E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F27ED mov eax, dword ptr fs:[00000030h]	3_2_013F27ED
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F27ED mov eax, dword ptr fs:[00000030h]	3_2_013F27ED
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F27ED mov eax, dword ptr fs:[00000030h]	3_2_013F27ED
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014847A0 mov eax, dword ptr fs:[00000030h]	3_2_014847A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DC7C0 mov eax, dword ptr fs:[00000030h]	3_2_013DC7C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D262C mov eax, dword ptr fs:[00000030h]	3_2_013D262C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EE627 mov eax, dword ptr fs:[00000030h]	3_2_013EE627
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A660 mov eax, dword ptr fs:[00000030h]	3_2_0140A660
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A660 mov eax, dword ptr fs:[00000030h]	3_2_0140A660
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149866E mov eax, dword ptr fs:[00000030h]	3_2_0149866E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149866E mov eax, dword ptr fs:[00000030h]	3_2_0149866E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01402674 mov eax, dword ptr fs:[00000030h]	3_2_01402674
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E260B mov eax, dword ptr fs:[00000030h]	3_2_013E260B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E260B mov eax, dword ptr fs:[00000030h]	3_2_013E260B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E260B mov eax, dword ptr fs:[00000030h]	3_2_013E260B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E260B mov eax, dword ptr fs:[00000030h]	3_2_013E260B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E260B mov eax, dword ptr fs:[00000030h]	3_2_013E260B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E260B mov eax, dword ptr fs:[00000030h]	3_2_013E260B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E260B mov eax, dword ptr fs:[00000030h]	3_2_013E260B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E609 mov eax, dword ptr fs:[00000030h]	3_2_0144E609
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01412619 mov eax, dword ptr fs:[00000030h]	3_2_01412619
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01406620 mov eax, dword ptr fs:[00000030h]	3_2_01406620
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01408620 mov eax, dword ptr fs:[00000030h]	3_2_01408620
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EC640 mov eax, dword ptr fs:[00000030h]	3_2_013EC640
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A6C7 mov ebx, dword ptr fs:[00000030h]	3_2_0140A6C7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A6C7 mov eax, dword ptr fs:[00000030h]	3_2_0140A6C7
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D4690 mov eax, dword ptr fs:[00000030h]	3_2_013D4690
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D4690 mov eax, dword ptr fs:[00000030h]	3_2_013D4690
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014506F1 mov eax, dword ptr fs:[00000030h]	3_2_014506F1
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014506F1 mov eax, dword ptr fs:[00000030h]	3_2_014506F1
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0144E6F2
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0144E6F2
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0144E6F2
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E6F2 mov eax, dword ptr fs:[00000030h]	3_2_0144E6F2
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140C6A6 mov eax, dword ptr fs:[00000030h]	3_2_0140C6A6
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014066B0 mov eax, dword ptr fs:[00000030h]	3_2_014066B0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01450946 mov eax, dword ptr fs:[00000030h]	3_2_01450946
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C8918 mov eax, dword ptr fs:[00000030h]	3_2_013C8918
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C8918 mov eax, dword ptr fs:[00000030h]	3_2_013C8918
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0141096E mov eax, dword ptr fs:[00000030h]	3_2_0141096E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0141096E mov edx, dword ptr fs:[00000030h]	3_2_0141096E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0141096E mov eax, dword ptr fs:[00000030h]	3_2_0141096E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145C97C mov eax, dword ptr fs:[00000030h]	3_2_0145C97C
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01474978 mov eax, dword ptr fs:[00000030h]	3_2_01474978
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01474978 mov eax, dword ptr fs:[00000030h]	3_2_01474978
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E908 mov eax, dword ptr fs:[00000030h]	3_2_0144E908
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144E908 mov eax, dword ptr fs:[00000030h]	3_2_0144E908
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145C912 mov eax, dword ptr fs:[00000030h]	3_2_0145C912
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F6962 mov eax, dword ptr fs:[00000030h]	3_2_013F6962
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F6962 mov eax, dword ptr fs:[00000030h]	3_2_013F6962
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F6962 mov eax, dword ptr fs:[00000030h]	3_2_013F6962
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0146892B mov eax, dword ptr fs:[00000030h]	3_2_0146892B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145892A mov eax, dword ptr fs:[00000030h]	3_2_0145892A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014669C0 mov eax, dword ptr fs:[00000030h]	3_2_014669C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D09AD mov eax, dword ptr fs:[00000030h]	3_2_013D09AD
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D09AD mov eax, dword ptr fs:[00000030h]	3_2_013D09AD
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014049D0 mov eax, dword ptr fs:[00000030h]	3_2_014049D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149A9D3 mov eax, dword ptr fs:[00000030h]	3_2_0149A9D3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E29A0 mov eax, dword ptr fs:[00000030h]	3_2_013E29A0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145E9E0 mov eax, dword ptr fs:[00000030h]	3_2_0145E9E0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014029F9 mov eax, dword ptr fs:[00000030h]	3_2_014029F9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014029F9 mov eax, dword ptr fs:[00000030h]	3_2_014029F9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA9D0 mov eax, dword ptr fs:[00000030h]	3_2_013DA9D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA9D0 mov eax, dword ptr fs:[00000030h]	3_2_013DA9D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA9D0 mov eax, dword ptr fs:[00000030h]	3_2_013DA9D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA9D0 mov eax, dword ptr fs:[00000030h]	3_2_013DA9D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA9D0 mov eax, dword ptr fs:[00000030h]	3_2_013DA9D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DA9D0 mov eax, dword ptr fs:[00000030h]	3_2_013DA9D0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014589B3 mov esi, dword ptr fs:[00000030h]	3_2_014589B3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014589B3 mov eax, dword ptr fs:[00000030h]	3_2_014589B3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014589B3 mov eax, dword ptr fs:[00000030h]	3_2_014589B3
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F2835 mov eax, dword ptr fs:[00000030h]	3_2_013F2835
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F2835 mov eax, dword ptr fs:[00000030h]	3_2_013F2835
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F2835 mov eax, dword ptr fs:[00000030h]	3_2_013F2835
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F2835 mov ecx, dword ptr fs:[00000030h]	3_2_013F2835
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F2835 mov eax, dword ptr fs:[00000030h]	3_2_013F2835
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F2835 mov eax, dword ptr fs:[00000030h]	3_2_013F2835
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01400854 mov eax, dword ptr fs:[00000030h]	3_2_01400854
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01466870 mov eax, dword ptr fs:[00000030h]	3_2_01466870
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01466870 mov eax, dword ptr fs:[00000030h]	3_2_01466870
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145E872 mov eax, dword ptr fs:[00000030h]	3_2_0145E872
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145E872 mov eax, dword ptr fs:[00000030h]	3_2_0145E872
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145C810 mov eax, dword ptr fs:[00000030h]	3_2_0145C810
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D4859 mov eax, dword ptr fs:[00000030h]	3_2_013D4859
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D4859 mov eax, dword ptr fs:[00000030h]	3_2_013D4859
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140A830 mov eax, dword ptr fs:[00000030h]	3_2_0140A830
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147483A mov eax, dword ptr fs:[00000030h]	3_2_0147483A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147483A mov eax, dword ptr fs:[00000030h]	3_2_0147483A
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E2840 mov ecx, dword ptr fs:[00000030h]	3_2_013E2840
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149A8E4 mov eax, dword ptr fs:[00000030h]	3_2_0149A8E4
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0140C8F9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140C8F9 mov eax, dword ptr fs:[00000030h]	3_2_0140C8F9
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D0887 mov eax, dword ptr fs:[00000030h]	3_2_013D0887
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145C89D mov eax, dword ptr fs:[00000030h]	3_2_0145C89D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FE8C0 mov eax, dword ptr fs:[00000030h]	3_2_013FE8C0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01484B4B mov eax, dword ptr fs:[00000030h]	3_2_01484B4B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01484B4B mov eax, dword ptr fs:[00000030h]	3_2_01484B4B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01478B42 mov eax, dword ptr fs:[00000030h]	3_2_01478B42
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01466B40 mov eax, dword ptr fs:[00000030h]	3_2_01466B40
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01466B40 mov eax, dword ptr fs:[00000030h]	3_2_01466B40
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0149AB40 mov eax, dword ptr fs:[00000030h]	3_2_0149AB40
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147EB50 mov eax, dword ptr fs:[00000030h]	3_2_0147EB50
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FEB20 mov eax, dword ptr fs:[00000030h]	3_2_013FEB20
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FEB20 mov eax, dword ptr fs:[00000030h]	3_2_013FEB20
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013CCB7E mov eax, dword ptr fs:[00000030h]	3_2_013CCB7E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144EB1D mov eax, dword ptr fs:[00000030h]	3_2_0144EB1D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144EB1D mov eax, dword ptr fs:[00000030h]	3_2_0144EB1D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144EB1D mov eax, dword ptr fs:[00000030h]	3_2_0144EB1D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144EB1D mov eax, dword ptr fs:[00000030h]	3_2_0144EB1D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144EB1D mov eax, dword ptr fs:[00000030h]	3_2_0144EB1D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144EB1D mov eax, dword ptr fs:[00000030h]	3_2_0144EB1D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144EB1D mov eax, dword ptr fs:[00000030h]	3_2_0144EB1D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144EB1D mov eax, dword ptr fs:[00000030h]	3_2_0144EB1D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144EB1D mov eax, dword ptr fs:[00000030h]	3_2_0144EB1D
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01498B28 mov eax, dword ptr fs:[00000030h]	3_2_01498B28
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01498B28 mov eax, dword ptr fs:[00000030h]	3_2_01498B28
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0BBE mov eax, dword ptr fs:[00000030h]	3_2_013E0BBE
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0BBE mov eax, dword ptr fs:[00000030h]	3_2_013E0BBE
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147EBD0 mov eax, dword ptr fs:[00000030h]	3_2_0147EBD0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145CBF0 mov eax, dword ptr fs:[00000030h]	3_2_0145CBF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FEBFC mov eax, dword ptr fs:[00000030h]	3_2_013FEBFC
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D8BF0 mov eax, dword ptr fs:[00000030h]	3_2_013D8BF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D8BF0 mov eax, dword ptr fs:[00000030h]	3_2_013D8BF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D8BF0 mov eax, dword ptr fs:[00000030h]	3_2_013D8BF0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D0BCD mov eax, dword ptr fs:[00000030h]	3_2_013D0BCD
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D0BCD mov eax, dword ptr fs:[00000030h]	3_2_013D0BCD
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D0BCD mov eax, dword ptr fs:[00000030h]	3_2_013D0BCD
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F0BCB mov eax, dword ptr fs:[00000030h]	3_2_013F0BCB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F0BCB mov eax, dword ptr fs:[00000030h]	3_2_013F0BCB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F0BCB mov eax, dword ptr fs:[00000030h]	3_2_013F0BCB
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01484BB0 mov eax, dword ptr fs:[00000030h]	3_2_01484BB0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01484BB0 mov eax, dword ptr fs:[00000030h]	3_2_01484BB0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F4A35 mov eax, dword ptr fs:[00000030h]	3_2_013F4A35
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013F4A35 mov eax, dword ptr fs:[00000030h]	3_2_013F4A35
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013FEA2E mov eax, dword ptr fs:[00000030h]	3_2_013FEA2E
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0147EA60 mov eax, dword ptr fs:[00000030h]	3_2_0147EA60
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140CA6F mov eax, dword ptr fs:[00000030h]	3_2_0140CA6F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140CA6F mov eax, dword ptr fs:[00000030h]	3_2_0140CA6F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140CA6F mov eax, dword ptr fs:[00000030h]	3_2_0140CA6F
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144CA72 mov eax, dword ptr fs:[00000030h]	3_2_0144CA72
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0144CA72 mov eax, dword ptr fs:[00000030h]	3_2_0144CA72
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0145CA11 mov eax, dword ptr fs:[00000030h]	3_2_0145CA11
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140CA24 mov eax, dword ptr fs:[00000030h]	3_2_0140CA24
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0A5B mov eax, dword ptr fs:[00000030h]	3_2_013E0A5B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013E0A5B mov eax, dword ptr fs:[00000030h]	3_2_013E0A5B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6A50 mov eax, dword ptr fs:[00000030h]	3_2_013D6A50
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6A50 mov eax, dword ptr fs:[00000030h]	3_2_013D6A50
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6A50 mov eax, dword ptr fs:[00000030h]	3_2_013D6A50
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6A50 mov eax, dword ptr fs:[00000030h]	3_2_013D6A50
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6A50 mov eax, dword ptr fs:[00000030h]	3_2_013D6A50
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6A50 mov eax, dword ptr fs:[00000030h]	3_2_013D6A50
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D6A50 mov eax, dword ptr fs:[00000030h]	3_2_013D6A50
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140CA38 mov eax, dword ptr fs:[00000030h]	3_2_0140CA38
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01426ACC mov eax, dword ptr fs:[00000030h]	3_2_01426ACC
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01426ACC mov eax, dword ptr fs:[00000030h]	3_2_01426ACC
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01426ACC mov eax, dword ptr fs:[00000030h]	3_2_01426ACC
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01404AD0 mov eax, dword ptr fs:[00000030h]	3_2_01404AD0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01404AD0 mov eax, dword ptr fs:[00000030h]	3_2_01404AD0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D8AA0 mov eax, dword ptr fs:[00000030h]	3_2_013D8AA0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D8AA0 mov eax, dword ptr fs:[00000030h]	3_2_013D8AA0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140AAEE mov eax, dword ptr fs:[00000030h]	3_2_0140AAEE
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_0140AAEE mov eax, dword ptr fs:[00000030h]	3_2_0140AAEE
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80 mov eax, dword ptr fs:[00000030h]	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80 mov eax, dword ptr fs:[00000030h]	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80 mov eax, dword ptr fs:[00000030h]	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80 mov eax, dword ptr fs:[00000030h]	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80 mov eax, dword ptr fs:[00000030h]	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80 mov eax, dword ptr fs:[00000030h]	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80 mov eax, dword ptr fs:[00000030h]	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80 mov eax, dword ptr fs:[00000030h]	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013DEA80 mov eax, dword ptr fs:[00000030h]	3_2_013DEA80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_014A4A80 mov eax, dword ptr fs:[00000030h]	3_2_014A4A80
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01408A90 mov edx, dword ptr fs:[00000030h]	3_2_01408A90
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01426AA4 mov eax, dword ptr fs:[00000030h]	3_2_01426AA4
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013D0AD0 mov eax, dword ptr fs:[00000030h]	3_2_013D0AD0
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C6D10 mov eax, dword ptr fs:[00000030h]	3_2_013C6D10
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C6D10 mov eax, dword ptr fs:[00000030h]	3_2_013C6D10
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013C6D10 mov eax, dword ptr fs:[00000030h]	3_2_013C6D10
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_01468D6B mov eax, dword ptr fs:[00000030h]	3_2_01468D6B
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EAD00 mov eax, dword ptr fs:[00000030h]	3_2_013EAD00
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EAD00 mov eax, dword ptr fs:[00000030h]	3_2_013EAD00
Source: C:\Users\user\Desktop\3P5I851G78.exe	Code function: 3_2_013EAD00 mov eax, dword ptr fs:[00000030h]	3_2_013EAD00

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_00542E62 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

7_2_00542E62

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00546510 SetUnhandledExceptionFilter,		7_2_00546510
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_005461C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_005461C0

Source: C:\Users\user\Desktop\3P5I851G78.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\3P5I851G78.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe"
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\3P5I851G78.exe	NtQueueApcThread: Indirect: 0x12FA4F2			Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	NtClose: Indirect: 0x12FA56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\3P5I851G78.exe

Memory written: C:\Users\user\Desktop\3P5I851G78.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\3P5I851G78.exe	Thread register set: target process: 4056			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 4056			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\3P5I851G78.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\3P5I851G78.exe

Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 540000

Jump to behavior

Source: C:\Users\user\Desktop\3P5I851G78.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\3P5I851G78.exe"	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Process created: C:\Users\user\Desktop\3P5I851G78.exe "C:\Users\user\Desktop\3P5I851G78.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\3P5I851G78.exe"	Jump to behavior

Source: explorer.exe, 00000005.00000002.3294933502.0000000001231000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.853708562.0000000001231000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.863432920.000000000988D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3293654879.0000000000C50000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.857213109.0000000004810000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.853262365.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3294933502.0000000001231000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000002.3293654879.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000002.3294933502.0000000001231000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.853708562.0000000001231000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\3P5I851G78.exe	Queries volume information: C:\Users\user\Desktop\3P5I851G78.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\3P5I851G78.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_00546735 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_00546735

Source: C:\Users\user\Desktop\3P5I851G78.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.2.3P5I851G78.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.3P5I851G78.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.855098590.00000000040D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294789959.00000000043F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294895967.0000000004420000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.913516599.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3293228083.0000000000480000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	512 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	LSASS Memory	251 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	12 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	512 Process Injection	NTDS	51 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	223 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rundll32	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Timestomp	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3P5I851G78.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
3P5I851G78.exe