Edit tour

Windows Analysis Report
0xHPSESJcg.exe

Overview

General Information

Sample name:	0xHPSESJcg.exe renamed because original name is a hash value
Original sample name:	9b7fee62771dd489a06bd73844e56c4335034872b8d0286cc456ca6077b0e149.exe
Analysis ID:	1634842
MD5:	12ae6d53e14fca4676d4857118c96e45
SHA1:	c7e5bc788ba0cc096dd96c56ecf28d8d6fa5b577
SHA256:	9b7fee62771dd489a06bd73844e56c4335034872b8d0286cc456ca6077b0e149
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

0xHPSESJcg.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\0xHPSESJcg.exe" MD5: 12AE6D53E14FCA4676D4857118C96E45)

powershell.exe (PID: 6476 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 6116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 1480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6880 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 2252 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

0xHPSESJcg.exe (PID: 6652 cmdline: "C:\Users\user\Desktop\0xHPSESJcg.exe" MD5: 12AE6D53E14FCA4676D4857118C96E45)

explorer.exe (PID: 4040 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmmon32.exe (PID: 7264 cmdline: "C:\Windows\SysWOW64\cmmon32.exe" MD5: DEC326E5B4D23503EA5176878DDDB683)

cmd.exe (PID: 7456 cmdline: /c del "C:\Users\user\Desktop\0xHPSESJcg.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

autoconv.exe (PID: 7392 cmdline: "C:\Windows\SysWOW64\autoconv.exe" MD5: A705C2ACED7DDB71AFB87C4ED384BED6)

cmstp.exe (PID: 7412 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)

TlUVldLSnDvyT.exe (PID: 1324 cmdline: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe MD5: 12AE6D53E14FCA4676D4857118C96E45)

schtasks.exe (PID: 7296 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp95B8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TlUVldLSnDvyT.exe (PID: 7344 cmdline: "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe" MD5: 12AE6D53E14FCA4676D4857118C96E45)

TlUVldLSnDvyT.exe (PID: 7352 cmdline: "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe" MD5: 12AE6D53E14FCA4676D4857118C96E45)

svchost.exe (PID: 7712 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ravel-insurance-48465.bond/oi08/"], "decoy": ["om-masshff.top", "griculture-jobs-13665.bond", "lvosuperfood.info", "omalaysianwebsitedirectory.shop", "mandlaamasha.africa", "estimport.biz", "flrt.info", "helon.net", "log555fastbest.shop", "asinol.press", "futbffod.top", "arriage-therapy-69521.bond", "85uz.top", "oreadefensearmy.net", "fhcoy.buzz", "anda-casinoyyzz.top", "almainwebdesign.info", "odfitness.net", "odafenptss.top", "dfght.xyz", "errywang.shop", "ccountant-jobs-30905.bond", "log99facebest.shop", "om-ioiakwea.top", "yfeboi8.pro", "iv-test-13045.bond", "ocated-device.info", "elationship-coach-72760.bond", "reamanddecor.net", "uvne.info", "ttv2ud.cyou", "log88optionbest.shop", "mxtx97d.shop", "reamgetaways234.xyz", "kin-rejuvenation-70531.bond", "log88ablebest.shop", "ibrantzing.pro", "pyubxrmfgdth.shop", "atcatdogdog.shop", "32zf.top", "68shop.cyou", "omfycornerco.click", "eyryi.info", "poredmalru999romero.live", "1powerball.lat", "onstruction-jobs-78291.bond", "efenselenses.info", "ovabridge.tech", "adeupadult.pro", "estosteronepower.sbs", "cghvuwqpc.shop", "om-whupnf.top", "elegramae.beauty", "ealpains.info", "uyukgorus.click", "andscaping-services-37849.bond", "ime.shop", "dpe.bid", "om-scseq.top", "otogel.pro", "verafter.shop", "redit-card-offers-de-5398.today", "angbi-ndara.info", "1139.loan"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6bc1:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d500:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb33f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x16227:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa278:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa4f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x16025:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15b11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x16127:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1629f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaf0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14d8c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbc03:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c267:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19189:$sqlite3step: 68 34 1C 7B E1 0x1929c:$sqlite3step: 68 34 1C 7B E1 0x191b8:$sqlite3text: 68 38 2A 90 C5 0x192dd:$sqlite3text: 68 38 2A 90 C5 0x191cb:$sqlite3blob: 68 53 D8 7F 8C 0x192f3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c6b21:$a1: 3C 30 50 4F 53 54 74 09 40 0x2f3f41:$a1: 3C 30 50 4F 53 54 74 09 40 0x2dd460:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x30a880:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x2cb29f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2f86bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x2d6187:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x3035a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x2ca1d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2ca452:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2f75f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2f7872:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x2d5f85:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x3033a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x2d5a71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x302e91:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x2d6087:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x3034a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x2d61ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x30361f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x2cae6a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2f828a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x2d4cec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x30210c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x2cbb63:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2f8f83:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x2dc1c7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x3095e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x2dd1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x2d90e9:$sqlite3step: 68 34 1C 7B E1 0x2d91fc:$sqlite3step: 68 34 1C 7B E1 0x306509:$sqlite3step: 68 34 1C 7B E1 0x30661c:$sqlite3step: 68 34 1C 7B E1 0x2d9118:$sqlite3text: 68 38 2A 90 C5 0x2d923d:$sqlite3text: 68 38 2A 90 C5 0x306538:$sqlite3text: 68 38 2A 90 C5 0x30665d:$sqlite3text: 68 38 2A 90 C5 0x2d912b:$sqlite3blob: 68 53 D8 7F 8C 0x2d9253:$sqlite3blob: 68 53 D8 7F 8C 0x30654b:$sqlite3blob: 68 53 D8 7F 8C 0x306673:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 0xHPSESJcg.exe PID: 7124	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 0xHPSESJcg.exe PID: 7124	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x109:$a1: 3C 30 50 4F 53 54 74 09 40 0x4bacb:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: 0xHPSESJcg.exe PID: 6652	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2ba7:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: TlUVldLSnDvyT.exe PID: 1324	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: cmmon32.exe PID: 7264	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x81b2b:$a1: 3C 30 50 4F 53 54 74 09 40 0x12d8b7:$a1: 3C 30 50 4F 53 54 74 09 40 0x17634a:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmstp.exe PID: 7412	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x12ace0:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 36 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.0xHPSESJcg.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.0xHPSESJcg.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
7.2.0xHPSESJcg.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
7.2.0xHPSESJcg.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.0xHPSESJcg.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
7.2.0xHPSESJcg.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
7.2.0xHPSESJcg.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
7.2.0xHPSESJcg.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
7.2.0xHPSESJcg.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.0xHPSESJcg.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x78a71:$a1: 3C 30 50 4F 53 54 74 09 40 0xa5e91:$a1: 3C 30 50 4F 53 54 74 09 40 0x8f3b0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xbc7d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x7d1ef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xaa60f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x880d7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xb54f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7c128:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7c3a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa9548:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa97c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x87ed5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb52f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x879c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb4de1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x87fd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb53f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8814f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb556f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x7cdba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xaa1da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x86c3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb405c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7dab3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xaaed3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x8e117:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xbb537:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x8f11a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x8b039:$sqlite3step: 68 34 1C 7B E1 0x8b14c:$sqlite3step: 68 34 1C 7B E1 0xb8459:$sqlite3step: 68 34 1C 7B E1 0xb856c:$sqlite3step: 68 34 1C 7B E1 0x8b068:$sqlite3text: 68 38 2A 90 C5 0x8b18d:$sqlite3text: 68 38 2A 90 C5 0xb8488:$sqlite3text: 68 38 2A 90 C5 0xb85ad:$sqlite3text: 68 38 2A 90 C5 0x8b07b:$sqlite3blob: 68 53 D8 7F 8C 0x8b1a3:$sqlite3blob: 68 53 D8 7F 8C 0xb849b:$sqlite3blob: 68 53 D8 7F 8C 0xb85c3:$sqlite3blob: 68 53 D8 7F 8C
0.2.0xHPSESJcg.exe.465d890.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0.2.0xHPSESJcg.exe.465d890.2.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0.2.0xHPSESJcg.exe.465d890.2.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xeb291:$a1: 3C 30 50 4F 53 54 74 09 40 0x1186b1:$a1: 3C 30 50 4F 53 54 74 09 40 0x101bd0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x12eff0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xefa0f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x11ce2f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xfa8f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x127d17:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0.2.0xHPSESJcg.exe.465d890.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xee948:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xeebc2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11bd68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11bfe2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xfa6f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x127b15:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xfa1e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x127601:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xfa7f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x127c17:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xfa96f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x127d8f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xef5da:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x11c9fa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xf945c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x12687c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xf02d3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x11d6f3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x100937:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x12dd57:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x10193a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0.2.0xHPSESJcg.exe.465d890.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xfd859:$sqlite3step: 68 34 1C 7B E1 0xfd96c:$sqlite3step: 68 34 1C 7B E1 0x12ac79:$sqlite3step: 68 34 1C 7B E1 0x12ad8c:$sqlite3step: 68 34 1C 7B E1 0xfd888:$sqlite3text: 68 38 2A 90 C5 0xfd9ad:$sqlite3text: 68 38 2A 90 C5 0x12aca8:$sqlite3text: 68 38 2A 90 C5 0x12adcd:$sqlite3text: 68 38 2A 90 C5 0xfd89b:$sqlite3blob: 68 53 D8 7F 8C 0xfd9c3:$sqlite3blob: 68 53 D8 7F 8C 0x12acbb:$sqlite3blob: 68 53 D8 7F 8C 0x12ade3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 15 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0xHPSESJcg.exe", ParentImage: C:\Users\user\Desktop\0xHPSESJcg.exe, ParentProcessId: 7124, ParentProcessName: 0xHPSESJcg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe", ProcessId: 6476, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp95B8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp95B8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe, ParentImage: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe, ParentProcessId: 1324, ParentProcessName: TlUVldLSnDvyT.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp95B8.tmp", ProcessId: 7296, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\0xHPSESJcg.exe", ParentImage: C:\Users\user\Desktop\0xHPSESJcg.exe, ParentProcessId: 7124, ParentProcessName: 0xHPSESJcg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp", ProcessId: 2252, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\0xHPSESJcg.exe", ParentImage: C:\Users\user\Desktop\0xHPSESJcg.exe, ParentProcessId: 7124, ParentProcessName: 0xHPSESJcg.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe", ProcessId: 6476, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 616, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7712, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\0xHPSESJcg.exe", ParentImage: C:\Users\user\Desktop\0xHPSESJcg.exe, ParentProcessId: 7124, ParentProcessName: 0xHPSESJcg.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp", ProcessId: 2252, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T05:35:48.715918+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.9	49694	13.248.169.48	80	TCP
2025-03-11T05:36:30.499895+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.9	49695	104.21.64.1	80	TCP
2025-03-11T05:38:15.544314+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.9	49696	76.223.105.230	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 0xHPSESJcg.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.dfght.xyz/oi08/www.andscaping-services-37849.bond	Avira URL Cloud: Label: malware
Source: http://www.otogel.pro/oi08/www.oreadefensearmy.net	Avira URL Cloud: Label: malware
Source: http://www.andscaping-services-37849.bond	Avira URL Cloud: Label: malware
Source: http://www.futbffod.top	Avira URL Cloud: Label: malware
Source: http://www.uvne.info	Avira URL Cloud: Label: malware
Source: http://www.verafter.shop	Avira URL Cloud: Label: malware
Source: http://www.flrt.info	Avira URL Cloud: Label: malware
Source: http://www.onstruction-jobs-78291.bond/oi08/www.iv-test-13045.bond	Avira URL Cloud: Label: malware
Source: http://www.uvne.info/oi08/	Avira URL Cloud: Label: malware
Source: http://www.iv-test-13045.bond	Avira URL Cloud: Label: malware
Source: http://www.ime.shop/oi08/	Avira URL Cloud: Label: malware
Source: http://www.onstruction-jobs-78291.bond/oi08/	Avira URL Cloud: Label: malware
Source: http://www.verafter.shop/oi08/	Avira URL Cloud: Label: malware
Source: http://www.otogel.pro/oi08/	Avira URL Cloud: Label: malware
Source: http://www.verafter.shop/oi08/www.otogel.pro	Avira URL Cloud: Label: malware
Source: http://www.anda-casinoyyzz.top	Avira URL Cloud: Label: malware
Source: http://www.angbi-ndara.info/oi08/	Avira URL Cloud: Label: malware
Source: http://www.uvne.info/oi08/www.angbi-ndara.info	Avira URL Cloud: Label: malware
Source: http://www.ravel-insurance-48465.bond	Avira URL Cloud: Label: malware
Source: http://www.angbi-ndara.info	Avira URL Cloud: Label: malware
Source: http://www.flrt.info/oi08/www.anda-casinoyyzz.top	Avira URL Cloud: Label: malware
Source: http://www.futbffod.top/oi08/	Avira URL Cloud: Label: malware
Source: http://www.anda-casinoyyzz.top/oi08/www.onstruction-jobs-78291.bond	Avira URL Cloud: Label: malware
Source: http://www.oreadefensearmy.net	Avira URL Cloud: Label: malware
Source: http://www.futbffod.top/oi08/www.ravel-insurance-48465.bond	Avira URL Cloud: Label: malware
Source: http://www.oreadefensearmy.net/oi08/www.ime.shop	Avira URL Cloud: Label: malware
Source: http://www.angbi-ndara.info/oi08/www.flrt.info	Avira URL Cloud: Label: malware
Source: http://www.ravel-insurance-48465.bond/oi08/	Avira URL Cloud: Label: malware
Source: http://www.andscaping-services-37849.bond/oi08/www.helon.net	Avira URL Cloud: Label: malware
Source: http://www.anda-casinoyyzz.top/oi08/	Avira URL Cloud: Label: malware
Source: http://www.flrt.info/oi08/	Avira URL Cloud: Label: malware
Source: http://www.ime.shop/oi08/www.uvne.info	Avira URL Cloud: Label: malware
Source: http://www.ravel-insurance-48465.bond/oi08/www.estosteronepower.sbs	Avira URL Cloud: Label: malware
Source: http://www.andscaping-services-37849.bond/oi08/	Avira URL Cloud: Label: malware
Source: http://www.iv-test-13045.bond/oi08/www.futbffod.top	Avira URL Cloud: Label: malware
Source: http://www.helon.net	Avira URL Cloud: Label: malware
Source: http://www.dfght.xyz/oi08/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe

Avira: detection malicious, Label: TR/AD.Swotter.wmskp

Found malware configuration

Source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ravel-insurance-48465.bond/oi08/"], "decoy": ["om-masshff.top", "griculture-jobs-13665.bond", "lvosuperfood.info", "omalaysianwebsitedirectory.shop", "mandlaamasha.africa", "estimport.biz", "flrt.info", "helon.net", "log555fastbest.shop", "asinol.press", "futbffod.top", "arriage-therapy-69521.bond", "85uz.top", "oreadefensearmy.net", "fhcoy.buzz", "anda-casinoyyzz.top", "almainwebdesign.info", "odfitness.net", "odafenptss.top", "dfght.xyz", "errywang.shop", "ccountant-jobs-30905.bond", "log99facebest.shop", "om-ioiakwea.top", "yfeboi8.pro", "iv-test-13045.bond", "ocated-device.info", "elationship-coach-72760.bond", "reamanddecor.net", "uvne.info", "ttv2ud.cyou", "log88optionbest.shop", "mxtx97d.shop", "reamgetaways234.xyz", "kin-rejuvenation-70531.bond", "log88ablebest.shop", "ibrantzing.pro", "pyubxrmfgdth.shop", "atcatdogdog.shop", "32zf.top", "68shop.cyou", "omfycornerco.click", "eyryi.info", "poredmalru999romero.live", "1powerball.lat", "onstruction-jobs-78291.bond", "efenselenses.info", "ovabridge.tech", "adeupadult.pro", "estosteronepower.sbs", "cghvuwqpc.shop", "om-whupnf.top", "elegramae.beauty", "ealpains.info", "uyukgorus.click", "andscaping-services-37849.bond", "ime.shop", "dpe.bid", "om-scseq.top", "otogel.pro", "verafter.shop", "redit-card-offers-de-5398.today", "angbi-ndara.info", "1139.loan"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe

ReversingLabs: Detection: 71%

Multi AV Scanner detection for submitted file

Source: 0xHPSESJcg.exe	Virustotal: Detection: 77%			Perma Link
Source: 0xHPSESJcg.exe	ReversingLabs: Detection: 71%

Yara detected FormBook

Source: Yara match	File source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: 0xHPSESJcg.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0xHPSESJcg.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cmstp.pdbGCTL source: TlUVldLSnDvyT.exe, 0000000F.00000002.975329163.0000000000C18000.00000004.00000020.00020000.00000000.sdmp, TlUVldLSnDvyT.exe, 0000000F.00000002.978137337.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000011.00000002.978393520.0000000000F70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdb source: 0xHPSESJcg.exe, 00000007.00000002.959266247.0000000001500000.00000040.10000000.00040000.00000000.sdmp, 0xHPSESJcg.exe, 00000007.00000002.959505826.0000000001517000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000B.00000002.3341220811.0000000000090000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: 0xHPSESJcg.exe, 00000007.00000002.959266247.0000000001500000.00000040.10000000.00040000.00000000.sdmp, 0xHPSESJcg.exe, 00000007.00000002.959505826.0000000001517000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3341220811.0000000000090000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 0xHPSESJcg.exe, 00000007.00000002.960252755.0000000001AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.958993972.000000000411A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3343505636.000000000461E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.961393269.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3343505636.0000000004480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.978446913.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.976943572.0000000004A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.974848862.00000000048B6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.978446913.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 0xHPSESJcg.exe, 0xHPSESJcg.exe, 00000007.00000002.960252755.0000000001AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000B.00000003.958993972.000000000411A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3343505636.000000000461E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.961393269.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3343505636.0000000004480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.978446913.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.976943572.0000000004A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.974848862.00000000048B6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.978446913.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: TlUVldLSnDvyT.exe, 0000000F.00000002.975329163.0000000000C18000.00000004.00000020.00020000.00000000.sdmp, TlUVldLSnDvyT.exe, 0000000F.00000002.978137337.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000011.00000002.978393520.0000000000F70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: kCe.pdb source: 0xHPSESJcg.exe, TlUVldLSnDvyT.exe.0.dr
Source:	Binary string: kCe.pdbSHA256 source: 0xHPSESJcg.exe, TlUVldLSnDvyT.exe.0.dr

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 4x nop then pop edi	7_2_00416CBE
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 4x nop then jmp 0780BA1Fh	9_2_0780B114
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 4x nop then pop edi	11_2_024B6CBE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49696 -> 76.223.105.230:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49694 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49694 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49694 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49695 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49695 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49695 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49696 -> 76.223.105.230:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.9:49696 -> 76.223.105.230:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ravel-insurance-48465.bond/oi08/

Source: global traffic	HTTP traffic detected: GET /oi08/?Ezu=RMV5CIftrGKaE4KNsRxPyDHZrEZqHURhjFGY8b4VBzIWFyZB8YZN96cTxcc86+L0N6xt&q6A=GbtXjbKPa HTTP/1.1Host: www.helon.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /oi08/?Ezu=HLGOigk8zC7c6l2lrMh01rQ2OJKxivxPRh38Fqcsh+790en3zOTPiNsvxvX68DUiI9Ju&q6A=GbtXjbKPa HTTP/1.1Host: www.otogel.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 8_2_0E1AEF82 getaddrinfo,setsockopt,recv,

8_2_0E1AEF82

Source: global traffic	HTTP traffic detected: GET /oi08/?Ezu=RMV5CIftrGKaE4KNsRxPyDHZrEZqHURhjFGY8b4VBzIWFyZB8YZN96cTxcc86+L0N6xt&q6A=GbtXjbKPa HTTP/1.1Host: www.helon.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /oi08/?Ezu=HLGOigk8zC7c6l2lrMh01rQ2OJKxivxPRh38Fqcsh+790en3zOTPiNsvxvX68DUiI9Ju&q6A=GbtXjbKPa HTTP/1.1Host: www.otogel.proConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.andscaping-services-37849.bond
Source: global traffic	DNS traffic detected: DNS query: www.helon.net
Source: global traffic	DNS traffic detected: DNS query: www.verafter.shop
Source: global traffic	DNS traffic detected: DNS query: www.otogel.pro
Source: global traffic	DNS traffic detected: DNS query: www.oreadefensearmy.net
Source: global traffic	DNS traffic detected: DNS query: www.ime.shop
Source: global traffic	DNS traffic detected: DNS query: www.uvne.info
Source: global traffic	DNS traffic detected: DNS query: www.angbi-ndara.info
Source: global traffic	DNS traffic detected: DNS query: www.flrt.info
Source: global traffic	DNS traffic detected: DNS query: www.anda-casinoyyzz.top
Source: global traffic	DNS traffic detected: DNS query: www.onstruction-jobs-78291.bond

Source: explorer.exe, 00000008.00000000.904230904.0000000009418000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3356205344.0000000009451000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904958394.0000000009487000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904230904.00000000093E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3356205344.0000000009418000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000008.00000003.3078260449.000000000949A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: svchost.exe, 00000015.00000002.2872992430.000001411DC00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: explorer.exe, 00000008.00000000.904230904.0000000009418000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3356205344.0000000009451000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904958394.0000000009487000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904230904.00000000093E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3356205344.0000000009418000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.21.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.21.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: explorer.exe, 00000008.00000000.900120846.00000000042E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3347340592.00000000042E7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe
Source: explorer.exe, 00000008.00000000.900120846.00000000042E7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3347340592.00000000042E7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.om/8j
Source: explorer.exe, 00000008.00000000.904230904.0000000009418000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3356205344.0000000009451000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904958394.0000000009487000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904230904.00000000093E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3356205344.0000000009418000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000008.00000000.904230904.0000000009418000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3356205344.0000000009418000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 00000008.00000002.3360140571.000000000C1A0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000008.00000002.3355172895.00000000074E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.902947958.0000000007540000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.902925038.0000000007520000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 0xHPSESJcg.exe, 00000000.00000002.899428590.0000000002E35000.00000004.00000800.00020000.00000000.sdmp, TlUVldLSnDvyT.exe, 00000009.00000002.947438587.0000000003257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anda-casinoyyzz.top
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anda-casinoyyzz.top/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anda-casinoyyzz.top/oi08/www.onstruction-jobs-78291.bond
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.anda-casinoyyzz.topReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.andscaping-services-37849.bond
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.andscaping-services-37849.bond/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.andscaping-services-37849.bond/oi08/www.helon.net
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.andscaping-services-37849.bondReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.angbi-ndara.info
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.angbi-ndara.info/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.angbi-ndara.info/oi08/www.flrt.info
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.angbi-ndara.infoReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dfght.xyz
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dfght.xyz/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dfght.xyz/oi08/www.andscaping-services-37849.bond
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dfght.xyzReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estosteronepower.sbs
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estosteronepower.sbs/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.estosteronepower.sbsReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flrt.info
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flrt.info/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flrt.info/oi08/www.anda-casinoyyzz.top
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flrt.infoReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.futbffod.top
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.futbffod.top/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.futbffod.top/oi08/www.ravel-insurance-48465.bond
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.futbffod.topReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.helon.net
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.helon.net/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.helon.net/oi08/www.verafter.shop
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.helon.netReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ime.shop
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ime.shop/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ime.shop/oi08/www.uvne.info
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ime.shopReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iv-test-13045.bond
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iv-test-13045.bond/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iv-test-13045.bond/oi08/www.futbffod.top
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.iv-test-13045.bondReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onstruction-jobs-78291.bond
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onstruction-jobs-78291.bond/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onstruction-jobs-78291.bond/oi08/www.iv-test-13045.bond
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.onstruction-jobs-78291.bondReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oreadefensearmy.net
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oreadefensearmy.net/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oreadefensearmy.net/oi08/www.ime.shop
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.oreadefensearmy.netReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otogel.pro
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otogel.pro/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otogel.pro/oi08/www.oreadefensearmy.net
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.otogel.proReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ravel-insurance-48465.bond
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ravel-insurance-48465.bond/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ravel-insurance-48465.bond/oi08/www.estosteronepower.sbs
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ravel-insurance-48465.bondReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uvne.info
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uvne.info/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uvne.info/oi08/www.angbi-ndara.info
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uvne.infoReferer:
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.verafter.shop
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.verafter.shop/oi08/
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.verafter.shop/oi08/www.otogel.pro
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.verafter.shopReferer:
Source: explorer.exe, 00000008.00000000.909783101.000000000BF2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000008.00000000.909783101.000000000BF2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000008.00000000.909783101.000000000BF2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS0$
Source: explorer.exe, 00000008.00000000.909783101.000000000BF2F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSd$
Source: explorer.exe, 00000008.00000003.2663687116.0000000002F04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.899659666.0000000002EF0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3345065456.0000000002F04000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2666658479.0000000002F12000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3078442033.0000000002F12000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000002.3356205344.00000000093E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904230904.00000000093E1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=A1668CA4549A443399161CE8D2237D12&timeOut=5000&oc
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000002.3356205344.00000000092E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904230904.00000000092E4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKhb-dark
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPfv-dark
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gPi8-dark
Source: explorer.exe, 00000008.00000000.904230904.0000000009433000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000008.00000002.3359676279.000000000BF84000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.909783101.000000000BF2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2659150247.000000000BF81000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: qmgr.db.21.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
Source: svchost.exe, 00000015.00000003.1203476670.000001411D9F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1eBTmz.img
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AATs0AB.img
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BB1e6XdQ.img
Source: explorer.exe, 00000008.00000002.3359676279.000000000BF84000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.909783101.000000000BF2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2659150247.000000000BF81000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://parade.com/61481/toriavey/where-did-hamburgers-originate
Source: explorer.exe, 00000008.00000002.3359676279.000000000BF84000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.909783101.000000000BF2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2659150247.000000000BF81000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000000.909783101.000000000BEB3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3359171878.000000000BEB3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000008.00000002.3359676279.000000000BF84000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.909783101.000000000BF2F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.2659150247.000000000BF81000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/foodanddrink/foodnews/the-best-burger-place-in-phoenix-plus-see-the-rest-o
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/kaiser-permanente-and-unions-for-75-000-striking-health-wo
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/here-s-what-house-rules-say-about-trump-serving-as-speaker-o
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-whines-to-cameras-in-ny-fraud-case-before-fleeing-to-f
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/a-second-war-could-easily-erupt-in-europe-while-everyone-s-dist
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/england-considers-raising-smoking-age-until-cigarettes-are-bann
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/nobel-prize-in-literature-to-be-announced-in-stockholm/ar-AA1hI
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-expresses-worry-about-congressional
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.stacker.com/arizona/phoenix
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.starsinsider.com/n/154870?utm_source=msn.com&utm_medium=display&utm_campaign=referral_de
Source: explorer.exe, 00000008.00000000.901154294.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3351722773.0000000006E1D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.yelp.com

Source: unknown

Network traffic detected: HTTP traffic on port 49671 -> 443

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 0xHPSESJcg.exe PID: 7124, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: 0xHPSESJcg.exe PID: 6652, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmmon32.exe PID: 7264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 7412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041A330 NtCreateFile,	7_2_0041A330
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041A3E0 NtReadFile,	7_2_0041A3E0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041A460 NtClose,	7_2_0041A460
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041A510 NtAllocateVirtualMemory,	7_2_0041A510
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041A32A NtCreateFile,	7_2_0041A32A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041A3DD NtReadFile,	7_2_0041A3DD
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041A45C NtClose,	7_2_0041A45C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041A50A NtAllocateVirtualMemory,	7_2_0041A50A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_01B62BF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62B60 NtClose,LdrInitializeThunk,	7_2_01B62B60
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62AD0 NtReadFile,LdrInitializeThunk,	7_2_01B62AD0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_01B62DF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62DD0 NtDelayExecution,LdrInitializeThunk,	7_2_01B62DD0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_01B62D30
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_01B62D10
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_01B62CA0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_01B62C70
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62FB0 NtResumeThread,LdrInitializeThunk,	7_2_01B62FB0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62F90 NtProtectVirtualMemory,LdrInitializeThunk,	7_2_01B62F90
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62FE0 NtCreateFile,LdrInitializeThunk,	7_2_01B62FE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62F30 NtCreateSection,LdrInitializeThunk,	7_2_01B62F30
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	7_2_01B62EA0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_01B62E80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B64340 NtSetContextThread,	7_2_01B64340
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B64650 NtSuspendThread,	7_2_01B64650
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62BA0 NtEnumerateValueKey,	7_2_01B62BA0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62B80 NtQueryInformationFile,	7_2_01B62B80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62BE0 NtQueryValueKey,	7_2_01B62BE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62AB0 NtWaitForSingleObject,	7_2_01B62AB0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62AF0 NtWriteFile,	7_2_01B62AF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62DB0 NtEnumerateKey,	7_2_01B62DB0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62D00 NtSetInformationFile,	7_2_01B62D00
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62CF0 NtOpenProcess,	7_2_01B62CF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62CC0 NtQueryVirtualMemory,	7_2_01B62CC0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62C00 NtQueryInformationProcess,	7_2_01B62C00
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62C60 NtCreateKey,	7_2_01B62C60
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62FA0 NtQuerySection,	7_2_01B62FA0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62F60 NtCreateProcessEx,	7_2_01B62F60
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62EE0 NtQueueApcThread,	7_2_01B62EE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62E30 NtWriteVirtualMemory,	7_2_01B62E30
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B63090 NtSetValueKey,	7_2_01B63090
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B63010 NtOpenDirectoryObject,	7_2_01B63010
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B635C0 NtCreateMutant,	7_2_01B635C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B639B0 NtGetContextThread,	7_2_01B639B0
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1AFE12 NtProtectVirtualMemory,	8_2_0E1AFE12
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1AE232 NtCreateFile,	8_2_0E1AE232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1AFE0A NtProtectVirtualMemory,	8_2_0E1AFE0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2C60 NtCreateKey,LdrInitializeThunk,	11_2_044F2C60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2C70 NtFreeVirtualMemory,LdrInitializeThunk,	11_2_044F2C70
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2CA0 NtQueryInformationToken,LdrInitializeThunk,	11_2_044F2CA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2D10 NtMapViewOfSection,LdrInitializeThunk,	11_2_044F2D10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2DD0 NtDelayExecution,LdrInitializeThunk,	11_2_044F2DD0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2DF0 NtQuerySystemInformation,LdrInitializeThunk,	11_2_044F2DF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	11_2_044F2EA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2F30 NtCreateSection,LdrInitializeThunk,	11_2_044F2F30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2FE0 NtCreateFile,LdrInitializeThunk,	11_2_044F2FE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2AD0 NtReadFile,LdrInitializeThunk,	11_2_044F2AD0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2B60 NtClose,LdrInitializeThunk,	11_2_044F2B60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2BE0 NtQueryValueKey,LdrInitializeThunk,	11_2_044F2BE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	11_2_044F2BF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F35C0 NtCreateMutant,LdrInitializeThunk,	11_2_044F35C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F4650 NtSuspendThread,	11_2_044F4650
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F4340 NtSetContextThread,	11_2_044F4340
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2C00 NtQueryInformationProcess,	11_2_044F2C00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2CC0 NtQueryVirtualMemory,	11_2_044F2CC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2CF0 NtOpenProcess,	11_2_044F2CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2D00 NtSetInformationFile,	11_2_044F2D00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2D30 NtUnmapViewOfSection,	11_2_044F2D30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2DB0 NtEnumerateKey,	11_2_044F2DB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2E30 NtWriteVirtualMemory,	11_2_044F2E30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2EE0 NtQueueApcThread,	11_2_044F2EE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2E80 NtReadVirtualMemory,	11_2_044F2E80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2F60 NtCreateProcessEx,	11_2_044F2F60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2F90 NtProtectVirtualMemory,	11_2_044F2F90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2FA0 NtQuerySection,	11_2_044F2FA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2FB0 NtResumeThread,	11_2_044F2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2AF0 NtWriteFile,	11_2_044F2AF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2AB0 NtWaitForSingleObject,	11_2_044F2AB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2B80 NtQueryInformationFile,	11_2_044F2B80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F2BA0 NtEnumerateValueKey,	11_2_044F2BA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F3010 NtOpenDirectoryObject,	11_2_044F3010
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F3090 NtSetValueKey,	11_2_044F3090
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F3D70 NtOpenThread,	11_2_044F3D70
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F3D10 NtOpenProcessToken,	11_2_044F3D10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F39B0 NtGetContextThread,	11_2_044F39B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BA330 NtCreateFile,	11_2_024BA330
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BA3E0 NtReadFile,	11_2_024BA3E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BA460 NtClose,	11_2_024BA460
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BA510 NtAllocateVirtualMemory,	11_2_024BA510
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BA32A NtCreateFile,	11_2_024BA32A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BA3DD NtReadFile,	11_2_024BA3DD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BA45C NtClose,	11_2_024BA45C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BA50A NtAllocateVirtualMemory,	11_2_024BA50A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042AA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	11_2_042AA036
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042A9B97 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	11_2_042A9B97
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042AA042 NtQueryInformationProcess,	11_2_042AA042
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042A9BAF NtCreateSection,NtMapViewOfSection,	11_2_042A9BAF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042A9BB2 NtCreateSection,NtMapViewOfSection,	11_2_042A9BB2

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 0_2_02ACD6CC	0_2_02ACD6CC
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041D82E	7_2_0041D82E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041D952	7_2_0041D952
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041D576	7_2_0041D576
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041E584	7_2_0041E584
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041DD90	7_2_0041DD90
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_00409E5B	7_2_00409E5B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_00409E60	7_2_00409E60
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF21AE	7_2_01BF21AE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF01AA	7_2_01BF01AA
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE81CC	7_2_01BE81CC
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCA118	7_2_01BCA118
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20100	7_2_01B20100
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB8158	7_2_01BB8158
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC2000	7_2_01BC2000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3E3F0	7_2_01B3E3F0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF03E6	7_2_01BF03E6
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEA352	7_2_01BEA352
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB02C0	7_2_01BB02C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF0591	7_2_01BF0591
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30535	7_2_01B30535
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDE4F6	7_2_01BDE4F6
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD4420	7_2_01BD4420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE2446	7_2_01BE2446
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2C7C0	7_2_01B2C7C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B54750	7_2_01B54750
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4C6E0	7_2_01B4C6E0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B46962	7_2_01B46962
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B168B8	7_2_01B168B8
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E8F0	7_2_01B5E8F0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3A840	7_2_01B3A840
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEEB89	7_2_01BEEB89
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE6BD7	7_2_01BE6BD7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B48DBF	7_2_01B48DBF
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2ADE0	7_2_01B2ADE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B38DC0	7_2_01B38DC0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCCD1F	7_2_01BCCD1F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3AD00	7_2_01B3AD00
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20CF2	7_2_01B20CF2
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30C00	7_2_01B30C00
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAEFA0	7_2_01BAEFA0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B22FC8	7_2_01B22FC8
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B50F30	7_2_01B50F30
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD2F30	7_2_01BD2F30
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B72F28	7_2_01B72F28
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA4F40	7_2_01BA4F40
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B42E90	7_2_01B42E90
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BECE93	7_2_01BECE93
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEEEDB	7_2_01BEEEDB
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEEE26	7_2_01BEEE26
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3B1B0	7_2_01B3B1B0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1F172	7_2_01B1F172
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BFB16B	7_2_01BFB16B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B6516C	7_2_01B6516C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE70E9	7_2_01BE70E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEF0E0	7_2_01BEF0E0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDF0CC	7_2_01BDF0CC
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE132D	7_2_01BE132D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1D34C	7_2_01B1D34C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B352A0	7_2_01B352A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4D2F0	7_2_01B4D2F0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD12ED	7_2_01BD12ED
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4B2C0	7_2_01B4B2C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCD5B0	7_2_01BCD5B0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE7571	7_2_01BE7571
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEF43F	7_2_01BEF43F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B21460	7_2_01B21460
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEF7B0	7_2_01BEF7B0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B217EC	7_2_01B217EC
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE16CC	7_2_01BE16CC
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B35990	7_2_01B35990
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC5910	7_2_01BC5910
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B39950	7_2_01B39950
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4B950	7_2_01B4B950
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B338E0	7_2_01B338E0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9D800	7_2_01B9D800
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4FB80	7_2_01B4FB80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA5BF0	7_2_01BA5BF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B6DBF9	7_2_01B6DBF9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEFB76	7_2_01BEFB76
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCDAAC	7_2_01BCDAAC
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD1AA3	7_2_01BD1AA3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDDAC6	7_2_01BDDAC6
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA3A6C	7_2_01BA3A6C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEFA49	7_2_01BEFA49
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE7A46	7_2_01BE7A46
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4FDC0	7_2_01B4FDC0
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF785CD	8_2_0DF785CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF72912	8_2_0DF72912
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF6CD02	8_2_0DF6CD02
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF6B082	8_2_0DF6B082
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF74036	8_2_0DF74036
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF6FB32	8_2_0DF6FB32
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF6FB30	8_2_0DF6FB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF75232	8_2_0DF75232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1AE232	8_2_0E1AE232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1AD036	8_2_0E1AD036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1A4082	8_2_0E1A4082
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1AB912	8_2_0E1AB912
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1A5D02	8_2_0E1A5D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1A8B32	8_2_0E1A8B32
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1A8B30	8_2_0E1A8B30
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1B15CD	8_2_0E1B15CD
Source: C:\Windows\explorer.exe	Code function: 8_2_104F1036	8_2_104F1036
Source: C:\Windows\explorer.exe	Code function: 8_2_104E8082	8_2_104E8082
Source: C:\Windows\explorer.exe	Code function: 8_2_104E9D02	8_2_104E9D02
Source: C:\Windows\explorer.exe	Code function: 8_2_104EF912	8_2_104EF912
Source: C:\Windows\explorer.exe	Code function: 8_2_104F55CD	8_2_104F55CD
Source: C:\Windows\explorer.exe	Code function: 8_2_104F2232	8_2_104F2232
Source: C:\Windows\explorer.exe	Code function: 8_2_104ECB32	8_2_104ECB32
Source: C:\Windows\explorer.exe	Code function: 8_2_104ECB30	8_2_104ECB30
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_03024AE1	9_2_03024AE1
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0302D6CC	9_2_0302D6CC
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0748C120	9_2_0748C120
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0748AA48	9_2_0748AA48
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0748E630	9_2_0748E630
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0748F590	9_2_0748F590
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0748F5A0	9_2_0748F5A0
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0748F2A8	9_2_0748F2A8
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0748F2B8	9_2_0748F2B8
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0780D288	9_2_0780D288
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_07803BBC	9_2_07803BBC
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_078064C8	9_2_078064C8
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_07806090	9_2_07806090
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_07806056	9_2_07806056
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_07807D08	9_2_07807D08
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_07807CF8	9_2_07807CF8
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_078089D1	9_2_078089D1
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_078089E0	9_2_078089E0
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_07806900	9_2_07806900
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04572446	11_2_04572446
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04564420	11_2_04564420
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0456E4F6	11_2_0456E4F6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C0535	11_2_044C0535
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04580591	11_2_04580591
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044DC6E0	11_2_044DC6E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044E4750	11_2_044E4750
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C0770	11_2_044C0770
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044BC7C0	11_2_044BC7C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04552000	11_2_04552000
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04548158	11_2_04548158
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044B0100	11_2_044B0100
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0455A118	11_2_0455A118
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_045781CC	11_2_045781CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_045801AA	11_2_045801AA
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_045741A2	11_2_045741A2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_045821AE	11_2_045821AE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_045402C0	11_2_045402C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457A352	11_2_0457A352
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044CE3F0	11_2_044CE3F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_045803E6	11_2_045803E6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C0C00	11_2_044C0C00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044B0CF2	11_2_044B0CF2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0455CD1F	11_2_0455CD1F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044CAD00	11_2_044CAD00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C8DC0	11_2_044C8DC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044BADE0	11_2_044BADE0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044D8DBF	11_2_044D8DBF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457EE26	11_2_0457EE26
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457EEDB	11_2_0457EEDB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457CE93	11_2_0457CE93
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044D2E90	11_2_044D2E90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04534F40	11_2_04534F40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04562F30	11_2_04562F30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04502F28	11_2_04502F28
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044E0F30	11_2_044E0F30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044B2FC8	11_2_044B2FC8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0453EFA0	11_2_0453EFA0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044CA840	11_2_044CA840
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044EE8F0	11_2_044EE8F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044A68B8	11_2_044A68B8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044D6962	11_2_044D6962
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C29A0	11_2_044C29A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044BEA80	11_2_044BEA80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457AB40	11_2_0457AB40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04576BD7	11_2_04576BD7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457EB89	11_2_0457EB89
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044B1460	11_2_044B1460
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457F43F	11_2_0457F43F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04577571	11_2_04577571
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0455D5B0	11_2_0455D5B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_045716CC	11_2_045716CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044B17EC	11_2_044B17EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457F7B0	11_2_0457F7B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0456F0CC	11_2_0456F0CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457F0E0	11_2_0457F0E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_045770E9	11_2_045770E9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044F516C	11_2_044F516C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0458B16B	11_2_0458B16B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044AF172	11_2_044AF172
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044CB1B0	11_2_044CB1B0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044DB2C0	11_2_044DB2C0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_045612ED	11_2_045612ED
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044DD2F0	11_2_044DD2F0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C52A0	11_2_044C52A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044AD34C	11_2_044AD34C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457132D	11_2_0457132D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04539C32	11_2_04539C32
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457FCF2	11_2_0457FCF2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04571D5A	11_2_04571D5A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04577D73	11_2_04577D73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044DFDC0	11_2_044DFDC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C9EB0	11_2_044C9EB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457FF09	11_2_0457FF09
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C1F92	11_2_044C1F92
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457FFB1	11_2_0457FFB1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0452D800	11_2_0452D800
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C38E0	11_2_044C38E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C9950	11_2_044C9950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044DB950	11_2_044DB950
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04555910	11_2_04555910
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044C5990	11_2_044C5990
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04577A46	11_2_04577A46
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457FA49	11_2_0457FA49
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04533A6C	11_2_04533A6C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0456DAC6	11_2_0456DAC6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04561AA3	11_2_04561AA3
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0455DAAC	11_2_0455DAAC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_0457FB76	11_2_0457FB76
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_04535BF0	11_2_04535BF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044FDBF9	11_2_044FDBF9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044DFB80	11_2_044DFB80
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BD576	11_2_024BD576
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BE584	11_2_024BE584
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BD82E	11_2_024BD82E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BD952	11_2_024BD952
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024A9E5B	11_2_024A9E5B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024A9E60	11_2_024A9E60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024A2FB0	11_2_024A2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024A2D90	11_2_024A2D90
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042AA036	11_2_042AA036
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042A2D02	11_2_042A2D02
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042AE5CD	11_2_042AE5CD
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042A8912	11_2_042A8912
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042AB232	11_2_042AB232
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042A5B32	11_2_042A5B32
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_042A5B30	11_2_042A5B30

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: String function: 01B77E54 appears 84 times
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: String function: 01BAF290 appears 90 times
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: String function: 01B65130 appears 49 times
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: String function: 01B9EA12 appears 69 times
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: String function: 01B1B970 appears 174 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 04507E54 appears 93 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 044AB970 appears 210 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 044F5130 appears 53 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0453F290 appears 98 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0009554A appears 40 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 000965D7 appears 33 times
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: String function: 0452EA12 appears 76 times

Source: 0xHPSESJcg.exe, 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000000.00000000.863749867.00000000009BE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekCe.exeF vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000000.00000002.920059656.0000000007AF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekCe.exeF vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000000.00000002.913323715.0000000005410000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000000.00000002.893440066.0000000000E4E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000000.00000002.903478477.0000000003C6B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000000.00000002.920856610.000000000B340000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000007.00000002.959266247.0000000001509000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000007.00000002.959505826.0000000001517000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000007.00000002.960252755.0000000001C1D000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe, 00000007.00000002.959505826.0000000001535000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCMMON32.exe` vs 0xHPSESJcg.exe
Source: 0xHPSESJcg.exe	Binary or memory string: OriginalFilenamekCe.exeF vs 0xHPSESJcg.exe

Source: 0xHPSESJcg.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 0xHPSESJcg.exe PID: 7124, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 0xHPSESJcg.exe PID: 6652, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmmon32.exe PID: 7264, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 7412, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 0xHPSESJcg.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TlUVldLSnDvyT.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, ec4ftue8IIXandOGoQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, ec4ftue8IIXandOGoQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, ec4ftue8IIXandOGoQ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, xjY5tsgJpEuvOWI0r5.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, xjY5tsgJpEuvOWI0r5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, ec4ftue8IIXandOGoQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, ec4ftue8IIXandOGoQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, ec4ftue8IIXandOGoQ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, xjY5tsgJpEuvOWI0r5.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, xjY5tsgJpEuvOWI0r5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, xjY5tsgJpEuvOWI0r5.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, xjY5tsgJpEuvOWI0r5.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, ec4ftue8IIXandOGoQ.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, ec4ftue8IIXandOGoQ.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, ec4ftue8IIXandOGoQ.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@162/17@11/4

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

File created: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1480:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6424:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1116:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7464:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

File created: C:\Users\user\AppData\Local\Temp\tmp806A.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\cmmon32.exe

Command line argument: @s

11_2_00097290

Source: 0xHPSESJcg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0xHPSESJcg.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0xHPSESJcg.exe	Virustotal: Detection: 77%
Source: 0xHPSESJcg.exe	ReversingLabs: Detection: 71%

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

File read: C:\Users\user\Desktop\0xHPSESJcg.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0xHPSESJcg.exe "C:\Users\user\Desktop\0xHPSESJcg.exe"
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Users\user\Desktop\0xHPSESJcg.exe "C:\Users\user\Desktop\0xHPSESJcg.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp95B8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process created: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process created: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\0xHPSESJcg.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Users\user\Desktop\0xHPSESJcg.exe "C:\Users\user\Desktop\0xHPSESJcg.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmmon32.exe "C:\Windows\SysWOW64\cmmon32.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp95B8.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process created: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process created: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\0xHPSESJcg.exe"

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 0xHPSESJcg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 0xHPSESJcg.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 0xHPSESJcg.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cmstp.pdbGCTL source: TlUVldLSnDvyT.exe, 0000000F.00000002.975329163.0000000000C18000.00000004.00000020.00020000.00000000.sdmp, TlUVldLSnDvyT.exe, 0000000F.00000002.978137337.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000011.00000002.978393520.0000000000F70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdb source: 0xHPSESJcg.exe, 00000007.00000002.959266247.0000000001500000.00000040.10000000.00040000.00000000.sdmp, 0xHPSESJcg.exe, 00000007.00000002.959505826.0000000001517000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000B.00000002.3341220811.0000000000090000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmmon32.pdbGCTL source: 0xHPSESJcg.exe, 00000007.00000002.959266247.0000000001500000.00000040.10000000.00040000.00000000.sdmp, 0xHPSESJcg.exe, 00000007.00000002.959505826.0000000001517000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3341220811.0000000000090000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: 0xHPSESJcg.exe, 00000007.00000002.960252755.0000000001AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.958993972.000000000411A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3343505636.000000000461E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.961393269.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3343505636.0000000004480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.978446913.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.976943572.0000000004A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.974848862.00000000048B6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.978446913.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 0xHPSESJcg.exe, 0xHPSESJcg.exe, 00000007.00000002.960252755.0000000001AF0000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000B.00000003.958993972.000000000411A000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3343505636.000000000461E000.00000040.00001000.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000003.961393269.00000000042CC000.00000004.00000020.00020000.00000000.sdmp, cmmon32.exe, 0000000B.00000002.3343505636.0000000004480000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.978446913.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.976943572.0000000004A66000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.974848862.00000000048B6000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.978446913.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: TlUVldLSnDvyT.exe, 0000000F.00000002.975329163.0000000000C18000.00000004.00000020.00020000.00000000.sdmp, TlUVldLSnDvyT.exe, 0000000F.00000002.978137337.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, cmstp.exe, 00000011.00000002.978393520.0000000000F70000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: kCe.pdb source: 0xHPSESJcg.exe, TlUVldLSnDvyT.exe.0.dr
Source:	Binary string: kCe.pdbSHA256 source: 0xHPSESJcg.exe, TlUVldLSnDvyT.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, ec4ftue8IIXandOGoQ.cs	.Net Code: Q5NwbtSacs System.Reflection.Assembly.Load(byte[])
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, ec4ftue8IIXandOGoQ.cs	.Net Code: Q5NwbtSacs System.Reflection.Assembly.Load(byte[])
Source: 0.2.0xHPSESJcg.exe.5410000.3.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, ec4ftue8IIXandOGoQ.cs	.Net Code: Q5NwbtSacs System.Reflection.Assembly.Load(byte[])
Source: 0.2.0xHPSESJcg.exe.3c6b390.0.raw.unpack, RK.cs	.Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041F040 push esi; ret	7_2_0041F041
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041E9F7 push ebx; ret	7_2_0041EA35
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041EA51 push ebx; ret	7_2_0041EA35
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041AB96 pushfd ; retf	7_2_0041AB9A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041D4D2 push eax; ret	7_2_0041D4D8
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041D4DB push eax; ret	7_2_0041D542
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041D485 push eax; ret	7_2_0041D4D8
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041C495 push 0000005Ah; iretd	7_2_0041C498
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041E551 push ss; ret	7_2_0041E553
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_0041D53C push eax; ret	7_2_0041D542
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_004165A6 push C82E53DBh; ret	7_2_004165AE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B209AD push ecx; mov dword ptr [esp], ecx	7_2_01B209B6
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF789B5 push esp; retn 0000h	8_2_0DF78AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF78B1E push esp; retn 0000h	8_2_0DF78B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF78B02 push esp; retn 0000h	8_2_0DF78B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1B1B1E push esp; retn 0000h	8_2_0E1B1B1F
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1B1B02 push esp; retn 0000h	8_2_0E1B1B03
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1B19B5 push esp; retn 0000h	8_2_0E1B1AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_104F59B5 push esp; retn 0000h	8_2_104F5AE7
Source: C:\Windows\explorer.exe	Code function: 8_2_104F5B02 push esp; retn 0000h	8_2_104F5B03
Source: C:\Windows\explorer.exe	Code function: 8_2_104F5B1E push esp; retn 0000h	8_2_104F5B1F
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0748A7E8 pushfd ; retf	9_2_0748A7E9
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_0748F451 pushad ; iretd	9_2_0748F45D
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_07489E01 push esp; ret	9_2_07489E0D
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Code function: 9_2_07489A68 push eax; ret	9_2_07489A69
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_000974CD push ecx; ret	11_2_000974E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_044B09AD push ecx; mov dword ptr [esp], ecx	11_2_044B09B6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BF040 push esi; ret	11_2_024BF041
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BE1A1 push 00000006h; ret	11_2_024BE1A8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BD4DB push eax; ret	11_2_024BD542
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_024BD4D2 push eax; ret	11_2_024BD4D8

Source: 0xHPSESJcg.exe	Static PE information: section name: .text entropy: 7.692917465704789
Source: TlUVldLSnDvyT.exe.0.dr	Static PE information: section name: .text entropy: 7.692917465704789

Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, ePoNabhwxjeD04oPN1.cs	High entropy of concatenated method names: 'BV2tFvSWUk', 'L0ntajn9W0', 'WpGttyEayy', 'f13tNDTnTe', 'lO6tLsRY4m', 'j9wtK6ebkc', 'Dispose', 'foau3KAsyD', 'MRtuQEtgqt', 'A4FuEZohkZ'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, xjY5tsgJpEuvOWI0r5.cs	High entropy of concatenated method names: 'dZ0Qk2xhap', 'gflQv50ngI', 'qNwQXPLuQa', 'LeiQxLqWCZ', 'r70QjLa9hX', 'JvgQB2l1k3', 'd3cQh0AHqv', 'NvhQSUGT8b', 'iHSQH9jqA5', 'tJTQoLVksM'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, XnVLEcQsP6thHRA4x6.cs	High entropy of concatenated method names: 'Dispose', 'UeDUH04oPN', 'KonAO2XkZ1', 'n2WugkG3ww', 'jMjUod7hvy', 'IXyUz95V0M', 'ProcessDialogKey', 'b1fATiG3Q3', 'pp7AUEf7l9', 'fYwAAx306s'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, FU8iofBhWhVRHV2fTQ.cs	High entropy of concatenated method names: 'tTtaSnQLsB', 'TJbaoTZVFq', 'FiCuTdtIct', 'ssJuUNeFG8', 'WdmadKcvb1', 'tlEaRVKikW', 'rGrarKcYGh', 'nhTakRlFEP', 'T6HavgTCol', 'q2waX64MkL'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, T306sOo706YuwYlZNS.cs	High entropy of concatenated method names: 'qffcE0uJva', 'QW3cYVcKZl', 'W4oc1hcLLW', 'tMdci7gGTB', 'SAbct8lHiC', 'rt0ceqTbHL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, eBM81bUTq2fSYn0FGaa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fXjcdcWHxQ', 's4kcRFBR5k', 'C3vcrKNYZ2', 'E8jck5Xiv5', 'vKZcv1a96f', 'p14cXv4fYw', 'hO1cxd48Ij'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, IiG3Q3H4p7Ef7l93Yw.cs	High entropy of concatenated method names: 'DentPvwyOc', 'woBtOU00q5', 'rZMtfbxL2P', 'M2ctZumqLy', 'M7Ut2LONK8', 'kpZt9kKOqR', 'tsntM08vAB', 'k4Gt6SOAEy', 'YdktITxRWO', 'SOitGLRgBv'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, R8kbtSOLIo7gFbiZLW.cs	High entropy of concatenated method names: 'Rx8ZPFLJjXFGnkuTsvK', 'VQvwi5LdX4ZF3hiqCvb', 'Pxj1uiHn2E', 'oRa1tBZg2s', 'QbM1c01SgY', 'NpIWpdL8wQ06ADRs5TU', 'Sn1t66LFW1aIP7PouDE'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, afKioAUUaSD6a8vOOSE.cs	High entropy of concatenated method names: 'noCcoFPpYL', 'e3VczGTH76', 'b26NTGXiDh', 'VMhNUMAhOp', 'FHSNAFfXbl', 'RgyN8T5wuJ', 'Ow7NwokUHh', 'k3rNsDZG4q', 'qJLN3bAPdF', 'DX9NQjL6oL'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, wnMUhHkPZRqZT0wTL2.cs	High entropy of concatenated method names: 'E2cFGgD786', 'Vf1FRwkTLn', 'U0IFkdnKlK', 'ABKFv9PjtL', 'NbIFOR6VH6', 'OYTFfNjRqG', 'vxJFZvff16', 'sP0F2F9pbs', 'ubOF9sXmvT', 'IKhFMsE7PW'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, vXepX4wIR4HKkjSCdI.cs	High entropy of concatenated method names: 'FNyUijY5ts', 'FpEUeuvOWI', 'WxIUmG5GOO', 'KbxUCtT06j', 'VaLUFe4GUJ', 'yJpU4Hxdg0', 'aTRHdjcHFvFGZ9AfDu', 'qSMBYCscsWTDvccKWW', 'eSqUUMlcjD', 'K1uU8bSF1i'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, NUJlJpPHxdg0bDWWxf.cs	High entropy of concatenated method names: 'wv31sVHR1S', 'siP1QdFrRY', 'Nb01YI2UMP', 'rA21ieoNtC', 'GA31ecdWfF', 'RRZYjUarq1', 'CXsYBJCJss', 'uPMYhCoCJW', 'Jl5YS1dksc', 'pRgYHjgvRK'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, PcwYn4XeY4dax4ND1Q.cs	High entropy of concatenated method names: 'ToString', 'mXc4dhTVSP', 'WQa4OBBK8t', 'MDV4f6mn5O', 'VVd4ZFFv2Z', 'g3N42bQqHN', 'odD49Kp3XO', 'OBJ4MFSwB6', 'n5X46sUPQl', 'N4L4I2Q7cf'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, j46fliEa27bEfBEXyg.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PRfAH837Hh', 'GgOAo9mXiK', 'INTAz9iSYP', 'upn8T5tRhZ', 'ahR8UALoLM', 'pXT8A43yRQ', 'L0O88FEFfJ', 'bE1joKYD5Ma1IauJQu7'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, jthBtMrmnvsAWE1Vjq.cs	High entropy of concatenated method names: 'YZ2DgHek5H', 'PehDneGwFr', 'PnWDPZqpDb', 'cEBDOSEbxF', 'MOIDZvu58d', 'fwkD2NpO3s', 'nDpDMW9abb', 'UygD6YQZit', 'CSeDGVc60c', 'J4lDd1NgWe'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, dyJpb8z1Hvqk9Sc34F.cs	High entropy of concatenated method names: 'C2UcWEMlZ5', 'uPVcgYcVZS', 'lmmcnNRW3k', 'ts3cPLgfPr', 'uRCcOZVXCZ', 'LxacZvhp9p', 'oUxc2LKb8S', 'EbncKv9O2a', 'bRTcy5uV9V', 's5nclg31jC'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, tMhxqyMcGIwFctRCXQ.cs	High entropy of concatenated method names: 'p0Ni361d1e', 'yfViEoiLsm', 'jfOi1tUKhL', 'lUk1oTZASu', 'mCV1zMvWXw', 'RMIiTWr1xd', 'pCFiUKQyfs', 'SmUiAXHmRq', 'VQEi8u10aO', 'dk7iw4PUXw'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, a06jNoJSyTErBBaLe4.cs	High entropy of concatenated method names: 'HHiY7mvasd', 'jdcYpKCMon', 'BD9EfH3y61', 'q9xEZp4wtQ', 'GtTE2RsmNu', 'YJSE9Lh8PB', 'lxhEMM694S', 'DbTE6q0JjF', 'jbGEInAO0F', 'LmmEGhneqU'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, vKtyvSnxIG5GOO9bxt.cs	High entropy of concatenated method names: 'S4vEqcyfe6', 'MnCEWwbqec', 'vLWEgOauOX', 'zdcEn4yHNW', 'e2MEF9qIna', 'wmXE4lJ7FP', 'QP1EaeD8b9', 'zx0EunVMXC', 'a8BEtYcXOw', 'LUPEcVcAEK'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, MTV8feUwEMNhHG1eEeO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fwDVtl9TYl', 'SuQVc2VxxL', 'fZKVNkcYq6', 'eOwVVRW5pR', 'RsyVLhX7Nm', 'rJTV00uQLh', 'bFBVKCjDkI'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, ec4ftue8IIXandOGoQ.cs	High entropy of concatenated method names: 'x6f8sUH6LR', 'Cxa83aDYi2', 'mWs8QqYyPq', 'Bp58EeUdNO', 'RiS8YSOAt2', 'hge81lLpp3', 'BHb8i25dtf', 'v3r8erjXid', 'FAK85dfFtX', 'UKc8mfLrQK'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, C04T2CUAYJ37edhIFiZ.cs	High entropy of concatenated method names: 'ToString', 'PQKNgc5ML4', 'hgGNnVd56B', 'FVJNJduf9y', 'kYUNPkI9TY', 'FLINOnf02r', 'f9jNfRvi0b', 'G4jNZeXDNt', 'YA9ZSJDwFjLkPlsrwal', 'ic6bwIDXBgYOeopGKFn'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, VMTgsxAj81wacqbiYp.cs	High entropy of concatenated method names: 'XjHbl5cty', 'xXOq9wdeg', 'HBBWKSBbi', 'uVwpf36kp', 'j7DntZeUD', 'tfMJCYbwl', 'FijcX4Mg2RJbf8BhUv', 'timDWeGmJFVXMRH6bg', 'JaQuaA8iB', 'VDWcHjph5'
Source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, S76RXcIa9XsOaNXm6w.cs	High entropy of concatenated method names: 'siCiyuUVuk', 'pAuiltLIMI', 'w0CibxDEjq', 'veZiqNi9L8', 'JaPi7oUuvR', 'VsoiWvAGvp', 'asFipOfRMQ', 'eP5igjDXFI', 'IYtinVTbdy', 'Uw1iJXTmSZ'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, ePoNabhwxjeD04oPN1.cs	High entropy of concatenated method names: 'BV2tFvSWUk', 'L0ntajn9W0', 'WpGttyEayy', 'f13tNDTnTe', 'lO6tLsRY4m', 'j9wtK6ebkc', 'Dispose', 'foau3KAsyD', 'MRtuQEtgqt', 'A4FuEZohkZ'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, xjY5tsgJpEuvOWI0r5.cs	High entropy of concatenated method names: 'dZ0Qk2xhap', 'gflQv50ngI', 'qNwQXPLuQa', 'LeiQxLqWCZ', 'r70QjLa9hX', 'JvgQB2l1k3', 'd3cQh0AHqv', 'NvhQSUGT8b', 'iHSQH9jqA5', 'tJTQoLVksM'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, XnVLEcQsP6thHRA4x6.cs	High entropy of concatenated method names: 'Dispose', 'UeDUH04oPN', 'KonAO2XkZ1', 'n2WugkG3ww', 'jMjUod7hvy', 'IXyUz95V0M', 'ProcessDialogKey', 'b1fATiG3Q3', 'pp7AUEf7l9', 'fYwAAx306s'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, FU8iofBhWhVRHV2fTQ.cs	High entropy of concatenated method names: 'tTtaSnQLsB', 'TJbaoTZVFq', 'FiCuTdtIct', 'ssJuUNeFG8', 'WdmadKcvb1', 'tlEaRVKikW', 'rGrarKcYGh', 'nhTakRlFEP', 'T6HavgTCol', 'q2waX64MkL'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, T306sOo706YuwYlZNS.cs	High entropy of concatenated method names: 'qffcE0uJva', 'QW3cYVcKZl', 'W4oc1hcLLW', 'tMdci7gGTB', 'SAbct8lHiC', 'rt0ceqTbHL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, eBM81bUTq2fSYn0FGaa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fXjcdcWHxQ', 's4kcRFBR5k', 'C3vcrKNYZ2', 'E8jck5Xiv5', 'vKZcv1a96f', 'p14cXv4fYw', 'hO1cxd48Ij'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, IiG3Q3H4p7Ef7l93Yw.cs	High entropy of concatenated method names: 'DentPvwyOc', 'woBtOU00q5', 'rZMtfbxL2P', 'M2ctZumqLy', 'M7Ut2LONK8', 'kpZt9kKOqR', 'tsntM08vAB', 'k4Gt6SOAEy', 'YdktITxRWO', 'SOitGLRgBv'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, R8kbtSOLIo7gFbiZLW.cs	High entropy of concatenated method names: 'Rx8ZPFLJjXFGnkuTsvK', 'VQvwi5LdX4ZF3hiqCvb', 'Pxj1uiHn2E', 'oRa1tBZg2s', 'QbM1c01SgY', 'NpIWpdL8wQ06ADRs5TU', 'Sn1t66LFW1aIP7PouDE'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, afKioAUUaSD6a8vOOSE.cs	High entropy of concatenated method names: 'noCcoFPpYL', 'e3VczGTH76', 'b26NTGXiDh', 'VMhNUMAhOp', 'FHSNAFfXbl', 'RgyN8T5wuJ', 'Ow7NwokUHh', 'k3rNsDZG4q', 'qJLN3bAPdF', 'DX9NQjL6oL'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, wnMUhHkPZRqZT0wTL2.cs	High entropy of concatenated method names: 'E2cFGgD786', 'Vf1FRwkTLn', 'U0IFkdnKlK', 'ABKFv9PjtL', 'NbIFOR6VH6', 'OYTFfNjRqG', 'vxJFZvff16', 'sP0F2F9pbs', 'ubOF9sXmvT', 'IKhFMsE7PW'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, vXepX4wIR4HKkjSCdI.cs	High entropy of concatenated method names: 'FNyUijY5ts', 'FpEUeuvOWI', 'WxIUmG5GOO', 'KbxUCtT06j', 'VaLUFe4GUJ', 'yJpU4Hxdg0', 'aTRHdjcHFvFGZ9AfDu', 'qSMBYCscsWTDvccKWW', 'eSqUUMlcjD', 'K1uU8bSF1i'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, NUJlJpPHxdg0bDWWxf.cs	High entropy of concatenated method names: 'wv31sVHR1S', 'siP1QdFrRY', 'Nb01YI2UMP', 'rA21ieoNtC', 'GA31ecdWfF', 'RRZYjUarq1', 'CXsYBJCJss', 'uPMYhCoCJW', 'Jl5YS1dksc', 'pRgYHjgvRK'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, PcwYn4XeY4dax4ND1Q.cs	High entropy of concatenated method names: 'ToString', 'mXc4dhTVSP', 'WQa4OBBK8t', 'MDV4f6mn5O', 'VVd4ZFFv2Z', 'g3N42bQqHN', 'odD49Kp3XO', 'OBJ4MFSwB6', 'n5X46sUPQl', 'N4L4I2Q7cf'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, j46fliEa27bEfBEXyg.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PRfAH837Hh', 'GgOAo9mXiK', 'INTAz9iSYP', 'upn8T5tRhZ', 'ahR8UALoLM', 'pXT8A43yRQ', 'L0O88FEFfJ', 'bE1joKYD5Ma1IauJQu7'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, jthBtMrmnvsAWE1Vjq.cs	High entropy of concatenated method names: 'YZ2DgHek5H', 'PehDneGwFr', 'PnWDPZqpDb', 'cEBDOSEbxF', 'MOIDZvu58d', 'fwkD2NpO3s', 'nDpDMW9abb', 'UygD6YQZit', 'CSeDGVc60c', 'J4lDd1NgWe'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, dyJpb8z1Hvqk9Sc34F.cs	High entropy of concatenated method names: 'C2UcWEMlZ5', 'uPVcgYcVZS', 'lmmcnNRW3k', 'ts3cPLgfPr', 'uRCcOZVXCZ', 'LxacZvhp9p', 'oUxc2LKb8S', 'EbncKv9O2a', 'bRTcy5uV9V', 's5nclg31jC'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, tMhxqyMcGIwFctRCXQ.cs	High entropy of concatenated method names: 'p0Ni361d1e', 'yfViEoiLsm', 'jfOi1tUKhL', 'lUk1oTZASu', 'mCV1zMvWXw', 'RMIiTWr1xd', 'pCFiUKQyfs', 'SmUiAXHmRq', 'VQEi8u10aO', 'dk7iw4PUXw'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, a06jNoJSyTErBBaLe4.cs	High entropy of concatenated method names: 'HHiY7mvasd', 'jdcYpKCMon', 'BD9EfH3y61', 'q9xEZp4wtQ', 'GtTE2RsmNu', 'YJSE9Lh8PB', 'lxhEMM694S', 'DbTE6q0JjF', 'jbGEInAO0F', 'LmmEGhneqU'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, vKtyvSnxIG5GOO9bxt.cs	High entropy of concatenated method names: 'S4vEqcyfe6', 'MnCEWwbqec', 'vLWEgOauOX', 'zdcEn4yHNW', 'e2MEF9qIna', 'wmXE4lJ7FP', 'QP1EaeD8b9', 'zx0EunVMXC', 'a8BEtYcXOw', 'LUPEcVcAEK'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, MTV8feUwEMNhHG1eEeO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fwDVtl9TYl', 'SuQVc2VxxL', 'fZKVNkcYq6', 'eOwVVRW5pR', 'RsyVLhX7Nm', 'rJTV00uQLh', 'bFBVKCjDkI'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, ec4ftue8IIXandOGoQ.cs	High entropy of concatenated method names: 'x6f8sUH6LR', 'Cxa83aDYi2', 'mWs8QqYyPq', 'Bp58EeUdNO', 'RiS8YSOAt2', 'hge81lLpp3', 'BHb8i25dtf', 'v3r8erjXid', 'FAK85dfFtX', 'UKc8mfLrQK'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, C04T2CUAYJ37edhIFiZ.cs	High entropy of concatenated method names: 'ToString', 'PQKNgc5ML4', 'hgGNnVd56B', 'FVJNJduf9y', 'kYUNPkI9TY', 'FLINOnf02r', 'f9jNfRvi0b', 'G4jNZeXDNt', 'YA9ZSJDwFjLkPlsrwal', 'ic6bwIDXBgYOeopGKFn'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, VMTgsxAj81wacqbiYp.cs	High entropy of concatenated method names: 'XjHbl5cty', 'xXOq9wdeg', 'HBBWKSBbi', 'uVwpf36kp', 'j7DntZeUD', 'tfMJCYbwl', 'FijcX4Mg2RJbf8BhUv', 'timDWeGmJFVXMRH6bg', 'JaQuaA8iB', 'VDWcHjph5'
Source: 0.2.0xHPSESJcg.exe.b340000.4.raw.unpack, S76RXcIa9XsOaNXm6w.cs	High entropy of concatenated method names: 'siCiyuUVuk', 'pAuiltLIMI', 'w0CibxDEjq', 'veZiqNi9L8', 'JaPi7oUuvR', 'VsoiWvAGvp', 'asFipOfRMQ', 'eP5igjDXFI', 'IYtinVTbdy', 'Uw1iJXTmSZ'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, ePoNabhwxjeD04oPN1.cs	High entropy of concatenated method names: 'BV2tFvSWUk', 'L0ntajn9W0', 'WpGttyEayy', 'f13tNDTnTe', 'lO6tLsRY4m', 'j9wtK6ebkc', 'Dispose', 'foau3KAsyD', 'MRtuQEtgqt', 'A4FuEZohkZ'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, xjY5tsgJpEuvOWI0r5.cs	High entropy of concatenated method names: 'dZ0Qk2xhap', 'gflQv50ngI', 'qNwQXPLuQa', 'LeiQxLqWCZ', 'r70QjLa9hX', 'JvgQB2l1k3', 'd3cQh0AHqv', 'NvhQSUGT8b', 'iHSQH9jqA5', 'tJTQoLVksM'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, XnVLEcQsP6thHRA4x6.cs	High entropy of concatenated method names: 'Dispose', 'UeDUH04oPN', 'KonAO2XkZ1', 'n2WugkG3ww', 'jMjUod7hvy', 'IXyUz95V0M', 'ProcessDialogKey', 'b1fATiG3Q3', 'pp7AUEf7l9', 'fYwAAx306s'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, FU8iofBhWhVRHV2fTQ.cs	High entropy of concatenated method names: 'tTtaSnQLsB', 'TJbaoTZVFq', 'FiCuTdtIct', 'ssJuUNeFG8', 'WdmadKcvb1', 'tlEaRVKikW', 'rGrarKcYGh', 'nhTakRlFEP', 'T6HavgTCol', 'q2waX64MkL'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, T306sOo706YuwYlZNS.cs	High entropy of concatenated method names: 'qffcE0uJva', 'QW3cYVcKZl', 'W4oc1hcLLW', 'tMdci7gGTB', 'SAbct8lHiC', 'rt0ceqTbHL', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, eBM81bUTq2fSYn0FGaa.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fXjcdcWHxQ', 's4kcRFBR5k', 'C3vcrKNYZ2', 'E8jck5Xiv5', 'vKZcv1a96f', 'p14cXv4fYw', 'hO1cxd48Ij'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, IiG3Q3H4p7Ef7l93Yw.cs	High entropy of concatenated method names: 'DentPvwyOc', 'woBtOU00q5', 'rZMtfbxL2P', 'M2ctZumqLy', 'M7Ut2LONK8', 'kpZt9kKOqR', 'tsntM08vAB', 'k4Gt6SOAEy', 'YdktITxRWO', 'SOitGLRgBv'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, R8kbtSOLIo7gFbiZLW.cs	High entropy of concatenated method names: 'Rx8ZPFLJjXFGnkuTsvK', 'VQvwi5LdX4ZF3hiqCvb', 'Pxj1uiHn2E', 'oRa1tBZg2s', 'QbM1c01SgY', 'NpIWpdL8wQ06ADRs5TU', 'Sn1t66LFW1aIP7PouDE'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, afKioAUUaSD6a8vOOSE.cs	High entropy of concatenated method names: 'noCcoFPpYL', 'e3VczGTH76', 'b26NTGXiDh', 'VMhNUMAhOp', 'FHSNAFfXbl', 'RgyN8T5wuJ', 'Ow7NwokUHh', 'k3rNsDZG4q', 'qJLN3bAPdF', 'DX9NQjL6oL'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, wnMUhHkPZRqZT0wTL2.cs	High entropy of concatenated method names: 'E2cFGgD786', 'Vf1FRwkTLn', 'U0IFkdnKlK', 'ABKFv9PjtL', 'NbIFOR6VH6', 'OYTFfNjRqG', 'vxJFZvff16', 'sP0F2F9pbs', 'ubOF9sXmvT', 'IKhFMsE7PW'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, vXepX4wIR4HKkjSCdI.cs	High entropy of concatenated method names: 'FNyUijY5ts', 'FpEUeuvOWI', 'WxIUmG5GOO', 'KbxUCtT06j', 'VaLUFe4GUJ', 'yJpU4Hxdg0', 'aTRHdjcHFvFGZ9AfDu', 'qSMBYCscsWTDvccKWW', 'eSqUUMlcjD', 'K1uU8bSF1i'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, NUJlJpPHxdg0bDWWxf.cs	High entropy of concatenated method names: 'wv31sVHR1S', 'siP1QdFrRY', 'Nb01YI2UMP', 'rA21ieoNtC', 'GA31ecdWfF', 'RRZYjUarq1', 'CXsYBJCJss', 'uPMYhCoCJW', 'Jl5YS1dksc', 'pRgYHjgvRK'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, PcwYn4XeY4dax4ND1Q.cs	High entropy of concatenated method names: 'ToString', 'mXc4dhTVSP', 'WQa4OBBK8t', 'MDV4f6mn5O', 'VVd4ZFFv2Z', 'g3N42bQqHN', 'odD49Kp3XO', 'OBJ4MFSwB6', 'n5X46sUPQl', 'N4L4I2Q7cf'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, j46fliEa27bEfBEXyg.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'PRfAH837Hh', 'GgOAo9mXiK', 'INTAz9iSYP', 'upn8T5tRhZ', 'ahR8UALoLM', 'pXT8A43yRQ', 'L0O88FEFfJ', 'bE1joKYD5Ma1IauJQu7'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, jthBtMrmnvsAWE1Vjq.cs	High entropy of concatenated method names: 'YZ2DgHek5H', 'PehDneGwFr', 'PnWDPZqpDb', 'cEBDOSEbxF', 'MOIDZvu58d', 'fwkD2NpO3s', 'nDpDMW9abb', 'UygD6YQZit', 'CSeDGVc60c', 'J4lDd1NgWe'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, dyJpb8z1Hvqk9Sc34F.cs	High entropy of concatenated method names: 'C2UcWEMlZ5', 'uPVcgYcVZS', 'lmmcnNRW3k', 'ts3cPLgfPr', 'uRCcOZVXCZ', 'LxacZvhp9p', 'oUxc2LKb8S', 'EbncKv9O2a', 'bRTcy5uV9V', 's5nclg31jC'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, tMhxqyMcGIwFctRCXQ.cs	High entropy of concatenated method names: 'p0Ni361d1e', 'yfViEoiLsm', 'jfOi1tUKhL', 'lUk1oTZASu', 'mCV1zMvWXw', 'RMIiTWr1xd', 'pCFiUKQyfs', 'SmUiAXHmRq', 'VQEi8u10aO', 'dk7iw4PUXw'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, a06jNoJSyTErBBaLe4.cs	High entropy of concatenated method names: 'HHiY7mvasd', 'jdcYpKCMon', 'BD9EfH3y61', 'q9xEZp4wtQ', 'GtTE2RsmNu', 'YJSE9Lh8PB', 'lxhEMM694S', 'DbTE6q0JjF', 'jbGEInAO0F', 'LmmEGhneqU'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, vKtyvSnxIG5GOO9bxt.cs	High entropy of concatenated method names: 'S4vEqcyfe6', 'MnCEWwbqec', 'vLWEgOauOX', 'zdcEn4yHNW', 'e2MEF9qIna', 'wmXE4lJ7FP', 'QP1EaeD8b9', 'zx0EunVMXC', 'a8BEtYcXOw', 'LUPEcVcAEK'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, MTV8feUwEMNhHG1eEeO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fwDVtl9TYl', 'SuQVc2VxxL', 'fZKVNkcYq6', 'eOwVVRW5pR', 'RsyVLhX7Nm', 'rJTV00uQLh', 'bFBVKCjDkI'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, ec4ftue8IIXandOGoQ.cs	High entropy of concatenated method names: 'x6f8sUH6LR', 'Cxa83aDYi2', 'mWs8QqYyPq', 'Bp58EeUdNO', 'RiS8YSOAt2', 'hge81lLpp3', 'BHb8i25dtf', 'v3r8erjXid', 'FAK85dfFtX', 'UKc8mfLrQK'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, C04T2CUAYJ37edhIFiZ.cs	High entropy of concatenated method names: 'ToString', 'PQKNgc5ML4', 'hgGNnVd56B', 'FVJNJduf9y', 'kYUNPkI9TY', 'FLINOnf02r', 'f9jNfRvi0b', 'G4jNZeXDNt', 'YA9ZSJDwFjLkPlsrwal', 'ic6bwIDXBgYOeopGKFn'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, VMTgsxAj81wacqbiYp.cs	High entropy of concatenated method names: 'XjHbl5cty', 'xXOq9wdeg', 'HBBWKSBbi', 'uVwpf36kp', 'j7DntZeUD', 'tfMJCYbwl', 'FijcX4Mg2RJbf8BhUv', 'timDWeGmJFVXMRH6bg', 'JaQuaA8iB', 'VDWcHjph5'
Source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, S76RXcIa9XsOaNXm6w.cs	High entropy of concatenated method names: 'siCiyuUVuk', 'pAuiltLIMI', 'w0CibxDEjq', 'veZiqNi9L8', 'JaPi7oUuvR', 'VsoiWvAGvp', 'asFipOfRMQ', 'eP5igjDXFI', 'IYtinVTbdy', 'Uw1iJXTmSZ'

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

File created: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 0xHPSESJcg.exe PID: 7124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TlUVldLSnDvyT.exe PID: 1324, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	API/Special instruction interceptor: Address: 7FFA424ED324
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	API/Special instruction interceptor: Address: 7FFA424F0774
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	API/Special instruction interceptor: Address: 7FFA424F0154
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	API/Special instruction interceptor: Address: 7FFA424ED8A4
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	API/Special instruction interceptor: Address: 7FFA424EDA44
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	API/Special instruction interceptor: Address: 7FFA424ED1E4
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	API/Special instruction interceptor: Address: 7FFA424ED324
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	API/Special instruction interceptor: Address: 7FFA424F0774
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	API/Special instruction interceptor: Address: 7FFA424F0154
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	API/Special instruction interceptor: Address: 7FFA424ED8A4
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	API/Special instruction interceptor: Address: 7FFA424EDA44
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	API/Special instruction interceptor: Address: 7FFA424ED1E4
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFA424ED324
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFA424F0774
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFA424ED944
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFA424ED504
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFA424ED544
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFA424ED1E4
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFA424F0154
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFA424ED8A4
Source: C:\Windows\SysWOW64\cmmon32.exe	API/Special instruction interceptor: Address: 7FFA424EDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 24A9904 second address: 24A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe	RDTSC instruction interceptor: First address: 24A9B7E second address: 24A9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: AB9904 second address: AB990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: AB9B7E second address: AB9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: 2C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: 4C20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: 8E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: 7050000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: 9E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: AE40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: B3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: C3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Memory allocated: D3C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: 2FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: 3040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: 5040000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: 8F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: 9F00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: A100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: B100000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: B6E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: C6E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Memory allocated: D6E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

Code function: 7_2_00409AB0 rdtsc

7_2_00409AB0

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5222	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7711	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9800	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 896	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 855	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Window / User API: threadDelayed 1174
Source: C:\Windows\SysWOW64\cmmon32.exe	Window / User API: threadDelayed 8796

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	API coverage: 2.1 %
Source: C:\Windows\SysWOW64\cmmon32.exe	API coverage: 2.0 %

Source: C:\Users\user\Desktop\0xHPSESJcg.exe TID: 6260	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6400	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6200	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2820	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7624	Thread sleep count: 140 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7624	Thread sleep time: -280000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7624	Thread sleep count: 9800 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7624	Thread sleep time: -19600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe TID: 6884	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7516	Thread sleep count: 1174 > 30
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7516	Thread sleep time: -2348000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7516	Thread sleep count: 8796 > 30
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 7516	Thread sleep time: -17592000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7784	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7844	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000008.00000003.3077940951.00000000095A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000008.00000002.3356205344.00000000092E4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904230904.00000000092E4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\input.inf_loc
Source: explorer.exe, 00000008.00000003.2663460243.0000000006EEF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTWiVMWare
Source: explorer.exe, 00000008.00000000.899659666.0000000002F3A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000008.00000000.904230904.00000000092A0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3356205344.00000000092A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AV Generation Countersc%;Microsoft Hyper-V Generation Counter
Source: explorer.exe, 00000008.00000002.3356205344.0000000009433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.3356205344.00000000093E1000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904230904.0000000009433000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.904230904.00000000093E1000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000015.00000002.2873141283.000001411DC57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000008.00000003.2658791867.0000000009650000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}AppData
Source: explorer.exe, 00000008.00000000.899659666.0000000002F3A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000008.00000000.899659666.0000000002F3A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000008.00000003.2666099302.0000000009552000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000003.3077940951.00000000095A8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00}g
Source: explorer.exe, 00000008.00000000.899659666.0000000002F3A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: svchost.exe, 00000015.00000002.2872311570.000001411862B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: explorer.exe, 00000008.00000002.3342496944.0000000000875000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000008.00000002.3356875130.000000000958D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000008.00000003.2660517561.0000000009650000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000003.3078442033.0000000002F12000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

Code function: 7_2_00409AB0 rdtsc

7_2_00409AB0

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

Code function: 7_2_0040ACF0 LdrLoadDll,

7_2_0040ACF0

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF21AE mov eax, dword ptr fs:[00000030h]	7_2_01BF21AE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA019F mov eax, dword ptr fs:[00000030h]	7_2_01BA019F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA019F mov eax, dword ptr fs:[00000030h]	7_2_01BA019F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA019F mov eax, dword ptr fs:[00000030h]	7_2_01BA019F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA019F mov eax, dword ptr fs:[00000030h]	7_2_01BA019F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1A197 mov eax, dword ptr fs:[00000030h]	7_2_01B1A197
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1A197 mov eax, dword ptr fs:[00000030h]	7_2_01B1A197
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1A197 mov eax, dword ptr fs:[00000030h]	7_2_01B1A197
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B60185 mov eax, dword ptr fs:[00000030h]	7_2_01B60185
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDC188 mov eax, dword ptr fs:[00000030h]	7_2_01BDC188
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDC188 mov eax, dword ptr fs:[00000030h]	7_2_01BDC188
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC4180 mov eax, dword ptr fs:[00000030h]	7_2_01BC4180
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC4180 mov eax, dword ptr fs:[00000030h]	7_2_01BC4180
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B501F8 mov eax, dword ptr fs:[00000030h]	7_2_01B501F8
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF61E5 mov eax, dword ptr fs:[00000030h]	7_2_01BF61E5
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E1D0 mov eax, dword ptr fs:[00000030h]	7_2_01B9E1D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E1D0 mov eax, dword ptr fs:[00000030h]	7_2_01B9E1D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E1D0 mov ecx, dword ptr fs:[00000030h]	7_2_01B9E1D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E1D0 mov eax, dword ptr fs:[00000030h]	7_2_01B9E1D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E1D0 mov eax, dword ptr fs:[00000030h]	7_2_01B9E1D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE61C3 mov eax, dword ptr fs:[00000030h]	7_2_01BE61C3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE61C3 mov eax, dword ptr fs:[00000030h]	7_2_01BE61C3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B50124 mov eax, dword ptr fs:[00000030h]	7_2_01B50124
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCA118 mov ecx, dword ptr fs:[00000030h]	7_2_01BCA118
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCA118 mov eax, dword ptr fs:[00000030h]	7_2_01BCA118
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCA118 mov eax, dword ptr fs:[00000030h]	7_2_01BCA118
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCA118 mov eax, dword ptr fs:[00000030h]	7_2_01BCA118
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE0115 mov eax, dword ptr fs:[00000030h]	7_2_01BE0115
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov eax, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov ecx, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov eax, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov eax, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov ecx, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov eax, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov eax, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov ecx, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov eax, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE10E mov ecx, dword ptr fs:[00000030h]	7_2_01BCE10E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB8158 mov eax, dword ptr fs:[00000030h]	7_2_01BB8158
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26154 mov eax, dword ptr fs:[00000030h]	7_2_01B26154
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26154 mov eax, dword ptr fs:[00000030h]	7_2_01B26154
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1C156 mov eax, dword ptr fs:[00000030h]	7_2_01B1C156
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB4144 mov eax, dword ptr fs:[00000030h]	7_2_01BB4144
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB4144 mov eax, dword ptr fs:[00000030h]	7_2_01BB4144
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB4144 mov ecx, dword ptr fs:[00000030h]	7_2_01BB4144
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB4144 mov eax, dword ptr fs:[00000030h]	7_2_01BB4144
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB4144 mov eax, dword ptr fs:[00000030h]	7_2_01BB4144
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE60B8 mov eax, dword ptr fs:[00000030h]	7_2_01BE60B8
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE60B8 mov ecx, dword ptr fs:[00000030h]	7_2_01BE60B8
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB80A8 mov eax, dword ptr fs:[00000030h]	7_2_01BB80A8
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2208A mov eax, dword ptr fs:[00000030h]	7_2_01B2208A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1C0F0 mov eax, dword ptr fs:[00000030h]	7_2_01B1C0F0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B620F0 mov ecx, dword ptr fs:[00000030h]	7_2_01B620F0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1A0E3 mov ecx, dword ptr fs:[00000030h]	7_2_01B1A0E3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA60E0 mov eax, dword ptr fs:[00000030h]	7_2_01BA60E0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B280E9 mov eax, dword ptr fs:[00000030h]	7_2_01B280E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA20DE mov eax, dword ptr fs:[00000030h]	7_2_01BA20DE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB6030 mov eax, dword ptr fs:[00000030h]	7_2_01BB6030
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1A020 mov eax, dword ptr fs:[00000030h]	7_2_01B1A020
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1C020 mov eax, dword ptr fs:[00000030h]	7_2_01B1C020
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3E016 mov eax, dword ptr fs:[00000030h]	7_2_01B3E016
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3E016 mov eax, dword ptr fs:[00000030h]	7_2_01B3E016
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3E016 mov eax, dword ptr fs:[00000030h]	7_2_01B3E016
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3E016 mov eax, dword ptr fs:[00000030h]	7_2_01B3E016
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA4000 mov ecx, dword ptr fs:[00000030h]	7_2_01BA4000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC2000 mov eax, dword ptr fs:[00000030h]	7_2_01BC2000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC2000 mov eax, dword ptr fs:[00000030h]	7_2_01BC2000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC2000 mov eax, dword ptr fs:[00000030h]	7_2_01BC2000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC2000 mov eax, dword ptr fs:[00000030h]	7_2_01BC2000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC2000 mov eax, dword ptr fs:[00000030h]	7_2_01BC2000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC2000 mov eax, dword ptr fs:[00000030h]	7_2_01BC2000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC2000 mov eax, dword ptr fs:[00000030h]	7_2_01BC2000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC2000 mov eax, dword ptr fs:[00000030h]	7_2_01BC2000
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4C073 mov eax, dword ptr fs:[00000030h]	7_2_01B4C073
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B22050 mov eax, dword ptr fs:[00000030h]	7_2_01B22050
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA6050 mov eax, dword ptr fs:[00000030h]	7_2_01BA6050
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B18397 mov eax, dword ptr fs:[00000030h]	7_2_01B18397
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B18397 mov eax, dword ptr fs:[00000030h]	7_2_01B18397
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B18397 mov eax, dword ptr fs:[00000030h]	7_2_01B18397
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1E388 mov eax, dword ptr fs:[00000030h]	7_2_01B1E388
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1E388 mov eax, dword ptr fs:[00000030h]	7_2_01B1E388
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1E388 mov eax, dword ptr fs:[00000030h]	7_2_01B1E388
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4438F mov eax, dword ptr fs:[00000030h]	7_2_01B4438F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4438F mov eax, dword ptr fs:[00000030h]	7_2_01B4438F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3E3F0 mov eax, dword ptr fs:[00000030h]	7_2_01B3E3F0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3E3F0 mov eax, dword ptr fs:[00000030h]	7_2_01B3E3F0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3E3F0 mov eax, dword ptr fs:[00000030h]	7_2_01B3E3F0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B563FF mov eax, dword ptr fs:[00000030h]	7_2_01B563FF
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B303E9 mov eax, dword ptr fs:[00000030h]	7_2_01B303E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B303E9 mov eax, dword ptr fs:[00000030h]	7_2_01B303E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B303E9 mov eax, dword ptr fs:[00000030h]	7_2_01B303E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B303E9 mov eax, dword ptr fs:[00000030h]	7_2_01B303E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B303E9 mov eax, dword ptr fs:[00000030h]	7_2_01B303E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B303E9 mov eax, dword ptr fs:[00000030h]	7_2_01B303E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B303E9 mov eax, dword ptr fs:[00000030h]	7_2_01B303E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B303E9 mov eax, dword ptr fs:[00000030h]	7_2_01B303E9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE3DB mov eax, dword ptr fs:[00000030h]	7_2_01BCE3DB
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE3DB mov eax, dword ptr fs:[00000030h]	7_2_01BCE3DB
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE3DB mov ecx, dword ptr fs:[00000030h]	7_2_01BCE3DB
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCE3DB mov eax, dword ptr fs:[00000030h]	7_2_01BCE3DB
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC43D4 mov eax, dword ptr fs:[00000030h]	7_2_01BC43D4
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC43D4 mov eax, dword ptr fs:[00000030h]	7_2_01BC43D4
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDC3CD mov eax, dword ptr fs:[00000030h]	7_2_01BDC3CD
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A3C0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A3C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A3C0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A3C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A3C0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A3C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A3C0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A3C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A3C0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A3C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A3C0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A3C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B283C0 mov eax, dword ptr fs:[00000030h]	7_2_01B283C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B283C0 mov eax, dword ptr fs:[00000030h]	7_2_01B283C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B283C0 mov eax, dword ptr fs:[00000030h]	7_2_01B283C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B283C0 mov eax, dword ptr fs:[00000030h]	7_2_01B283C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA63C0 mov eax, dword ptr fs:[00000030h]	7_2_01BA63C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1C310 mov ecx, dword ptr fs:[00000030h]	7_2_01B1C310
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B40310 mov ecx, dword ptr fs:[00000030h]	7_2_01B40310
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A30B mov eax, dword ptr fs:[00000030h]	7_2_01B5A30B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A30B mov eax, dword ptr fs:[00000030h]	7_2_01B5A30B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A30B mov eax, dword ptr fs:[00000030h]	7_2_01B5A30B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC437C mov eax, dword ptr fs:[00000030h]	7_2_01BC437C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA035C mov eax, dword ptr fs:[00000030h]	7_2_01BA035C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA035C mov eax, dword ptr fs:[00000030h]	7_2_01BA035C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA035C mov eax, dword ptr fs:[00000030h]	7_2_01BA035C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA035C mov ecx, dword ptr fs:[00000030h]	7_2_01BA035C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA035C mov eax, dword ptr fs:[00000030h]	7_2_01BA035C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA035C mov eax, dword ptr fs:[00000030h]	7_2_01BA035C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEA352 mov eax, dword ptr fs:[00000030h]	7_2_01BEA352
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC8350 mov ecx, dword ptr fs:[00000030h]	7_2_01BC8350
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B302A0 mov eax, dword ptr fs:[00000030h]	7_2_01B302A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B302A0 mov eax, dword ptr fs:[00000030h]	7_2_01B302A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB62A0 mov eax, dword ptr fs:[00000030h]	7_2_01BB62A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB62A0 mov ecx, dword ptr fs:[00000030h]	7_2_01BB62A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB62A0 mov eax, dword ptr fs:[00000030h]	7_2_01BB62A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB62A0 mov eax, dword ptr fs:[00000030h]	7_2_01BB62A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB62A0 mov eax, dword ptr fs:[00000030h]	7_2_01BB62A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB62A0 mov eax, dword ptr fs:[00000030h]	7_2_01BB62A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E284 mov eax, dword ptr fs:[00000030h]	7_2_01B5E284
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E284 mov eax, dword ptr fs:[00000030h]	7_2_01B5E284
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA0283 mov eax, dword ptr fs:[00000030h]	7_2_01BA0283
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA0283 mov eax, dword ptr fs:[00000030h]	7_2_01BA0283
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA0283 mov eax, dword ptr fs:[00000030h]	7_2_01BA0283
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B302E1 mov eax, dword ptr fs:[00000030h]	7_2_01B302E1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B302E1 mov eax, dword ptr fs:[00000030h]	7_2_01B302E1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B302E1 mov eax, dword ptr fs:[00000030h]	7_2_01B302E1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A2C3 mov eax, dword ptr fs:[00000030h]	7_2_01B2A2C3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A2C3 mov eax, dword ptr fs:[00000030h]	7_2_01B2A2C3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A2C3 mov eax, dword ptr fs:[00000030h]	7_2_01B2A2C3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A2C3 mov eax, dword ptr fs:[00000030h]	7_2_01B2A2C3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A2C3 mov eax, dword ptr fs:[00000030h]	7_2_01B2A2C3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1823B mov eax, dword ptr fs:[00000030h]	7_2_01B1823B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B24260 mov eax, dword ptr fs:[00000030h]	7_2_01B24260
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B24260 mov eax, dword ptr fs:[00000030h]	7_2_01B24260
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B24260 mov eax, dword ptr fs:[00000030h]	7_2_01B24260
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1826B mov eax, dword ptr fs:[00000030h]	7_2_01B1826B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1A250 mov eax, dword ptr fs:[00000030h]	7_2_01B1A250
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26259 mov eax, dword ptr fs:[00000030h]	7_2_01B26259
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDA250 mov eax, dword ptr fs:[00000030h]	7_2_01BDA250
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDA250 mov eax, dword ptr fs:[00000030h]	7_2_01BDA250
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA8243 mov eax, dword ptr fs:[00000030h]	7_2_01BA8243
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA8243 mov ecx, dword ptr fs:[00000030h]	7_2_01BA8243
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B445B1 mov eax, dword ptr fs:[00000030h]	7_2_01B445B1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B445B1 mov eax, dword ptr fs:[00000030h]	7_2_01B445B1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA05A7 mov eax, dword ptr fs:[00000030h]	7_2_01BA05A7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA05A7 mov eax, dword ptr fs:[00000030h]	7_2_01BA05A7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA05A7 mov eax, dword ptr fs:[00000030h]	7_2_01BA05A7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E59C mov eax, dword ptr fs:[00000030h]	7_2_01B5E59C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B22582 mov eax, dword ptr fs:[00000030h]	7_2_01B22582
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B22582 mov ecx, dword ptr fs:[00000030h]	7_2_01B22582
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B54588 mov eax, dword ptr fs:[00000030h]	7_2_01B54588
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B225E0 mov eax, dword ptr fs:[00000030h]	7_2_01B225E0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E5E7 mov eax, dword ptr fs:[00000030h]	7_2_01B4E5E7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E5E7 mov eax, dword ptr fs:[00000030h]	7_2_01B4E5E7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E5E7 mov eax, dword ptr fs:[00000030h]	7_2_01B4E5E7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E5E7 mov eax, dword ptr fs:[00000030h]	7_2_01B4E5E7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E5E7 mov eax, dword ptr fs:[00000030h]	7_2_01B4E5E7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E5E7 mov eax, dword ptr fs:[00000030h]	7_2_01B4E5E7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E5E7 mov eax, dword ptr fs:[00000030h]	7_2_01B4E5E7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E5E7 mov eax, dword ptr fs:[00000030h]	7_2_01B4E5E7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5C5ED mov eax, dword ptr fs:[00000030h]	7_2_01B5C5ED
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5C5ED mov eax, dword ptr fs:[00000030h]	7_2_01B5C5ED
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B265D0 mov eax, dword ptr fs:[00000030h]	7_2_01B265D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A5D0 mov eax, dword ptr fs:[00000030h]	7_2_01B5A5D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A5D0 mov eax, dword ptr fs:[00000030h]	7_2_01B5A5D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E5CF mov eax, dword ptr fs:[00000030h]	7_2_01B5E5CF
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E5CF mov eax, dword ptr fs:[00000030h]	7_2_01B5E5CF
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30535 mov eax, dword ptr fs:[00000030h]	7_2_01B30535
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30535 mov eax, dword ptr fs:[00000030h]	7_2_01B30535
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30535 mov eax, dword ptr fs:[00000030h]	7_2_01B30535
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30535 mov eax, dword ptr fs:[00000030h]	7_2_01B30535
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30535 mov eax, dword ptr fs:[00000030h]	7_2_01B30535
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30535 mov eax, dword ptr fs:[00000030h]	7_2_01B30535
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E53E mov eax, dword ptr fs:[00000030h]	7_2_01B4E53E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E53E mov eax, dword ptr fs:[00000030h]	7_2_01B4E53E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E53E mov eax, dword ptr fs:[00000030h]	7_2_01B4E53E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E53E mov eax, dword ptr fs:[00000030h]	7_2_01B4E53E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4E53E mov eax, dword ptr fs:[00000030h]	7_2_01B4E53E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB6500 mov eax, dword ptr fs:[00000030h]	7_2_01BB6500
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF4500 mov eax, dword ptr fs:[00000030h]	7_2_01BF4500
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF4500 mov eax, dword ptr fs:[00000030h]	7_2_01BF4500
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF4500 mov eax, dword ptr fs:[00000030h]	7_2_01BF4500
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF4500 mov eax, dword ptr fs:[00000030h]	7_2_01BF4500
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF4500 mov eax, dword ptr fs:[00000030h]	7_2_01BF4500
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF4500 mov eax, dword ptr fs:[00000030h]	7_2_01BF4500
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF4500 mov eax, dword ptr fs:[00000030h]	7_2_01BF4500
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5656A mov eax, dword ptr fs:[00000030h]	7_2_01B5656A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5656A mov eax, dword ptr fs:[00000030h]	7_2_01B5656A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5656A mov eax, dword ptr fs:[00000030h]	7_2_01B5656A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28550 mov eax, dword ptr fs:[00000030h]	7_2_01B28550
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28550 mov eax, dword ptr fs:[00000030h]	7_2_01B28550
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B544B0 mov ecx, dword ptr fs:[00000030h]	7_2_01B544B0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAA4B0 mov eax, dword ptr fs:[00000030h]	7_2_01BAA4B0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B264AB mov eax, dword ptr fs:[00000030h]	7_2_01B264AB
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDA49A mov eax, dword ptr fs:[00000030h]	7_2_01BDA49A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B204E5 mov ecx, dword ptr fs:[00000030h]	7_2_01B204E5
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1E420 mov eax, dword ptr fs:[00000030h]	7_2_01B1E420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1E420 mov eax, dword ptr fs:[00000030h]	7_2_01B1E420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1E420 mov eax, dword ptr fs:[00000030h]	7_2_01B1E420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1C427 mov eax, dword ptr fs:[00000030h]	7_2_01B1C427
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA6420 mov eax, dword ptr fs:[00000030h]	7_2_01BA6420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA6420 mov eax, dword ptr fs:[00000030h]	7_2_01BA6420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA6420 mov eax, dword ptr fs:[00000030h]	7_2_01BA6420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA6420 mov eax, dword ptr fs:[00000030h]	7_2_01BA6420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA6420 mov eax, dword ptr fs:[00000030h]	7_2_01BA6420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA6420 mov eax, dword ptr fs:[00000030h]	7_2_01BA6420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA6420 mov eax, dword ptr fs:[00000030h]	7_2_01BA6420
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B58402 mov eax, dword ptr fs:[00000030h]	7_2_01B58402
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B58402 mov eax, dword ptr fs:[00000030h]	7_2_01B58402
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B58402 mov eax, dword ptr fs:[00000030h]	7_2_01B58402
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4A470 mov eax, dword ptr fs:[00000030h]	7_2_01B4A470
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4A470 mov eax, dword ptr fs:[00000030h]	7_2_01B4A470
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4A470 mov eax, dword ptr fs:[00000030h]	7_2_01B4A470
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAC460 mov ecx, dword ptr fs:[00000030h]	7_2_01BAC460
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BDA456 mov eax, dword ptr fs:[00000030h]	7_2_01BDA456
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1645D mov eax, dword ptr fs:[00000030h]	7_2_01B1645D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4245A mov eax, dword ptr fs:[00000030h]	7_2_01B4245A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E443 mov eax, dword ptr fs:[00000030h]	7_2_01B5E443
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E443 mov eax, dword ptr fs:[00000030h]	7_2_01B5E443
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E443 mov eax, dword ptr fs:[00000030h]	7_2_01B5E443
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E443 mov eax, dword ptr fs:[00000030h]	7_2_01B5E443
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E443 mov eax, dword ptr fs:[00000030h]	7_2_01B5E443
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E443 mov eax, dword ptr fs:[00000030h]	7_2_01B5E443
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E443 mov eax, dword ptr fs:[00000030h]	7_2_01B5E443
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5E443 mov eax, dword ptr fs:[00000030h]	7_2_01B5E443
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B207AF mov eax, dword ptr fs:[00000030h]	7_2_01B207AF
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD47A0 mov eax, dword ptr fs:[00000030h]	7_2_01BD47A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC678E mov eax, dword ptr fs:[00000030h]	7_2_01BC678E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B247FB mov eax, dword ptr fs:[00000030h]	7_2_01B247FB
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B247FB mov eax, dword ptr fs:[00000030h]	7_2_01B247FB
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B427ED mov eax, dword ptr fs:[00000030h]	7_2_01B427ED
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B427ED mov eax, dword ptr fs:[00000030h]	7_2_01B427ED
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B427ED mov eax, dword ptr fs:[00000030h]	7_2_01B427ED
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAE7E1 mov eax, dword ptr fs:[00000030h]	7_2_01BAE7E1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2C7C0 mov eax, dword ptr fs:[00000030h]	7_2_01B2C7C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA07C3 mov eax, dword ptr fs:[00000030h]	7_2_01BA07C3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5273C mov eax, dword ptr fs:[00000030h]	7_2_01B5273C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5273C mov ecx, dword ptr fs:[00000030h]	7_2_01B5273C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5273C mov eax, dword ptr fs:[00000030h]	7_2_01B5273C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9C730 mov eax, dword ptr fs:[00000030h]	7_2_01B9C730
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5C720 mov eax, dword ptr fs:[00000030h]	7_2_01B5C720
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5C720 mov eax, dword ptr fs:[00000030h]	7_2_01B5C720
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20710 mov eax, dword ptr fs:[00000030h]	7_2_01B20710
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B50710 mov eax, dword ptr fs:[00000030h]	7_2_01B50710
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5C700 mov eax, dword ptr fs:[00000030h]	7_2_01B5C700
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28770 mov eax, dword ptr fs:[00000030h]	7_2_01B28770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30770 mov eax, dword ptr fs:[00000030h]	7_2_01B30770
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20750 mov eax, dword ptr fs:[00000030h]	7_2_01B20750
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62750 mov eax, dword ptr fs:[00000030h]	7_2_01B62750
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62750 mov eax, dword ptr fs:[00000030h]	7_2_01B62750
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAE75D mov eax, dword ptr fs:[00000030h]	7_2_01BAE75D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5674D mov esi, dword ptr fs:[00000030h]	7_2_01B5674D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5674D mov eax, dword ptr fs:[00000030h]	7_2_01B5674D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5674D mov eax, dword ptr fs:[00000030h]	7_2_01B5674D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B566B0 mov eax, dword ptr fs:[00000030h]	7_2_01B566B0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5C6A6 mov eax, dword ptr fs:[00000030h]	7_2_01B5C6A6
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B24690 mov eax, dword ptr fs:[00000030h]	7_2_01B24690
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B24690 mov eax, dword ptr fs:[00000030h]	7_2_01B24690
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E6F2 mov eax, dword ptr fs:[00000030h]	7_2_01B9E6F2
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E6F2 mov eax, dword ptr fs:[00000030h]	7_2_01B9E6F2
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E6F2 mov eax, dword ptr fs:[00000030h]	7_2_01B9E6F2
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E6F2 mov eax, dword ptr fs:[00000030h]	7_2_01B9E6F2
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA06F1 mov eax, dword ptr fs:[00000030h]	7_2_01BA06F1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA06F1 mov eax, dword ptr fs:[00000030h]	7_2_01BA06F1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A6C7 mov ebx, dword ptr fs:[00000030h]	7_2_01B5A6C7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A6C7 mov eax, dword ptr fs:[00000030h]	7_2_01B5A6C7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3E627 mov eax, dword ptr fs:[00000030h]	7_2_01B3E627
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B56620 mov eax, dword ptr fs:[00000030h]	7_2_01B56620
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B58620 mov eax, dword ptr fs:[00000030h]	7_2_01B58620
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2262C mov eax, dword ptr fs:[00000030h]	7_2_01B2262C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B62619 mov eax, dword ptr fs:[00000030h]	7_2_01B62619
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E609 mov eax, dword ptr fs:[00000030h]	7_2_01B9E609
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3260B mov eax, dword ptr fs:[00000030h]	7_2_01B3260B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3260B mov eax, dword ptr fs:[00000030h]	7_2_01B3260B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3260B mov eax, dword ptr fs:[00000030h]	7_2_01B3260B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3260B mov eax, dword ptr fs:[00000030h]	7_2_01B3260B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3260B mov eax, dword ptr fs:[00000030h]	7_2_01B3260B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3260B mov eax, dword ptr fs:[00000030h]	7_2_01B3260B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3260B mov eax, dword ptr fs:[00000030h]	7_2_01B3260B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B52674 mov eax, dword ptr fs:[00000030h]	7_2_01B52674
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE866E mov eax, dword ptr fs:[00000030h]	7_2_01BE866E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE866E mov eax, dword ptr fs:[00000030h]	7_2_01BE866E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A660 mov eax, dword ptr fs:[00000030h]	7_2_01B5A660
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A660 mov eax, dword ptr fs:[00000030h]	7_2_01B5A660
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3C640 mov eax, dword ptr fs:[00000030h]	7_2_01B3C640
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA89B3 mov esi, dword ptr fs:[00000030h]	7_2_01BA89B3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA89B3 mov eax, dword ptr fs:[00000030h]	7_2_01BA89B3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA89B3 mov eax, dword ptr fs:[00000030h]	7_2_01BA89B3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B329A0 mov eax, dword ptr fs:[00000030h]	7_2_01B329A0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B209AD mov eax, dword ptr fs:[00000030h]	7_2_01B209AD
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B209AD mov eax, dword ptr fs:[00000030h]	7_2_01B209AD
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B529F9 mov eax, dword ptr fs:[00000030h]	7_2_01B529F9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B529F9 mov eax, dword ptr fs:[00000030h]	7_2_01B529F9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAE9E0 mov eax, dword ptr fs:[00000030h]	7_2_01BAE9E0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A9D0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A9D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A9D0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A9D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A9D0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A9D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A9D0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A9D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A9D0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A9D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2A9D0 mov eax, dword ptr fs:[00000030h]	7_2_01B2A9D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B549D0 mov eax, dword ptr fs:[00000030h]	7_2_01B549D0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEA9D3 mov eax, dword ptr fs:[00000030h]	7_2_01BEA9D3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB69C0 mov eax, dword ptr fs:[00000030h]	7_2_01BB69C0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA892A mov eax, dword ptr fs:[00000030h]	7_2_01BA892A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB892B mov eax, dword ptr fs:[00000030h]	7_2_01BB892B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAC912 mov eax, dword ptr fs:[00000030h]	7_2_01BAC912
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B18918 mov eax, dword ptr fs:[00000030h]	7_2_01B18918
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B18918 mov eax, dword ptr fs:[00000030h]	7_2_01B18918
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E908 mov eax, dword ptr fs:[00000030h]	7_2_01B9E908
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9E908 mov eax, dword ptr fs:[00000030h]	7_2_01B9E908
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC4978 mov eax, dword ptr fs:[00000030h]	7_2_01BC4978
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC4978 mov eax, dword ptr fs:[00000030h]	7_2_01BC4978
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAC97C mov eax, dword ptr fs:[00000030h]	7_2_01BAC97C
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B46962 mov eax, dword ptr fs:[00000030h]	7_2_01B46962
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B46962 mov eax, dword ptr fs:[00000030h]	7_2_01B46962
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B46962 mov eax, dword ptr fs:[00000030h]	7_2_01B46962
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA0946 mov eax, dword ptr fs:[00000030h]	7_2_01BA0946
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAC89D mov eax, dword ptr fs:[00000030h]	7_2_01BAC89D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20887 mov eax, dword ptr fs:[00000030h]	7_2_01B20887
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5C8F9 mov eax, dword ptr fs:[00000030h]	7_2_01B5C8F9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5C8F9 mov eax, dword ptr fs:[00000030h]	7_2_01B5C8F9
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BEA8E4 mov eax, dword ptr fs:[00000030h]	7_2_01BEA8E4
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B42835 mov eax, dword ptr fs:[00000030h]	7_2_01B42835
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B42835 mov eax, dword ptr fs:[00000030h]	7_2_01B42835
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B42835 mov eax, dword ptr fs:[00000030h]	7_2_01B42835
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B42835 mov ecx, dword ptr fs:[00000030h]	7_2_01B42835
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B42835 mov eax, dword ptr fs:[00000030h]	7_2_01B42835
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B42835 mov eax, dword ptr fs:[00000030h]	7_2_01B42835
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5A830 mov eax, dword ptr fs:[00000030h]	7_2_01B5A830
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC483A mov eax, dword ptr fs:[00000030h]	7_2_01BC483A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC483A mov eax, dword ptr fs:[00000030h]	7_2_01BC483A
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAC810 mov eax, dword ptr fs:[00000030h]	7_2_01BAC810
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAE872 mov eax, dword ptr fs:[00000030h]	7_2_01BAE872
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BAE872 mov eax, dword ptr fs:[00000030h]	7_2_01BAE872
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB6870 mov eax, dword ptr fs:[00000030h]	7_2_01BB6870
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB6870 mov eax, dword ptr fs:[00000030h]	7_2_01BB6870
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B50854 mov eax, dword ptr fs:[00000030h]	7_2_01B50854
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B24859 mov eax, dword ptr fs:[00000030h]	7_2_01B24859
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B24859 mov eax, dword ptr fs:[00000030h]	7_2_01B24859
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30BBE mov eax, dword ptr fs:[00000030h]	7_2_01B30BBE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30BBE mov eax, dword ptr fs:[00000030h]	7_2_01B30BBE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD4BB0 mov eax, dword ptr fs:[00000030h]	7_2_01BD4BB0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD4BB0 mov eax, dword ptr fs:[00000030h]	7_2_01BD4BB0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28BF0 mov eax, dword ptr fs:[00000030h]	7_2_01B28BF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28BF0 mov eax, dword ptr fs:[00000030h]	7_2_01B28BF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28BF0 mov eax, dword ptr fs:[00000030h]	7_2_01B28BF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BACBF0 mov eax, dword ptr fs:[00000030h]	7_2_01BACBF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCEBD0 mov eax, dword ptr fs:[00000030h]	7_2_01BCEBD0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20BCD mov eax, dword ptr fs:[00000030h]	7_2_01B20BCD
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20BCD mov eax, dword ptr fs:[00000030h]	7_2_01B20BCD
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20BCD mov eax, dword ptr fs:[00000030h]	7_2_01B20BCD
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4EB20 mov eax, dword ptr fs:[00000030h]	7_2_01B4EB20
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4EB20 mov eax, dword ptr fs:[00000030h]	7_2_01B4EB20
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE8B28 mov eax, dword ptr fs:[00000030h]	7_2_01BE8B28
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE8B28 mov eax, dword ptr fs:[00000030h]	7_2_01BE8B28
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9EB1D mov eax, dword ptr fs:[00000030h]	7_2_01B9EB1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9EB1D mov eax, dword ptr fs:[00000030h]	7_2_01B9EB1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9EB1D mov eax, dword ptr fs:[00000030h]	7_2_01B9EB1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9EB1D mov eax, dword ptr fs:[00000030h]	7_2_01B9EB1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9EB1D mov eax, dword ptr fs:[00000030h]	7_2_01B9EB1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9EB1D mov eax, dword ptr fs:[00000030h]	7_2_01B9EB1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9EB1D mov eax, dword ptr fs:[00000030h]	7_2_01B9EB1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9EB1D mov eax, dword ptr fs:[00000030h]	7_2_01B9EB1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9EB1D mov eax, dword ptr fs:[00000030h]	7_2_01B9EB1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1CB7E mov eax, dword ptr fs:[00000030h]	7_2_01B1CB7E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCEB50 mov eax, dword ptr fs:[00000030h]	7_2_01BCEB50
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD4B4B mov eax, dword ptr fs:[00000030h]	7_2_01BD4B4B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD4B4B mov eax, dword ptr fs:[00000030h]	7_2_01BD4B4B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB6B40 mov eax, dword ptr fs:[00000030h]	7_2_01BB6B40
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB6B40 mov eax, dword ptr fs:[00000030h]	7_2_01BB6B40
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC8B42 mov eax, dword ptr fs:[00000030h]	7_2_01BC8B42
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28AA0 mov eax, dword ptr fs:[00000030h]	7_2_01B28AA0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28AA0 mov eax, dword ptr fs:[00000030h]	7_2_01B28AA0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B58A90 mov edx, dword ptr fs:[00000030h]	7_2_01B58A90
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80 mov eax, dword ptr fs:[00000030h]	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80 mov eax, dword ptr fs:[00000030h]	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80 mov eax, dword ptr fs:[00000030h]	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80 mov eax, dword ptr fs:[00000030h]	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80 mov eax, dword ptr fs:[00000030h]	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80 mov eax, dword ptr fs:[00000030h]	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80 mov eax, dword ptr fs:[00000030h]	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80 mov eax, dword ptr fs:[00000030h]	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2EA80 mov eax, dword ptr fs:[00000030h]	7_2_01B2EA80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF4A80 mov eax, dword ptr fs:[00000030h]	7_2_01BF4A80
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5AAEE mov eax, dword ptr fs:[00000030h]	7_2_01B5AAEE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5AAEE mov eax, dword ptr fs:[00000030h]	7_2_01B5AAEE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20AD0 mov eax, dword ptr fs:[00000030h]	7_2_01B20AD0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B54AD0 mov eax, dword ptr fs:[00000030h]	7_2_01B54AD0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B54AD0 mov eax, dword ptr fs:[00000030h]	7_2_01B54AD0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B76ACC mov eax, dword ptr fs:[00000030h]	7_2_01B76ACC
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B76ACC mov eax, dword ptr fs:[00000030h]	7_2_01B76ACC
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B76ACC mov eax, dword ptr fs:[00000030h]	7_2_01B76ACC
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B44A35 mov eax, dword ptr fs:[00000030h]	7_2_01B44A35
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B44A35 mov eax, dword ptr fs:[00000030h]	7_2_01B44A35
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5CA38 mov eax, dword ptr fs:[00000030h]	7_2_01B5CA38
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5CA24 mov eax, dword ptr fs:[00000030h]	7_2_01B5CA24
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4EA2E mov eax, dword ptr fs:[00000030h]	7_2_01B4EA2E
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BACA11 mov eax, dword ptr fs:[00000030h]	7_2_01BACA11
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9CA72 mov eax, dword ptr fs:[00000030h]	7_2_01B9CA72
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B9CA72 mov eax, dword ptr fs:[00000030h]	7_2_01B9CA72
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5CA6F mov eax, dword ptr fs:[00000030h]	7_2_01B5CA6F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5CA6F mov eax, dword ptr fs:[00000030h]	7_2_01B5CA6F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5CA6F mov eax, dword ptr fs:[00000030h]	7_2_01B5CA6F
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BCEA60 mov eax, dword ptr fs:[00000030h]	7_2_01BCEA60
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26A50 mov eax, dword ptr fs:[00000030h]	7_2_01B26A50
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26A50 mov eax, dword ptr fs:[00000030h]	7_2_01B26A50
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26A50 mov eax, dword ptr fs:[00000030h]	7_2_01B26A50
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26A50 mov eax, dword ptr fs:[00000030h]	7_2_01B26A50
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26A50 mov eax, dword ptr fs:[00000030h]	7_2_01B26A50
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26A50 mov eax, dword ptr fs:[00000030h]	7_2_01B26A50
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B26A50 mov eax, dword ptr fs:[00000030h]	7_2_01B26A50
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30A5B mov eax, dword ptr fs:[00000030h]	7_2_01B30A5B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B30A5B mov eax, dword ptr fs:[00000030h]	7_2_01B30A5B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5CDB1 mov ecx, dword ptr fs:[00000030h]	7_2_01B5CDB1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5CDB1 mov eax, dword ptr fs:[00000030h]	7_2_01B5CDB1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B5CDB1 mov eax, dword ptr fs:[00000030h]	7_2_01B5CDB1
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B48DBF mov eax, dword ptr fs:[00000030h]	7_2_01B48DBF
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B48DBF mov eax, dword ptr fs:[00000030h]	7_2_01B48DBF
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE8DAE mov eax, dword ptr fs:[00000030h]	7_2_01BE8DAE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BE8DAE mov eax, dword ptr fs:[00000030h]	7_2_01BE8DAE
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BF4DAD mov eax, dword ptr fs:[00000030h]	7_2_01BF4DAD
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B56DA0 mov eax, dword ptr fs:[00000030h]	7_2_01B56DA0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4CDF0 mov eax, dword ptr fs:[00000030h]	7_2_01B4CDF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4CDF0 mov ecx, dword ptr fs:[00000030h]	7_2_01B4CDF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B16DF6 mov eax, dword ptr fs:[00000030h]	7_2_01B16DF6
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC0DF0 mov eax, dword ptr fs:[00000030h]	7_2_01BC0DF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BC0DF0 mov eax, dword ptr fs:[00000030h]	7_2_01BC0DF0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2ADE0 mov eax, dword ptr fs:[00000030h]	7_2_01B2ADE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2ADE0 mov eax, dword ptr fs:[00000030h]	7_2_01B2ADE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2ADE0 mov eax, dword ptr fs:[00000030h]	7_2_01B2ADE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2ADE0 mov eax, dword ptr fs:[00000030h]	7_2_01B2ADE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2ADE0 mov eax, dword ptr fs:[00000030h]	7_2_01B2ADE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B2ADE0 mov eax, dword ptr fs:[00000030h]	7_2_01B2ADE0
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1CDEA mov eax, dword ptr fs:[00000030h]	7_2_01B1CDEA
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B1CDEA mov eax, dword ptr fs:[00000030h]	7_2_01B1CDEA
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4EDD3 mov eax, dword ptr fs:[00000030h]	7_2_01B4EDD3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4EDD3 mov eax, dword ptr fs:[00000030h]	7_2_01B4EDD3
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA4DD7 mov eax, dword ptr fs:[00000030h]	7_2_01BA4DD7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA4DD7 mov eax, dword ptr fs:[00000030h]	7_2_01BA4DD7
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4ED25 mov eax, dword ptr fs:[00000030h]	7_2_01B4ED25
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4ED25 mov eax, dword ptr fs:[00000030h]	7_2_01B4ED25
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B4ED25 mov eax, dword ptr fs:[00000030h]	7_2_01B4ED25
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BA8D20 mov eax, dword ptr fs:[00000030h]	7_2_01BA8D20
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B16D10 mov eax, dword ptr fs:[00000030h]	7_2_01B16D10
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B16D10 mov eax, dword ptr fs:[00000030h]	7_2_01B16D10
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B16D10 mov eax, dword ptr fs:[00000030h]	7_2_01B16D10
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B54D1D mov eax, dword ptr fs:[00000030h]	7_2_01B54D1D
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD8D10 mov eax, dword ptr fs:[00000030h]	7_2_01BD8D10
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BD8D10 mov eax, dword ptr fs:[00000030h]	7_2_01BD8D10
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3AD00 mov eax, dword ptr fs:[00000030h]	7_2_01B3AD00
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3AD00 mov eax, dword ptr fs:[00000030h]	7_2_01B3AD00
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B3AD00 mov eax, dword ptr fs:[00000030h]	7_2_01B3AD00
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01BB8D6B mov eax, dword ptr fs:[00000030h]	7_2_01BB8D6B
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20D59 mov eax, dword ptr fs:[00000030h]	7_2_01B20D59
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20D59 mov eax, dword ptr fs:[00000030h]	7_2_01B20D59
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B20D59 mov eax, dword ptr fs:[00000030h]	7_2_01B20D59
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28D59 mov eax, dword ptr fs:[00000030h]	7_2_01B28D59
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28D59 mov eax, dword ptr fs:[00000030h]	7_2_01B28D59
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Code function: 7_2_01B28D59 mov eax, dword ptr fs:[00000030h]	7_2_01B28D59

Source: C:\Windows\SysWOW64\cmmon32.exe

Code function: 11_2_00095649 GetCurrentProcessId,OpenProcess,LoadLibraryExA,GetProcAddress,GetProcessHeap,GetLastError,FreeLibrary,GetLastError,OpenEventW,SetEvent,CloseHandle,GetLastError,GetLastError,

11_2_00095649

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_00097020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		11_2_00097020
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 11_2_000971B0 SetUnhandledExceptionFilter,		11_2_000971B0

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe"
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"	Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	NtClose: Indirect: 0x105A56C
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	NtQueueApcThread: Indirect: 0x105A4F2
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	NtQueueApcThread: Indirect: 0x168A4F2	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	NtClose: Indirect: 0x168A56C

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe

Memory written: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Thread register set: target process: 4040	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Thread register set: target process: 4040
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Thread register set: target process: 4040

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 90000			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: F70000

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\0xHPSESJcg.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp806A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Process created: C:\Users\user\Desktop\0xHPSESJcg.exe "C:\Users\user\Desktop\0xHPSESJcg.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TlUVldLSnDvyT" /XML "C:\Users\user\AppData\Local\Temp\tmp95B8.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process created: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Process created: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe "C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\0xHPSESJcg.exe"

Source: explorer.exe, 00000008.00000000.897117544.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3343329419.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000002.3350718063.00000000043B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000003.3078260449.0000000009552000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.897117544.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.896888872.0000000000875000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.897117544.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3343329419.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.897117544.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.3343329419.0000000000EB0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\SysWOW64\cmmon32.exe

Code function: GetLocaleInfoW,CmAtolW,GetNumberFormatW,lstrlenW,CmIsDigitW,

11_2_000961CA

Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Queries volume information: C:\Users\user\Desktop\0xHPSESJcg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\0xHPSESJcg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Queries volume information: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TlUVldLSnDvyT.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: unknown VolumeInformation

Source: C:\Windows\SysWOW64\cmmon32.exe

Code function: 11_2_000973D5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

11_2_000973D5

Source: C:\Users\user\Desktop\0xHPSESJcg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 7.2.0xHPSESJcg.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.0xHPSESJcg.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0xHPSESJcg.exe.46d00b0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.0xHPSESJcg.exe.465d890.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.903478477.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.958611207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3341645917.00000000024A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3343061104.00000000041D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.978086480.0000000000AB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.903478477.0000000004482000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3342627871.00000000040D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	512 Process Injection	11 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	341 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	51 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	512 Process Injection	NTDS	51 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Abuse Elevation Control Mechanism	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	233 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0xHPSESJcg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
0xHPSESJcg.exe