Windows Analysis Report
4lHZn6Ri2B.exe

Overview

General Information

Sample name: 4lHZn6Ri2B.exe (renamed because original name is a hash value)
Original sample name: ddd294075c549d450ca2980348b9aa282fbc1cdc1f032b62f12f991365412fa5.exe
Analysis ID: 1634881
MD5: a5fa3174d7fc5565473f1b8e899030be
SHA1: 625957f7de2742b5bd9157a278dd74973425ecb9
SHA256: ddd294075c549d450ca2980348b9aa282fbc1cdc1f032b62f12f991365412fa5
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Tries to resolve many domain names, but no domain seems valid
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 4lHZn6Ri2B.exe (PID: 7136 cmdline: "C:\Users\user\Desktop\4lHZn6Ri2B.exe" MD5: A5FA3174D7FC5565473F1B8E899030BE)
    • powershell.exe (PID: 5396 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6628 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • 4lHZn6Ri2B.exe (PID: 5152 cmdline: "C:\Users\user\Desktop\4lHZn6Ri2B.exe" MD5: A5FA3174D7FC5565473F1B8E899030BE)
      • explorer.exe (PID: 2528 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • NETSTAT.EXE (PID: 6024 cmdline: "C:\Windows\SysWOW64\NETSTAT.EXE" MD5: 9DB170ED520A6DD57B5AC92EC537368A)
          • cmd.exe (PID: 6216 cmdline: /c del "C:\Users\user\Desktop\4lHZn6Ri2B.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 312 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
{"C2 list": ["www.uittttttttt17.sbs/sm05/"], "decoy": ["oduodesign.net", "rofitfunnelgo.net", "grexvc.online", "royecto10k.online", "asminivorytancherry.top", "isard.online", "fbzhvub.xyz", "artners-smart.fun", "dventistbridgingcare.info", "jhwzcqf.xyz", "uoysbuddy.online", "ome-care-jobs-362514.today", "tp7-ditogel.xyz", "ssentialshub.shop", "etwinner-casinos-spins.buzz", "eikuang.lol", "howupii.online", "univon.homes", "irewood-2025-at.cfd", "ropelatacadao.online", "cctlink.net", "dealofferforyou.website", "hilduzzw.click", "30a.xyz", "lowingweddingsgrace.beauty", "indow-replacement-67522.bond", "mericanadtrader.online", "ovostniknearby.click", "nklere-norge.online", "atestmoviereview.xyz", "ewelscrwn.net", "awwaanntogell.net", "leaningtasks-met-sas.click", "ental-health-test-95794.bond", "ppseeks.net", "kzemuot.xyz", "etflix711.fun", "hefrenchzone.online", "anding.ninja", "atzhall.wine", "adiantweddingscharm.beauty", "ouqiu8.net", "tp-toto88.info", "abynameshub.shop", "inup-casino-rkw3.top", "indgoodfranchises.info", "hsg.xyz", "eetastrion.shop", "gx0301.online", "arrefitnessassociation.xyz", "nsightyogaboston.online", "bandoned-houses-83535.bond", "onghuan.lol", "judecomcarinho.fun", "w2ir.shop", "oshigaya-clinic-266665868.today", "sicroi.shop", "leaning-jobs-94377.bond", "hunpeng.lol", "sedolu.info", "ontent-mint.xyz", "stekklima.net", "uoding.lol", "emax.ltd"]}
Source | Rule | Description | Author | Strings
00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18819:$sqlite3step: 68 34 1C 7B E1
  • 0x1892c:$sqlite3step: 68 34 1C 7B E1
  • 0x18848:$sqlite3text: 68 38 2A 90 C5
  • 0x1896d:$sqlite3text: 68 38 2A 90 C5
  • 0x1885b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Source | Rule | Description | Author | Strings
4.2.4lHZn6Ri2B.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.4lHZn6Ri2B.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.4lHZn6Ri2B.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.4lHZn6Ri2B.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.4lHZn6Ri2B.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a19:$sqlite3step: 68 34 1C 7B E1
  • 0x17b2c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a48:$sqlite3text: 68 38 2A 90 C5
  • 0x17b6d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17b83:$sqlite3blob: 68 53 D8 7F 8C

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4lHZn6Ri2B.exe", ParentImage: C:\Users\user\Desktop\4lHZn6Ri2B.exe, ParentProcessId: 7136, ParentProcessName: 4lHZn6Ri2B.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe", ProcessId: 5396, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4lHZn6Ri2B.exe", ParentImage: C:\Users\user\Desktop\4lHZn6Ri2B.exe, ParentProcessId: 7136, ParentProcessName: 4lHZn6Ri2B.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe", ProcessId: 5396, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 312, ProcessName: svchost.exe
          No Suricata rule has matched

          AV Detection

Source: 4lHZn6Ri2B.exe | Avira: detected
Source: http://www.irewood-2025-at.cfd | Avira URL Cloud: Label: malware
Source: http://www.leaning-jobs-94377.bond/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.uoding.lol/sm05/www.grexvc.online | Avira URL Cloud: Label: malware
Source: http://www.arrefitnessassociation.xyz/sm05/ | Avira URL Cloud: Label: malware
Source: www.uittttttttt17.sbs/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.grexvc.online/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.etflix711.fun | Avira URL Cloud: Label: malware
Source: http://www.oduodesign.net/sm05/www.etflix711.fun | Avira URL Cloud: Label: malware
Source: http://www.mericanadtrader.online/sm05/www.ental-health-test-95794.bond | Avira URL Cloud: Label: malware
Source: http://www.mericanadtrader.online/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.uoysbuddy.online/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.uoding.lol/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.ental-health-test-95794.bond | Avira URL Cloud: Label: malware
Source: http://www.grexvc.online/sm05/www.leaning-jobs-94377.bond | Avira URL Cloud: Label: malware
Source: http://www.onghuan.lol/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.onghuan.lol/sm05/www.ropelatacadao.online | Avira URL Cloud: Label: malware
Source: http://www.ental-health-test-95794.bond/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.etflix711.fun/sm05/www.uittttttttt17.sbs | Avira URL Cloud: Label: malware
Source: http://www.uittttttttt17.sbs/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.oduodesign.net | Avira URL Cloud: Label: malware
Source: http://www.etflix711.fun/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.irewood-2025-at.cfd/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.oduodesign.net/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.uittttttttt17.sbs/sm05/www.hsg.xyz | Avira URL Cloud: Label: malware
Source: http://www.onghuan.lol | Avira URL Cloud: Label: malware
Source: http://www.ropelatacadao.online/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.abynameshub.shop/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.abynameshub.shop/sm05/www.onghuan.lol | Avira URL Cloud: Label: malware
Source: http://www.hsg.xyz/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.arrefitnessassociation.xyz/sm05/www.hefrenchzone.online | Avira URL Cloud: Label: malware
Source: http://www.leaning-jobs-94377.bond | Avira URL Cloud: Label: malware
Source: http://www.uoysbuddy.online/sm05/www.irewood-2025-at.cfd | Avira URL Cloud: Label: malware
Source: http://www.hsg.xyz/sm05/www.mericanadtrader.online | Avira URL Cloud: Label: malware
Source: http://www.grexvc.online | Avira URL Cloud: Label: malware
Source: http://www.abynameshub.shop | Avira URL Cloud: Label: malware
Source: http://www.hefrenchzone.online/sm05/ | Avira URL Cloud: Label: malware
Source: http://www.irewood-2025-at.cfd/sm05/www.oduodesign.net | Avira URL Cloud: Label: malware
Source: http://www.hsg.xyz | Avira URL Cloud: Label: malware
Source: http://www.mericanadtrader.online | Avira URL Cloud: Label: malware
Source: http://www.leaning-jobs-94377.bond/sm05/www.uoysbuddy.online | Avira URL Cloud: Label: malware
Source: http://www.ropelatacadao.online/sm05/www.arrefitnessassociation.xyz | Avira URL Cloud: Label: malware
Source: http://www.ropelatacadao.online | Avira URL Cloud: Label: malware
Source: http://www.ental-health-test-95794.bond/sm05/www.abynameshub.shop | Avira URL Cloud: Label: malware
Source: http://www.hefrenchzone.online | Avira URL Cloud: Label: malware
Source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.uittttttttt17.sbs/sm05/"], "decoy": ["oduodesign.net", "rofitfunnelgo.net", "grexvc.online", "royecto10k.online", "asminivorytancherry.top", "isard.online", "fbzhvub.xyz", "artners-smart.fun", "dventistbridgingcare.info", "jhwzcqf.xyz", "uoysbuddy.online", "ome-care-jobs-362514.today", "tp7-ditogel.xyz", "ssentialshub.shop", "etwinner-casinos-spins.buzz", "eikuang.lol", "howupii.online", "univon.homes", "irewood-2025-at.cfd", "ropelatacadao.online", "cctlink.net", "dealofferforyou.website", "hilduzzw.click", "30a.xyz", "lowingweddingsgrace.beauty", "indow-replacement-67522.bond", "mericanadtrader.online", "ovostniknearby.click", "nklere-norge.online", "atestmoviereview.xyz", "ewelscrwn.net", "awwaanntogell.net", "leaningtasks-met-sas.click", "ental-health-test-95794.bond", "ppseeks.net", "kzemuot.xyz", "etflix711.fun", "hefrenchzone.online", "anding.ninja", "atzhall.wine", "adiantweddingscharm.beauty", "ouqiu8.net", "tp-toto88.info", "abynameshub.shop", "inup-casino-rkw3.top", "indgoodfranchises.info", "hsg.xyz", "eetastrion.shop", "gx0301.online", "arrefitnessassociation.xyz", "nsightyogaboston.online", "bandoned-houses-83535.bond", "onghuan.lol", "judecomcarinho.fun", "w2ir.shop", "oshigaya-clinic-266665868.today", "sicroi.shop", "leaning-jobs-94377.bond", "hunpeng.lol", "sedolu.info", "ontent-mint.xyz", "stekklima.net", "uoding.lol", "emax.ltd"]}
Source: 4lHZn6Ri2B.exe | Virustotal: Detection: 79%
Source: 4lHZn6Ri2B.exe | ReversingLabs: Detection: 73%
Source: Yara match | File source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 4lHZn6Ri2B.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4lHZn6Ri2B.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: netstat.pdbGCTL source: 4lHZn6Ri2B.exe, 00000004.00000002.1123230922.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, 4lHZn6Ri2B.exe, 00000004.00000002.1122612867.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.3520289281.00000000004F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: OiHH.pdbSHA256 source: 4lHZn6Ri2B.exe
          Source: Binary string: netstat.pdb source: 4lHZn6Ri2B.exe, 00000004.00000002.1123230922.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, 4lHZn6Ri2B.exe, 00000004.00000002.1122612867.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000002.3520289281.00000000004F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: OiHH.pdb source: 4lHZn6Ri2B.exe
          Source: Binary string: wntdll.pdbUGP source: 4lHZn6Ri2B.exe, 00000004.00000002.1124190785.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.3522109574.000000000309E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.3522109574.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1122203307.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1124624064.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 4lHZn6Ri2B.exe, 4lHZn6Ri2B.exe, 00000004.00000002.1124190785.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000002.3522109574.000000000309E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.3522109574.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1122203307.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1124624064.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4x nop then jmp 0F6C12C2h | 0_2_0F6C08D0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4x nop then jmp 0F6C12C2h | 0_2_0F6C0D83
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4x nop then jmp 0F6C12C2h | 0_2_0F6C089F
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4x nop then pop edi | 4_2_0040E482
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 7_2_004BE482

          Networking

Source: Malware configuration extractor | URLs: www.uittttttttt17.sbs/sm05/
          Source: DNS query: www.hsg.xyz
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: Joe Sandbox View | IP Address: 204.79.197.203
Source: global traffic | TCP traffic: 192.168.2.10:49672 -> 204.79.197.203:443
Source: unknown | DNS traffic detected: query: www.leaning-jobs-94377.bond replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.oduodesign.net replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.hsg.xyz replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.uittttttttt17.sbs replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.uoysbuddy.online replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.uoding.lol replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.irewood-2025-at.cfd replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.mericanadtrader.online replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.etflix711.fun replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.abynameshub.shop replaycode: Name error (3) (2 occurrences)
Source: unknown | DNS traffic detected: query: www.ental-health-test-95794.bond replaycode: Name error (3) (2 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 204.79.197.203 (7 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (11 occurrences)
Source: global traffic | DNS traffic detected: DNS query: www.uoding.lol
Source: global traffic | DNS traffic detected: DNS query: www.leaning-jobs-94377.bond
Source: global traffic | DNS traffic detected: DNS query: www.uoysbuddy.online
Source: global traffic | DNS traffic detected: DNS query: www.irewood-2025-at.cfd
Source: global traffic | DNS traffic detected: DNS query: www.oduodesign.net
Source: global traffic | DNS traffic detected: DNS query: www.etflix711.fun
Source: global traffic | DNS traffic detected: DNS query: www.uittttttttt17.sbs
Source: global traffic | DNS traffic detected: DNS query: www.hsg.xyz
Source: global traffic | DNS traffic detected: DNS query: www.mericanadtrader.online
Source: global traffic | DNS traffic detected: DNS query: www.ental-health-test-95794.bond
Source: global traffic | DNS traffic detected: DNS query: www.abynameshub.shop
Source: explorer.exe, 00000005.00000000.1065055721.0000000007293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2839542567.0000000008B61000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3529032837.0000000008B61000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3526128767.0000000007293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.0000000007293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1070233476.0000000008B61000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 0000000A.00000002.2851570391.000001F5E0800000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: explorer.exe, 00000005.00000000.1065055721.0000000007293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2839542567.0000000008B61000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3529032837.0000000008B61000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3526128767.0000000007293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.0000000007293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1070233476.0000000008B61000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.10.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: qmgr.db.10.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: explorer.exe, 00000005.00000000.1065055721.0000000007293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2839542567.0000000008B61000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3529032837.0000000008B61000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3526128767.0000000007293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.0000000007293000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1070233476.0000000008B61000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000005.00000003.2836119885.00000000072D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3526128767.00000000072D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000072D2000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 00000005.00000002.3526974196.0000000007810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1066966517.0000000007950000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1066985444.0000000007970000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: 4lHZn6Ri2B.exe, 00000000.00000002.1065484810.00000000032C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 4lHZn6Ri2B.exe | String found in binary or memory: http://tempuri.org/DataTableUsers.xsd
Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.abynameshub.shop
Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.abynameshub.shop/sm05/
Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.abynameshub.shop/sm05/www.onghuan.lol
Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.abynameshub.shopReferer:
Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.arrefitnessassociation.xyz
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.arrefitnessassociation.xyz/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.arrefitnessassociation.xyz/sm05/www.hefrenchzone.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.arrefitnessassociation.xyzReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-health-test-95794.bond
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-health-test-95794.bond/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-health-test-95794.bond/sm05/www.abynameshub.shop
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ental-health-test-95794.bondReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.etflix711.fun
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.etflix711.fun/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.etflix711.fun/sm05/www.uittttttttt17.sbs
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.etflix711.funReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.grexvc.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.grexvc.online/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.grexvc.online/sm05/www.leaning-jobs-94377.bond
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.grexvc.onlineReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hefrenchzone.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hefrenchzone.online/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hefrenchzone.onlineReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hsg.xyz
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hsg.xyz/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hsg.xyz/sm05/www.mericanadtrader.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.hsg.xyzReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irewood-2025-at.cfd
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irewood-2025-at.cfd/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irewood-2025-at.cfd/sm05/www.oduodesign.net
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.irewood-2025-at.cfdReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leaning-jobs-94377.bond
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leaning-jobs-94377.bond/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leaning-jobs-94377.bond/sm05/www.uoysbuddy.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.leaning-jobs-94377.bondReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mericanadtrader.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mericanadtrader.online/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mericanadtrader.online/sm05/www.ental-health-test-95794.bond
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.mericanadtrader.onlineReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oduodesign.net
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oduodesign.net/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oduodesign.net/sm05/www.etflix711.fun
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oduodesign.netReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onghuan.lol
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onghuan.lol/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onghuan.lol/sm05/www.ropelatacadao.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.onghuan.lolReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ropelatacadao.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ropelatacadao.online/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ropelatacadao.online/sm05/www.arrefitnessassociation.xyz
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ropelatacadao.onlineReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uittttttttt17.sbs
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uittttttttt17.sbs/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uittttttttt17.sbs/sm05/www.hsg.xyz
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uittttttttt17.sbsReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uoding.lol
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uoding.lol/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uoding.lol/sm05/www.grexvc.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uoding.lolReferer:
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uoysbuddy.online
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uoysbuddy.online/sm05/
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uoysbuddy.online/sm05/www.irewood-2025-at.cfd
          Source: explorer.exe, 00000005.00000002.3533055672.000000000C572000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.uoysbuddy.onlineReferer:
          Source: explorer.exe, 00000005.00000003.2837050529.000000000C3A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3532687833.000000000C3A9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1074664532.000000000C33E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppe$BtUG
          Source: explorer.exe, 00000005.00000003.2837050529.000000000C3A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3532687833.000000000C3A9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1074664532.000000000C33E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000005.00000003.2837050529.000000000C3A6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3532687833.000000000C3A9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1074664532.000000000C33E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSS
          Source: explorer.exe, 00000005.00000002.3522948842.0000000003020000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1059868006.0000000003020000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000005.00000000.1065055721.0000000007255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.0000000007255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3526128767.0000000007255000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
          Source: explorer.exe, 00000005.00000000.1069029871.0000000008AF4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
          Source: explorer.exe, 00000005.00000002.3532625132.000000000C36B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2838294856.000000000C36A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2837949345.000000000C33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1074664532.000000000C33E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: svchost.exe, 0000000A.00000003.1203725709.000001F5E0A7A000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/Prod-C:
          Source: svchost.exe, 0000000A.00000003.1203725709.000001F5E0A00000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.10.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2-C:
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15G9PH.img
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hJkDs.img
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
          Source: explorer.exe, 00000005.00000002.3532625132.000000000C36B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2838294856.000000000C36A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2837949345.000000000C33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1074664532.000000000C33E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.comndo
          Source: explorer.exe, 00000005.00000002.3532562798.000000000C33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2837949345.000000000C33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1074664532.000000000C33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2839345188.000000000C33E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comeere
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000005.00000000.1070233476.0000000008B61000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/FB
          Source: explorer.exe, 00000005.00000002.3532625132.000000000C36B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2838294856.000000000C36A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2837949345.000000000C33E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1074664532.000000000C33E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com#
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/crime/one-dead-several-wounded-after-drive-by-shootings-in-south-la/a
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail-
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three-
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
          Source: explorer.exe, 00000005.00000002.3526128767.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2836119885.00000000071DD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1065055721.00000000071DD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443

          E-Banking Fraud

          Source: Yara match | File source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: 4lHZn6Ri2B.exe PID: 7136, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: 4lHZn6Ri2B.exe PID: 5152, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: Process Memory Space: NETSTAT.EXE PID: 6024, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116, Author: unknown
          Source: 4lHZn6Ri2B.exe, Form4.cs; Long String: Length: 169248
          Source: 5.2.explorer.exe.10b1f840.0.raw.unpack, Form4.cs; Long String: Length: 169248
          Source: 7.2.NETSTAT.EXE.344f840.3.raw.unpack, Form4.cs; Long String: Length: 169248
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_0041A330 NtCreateFile
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_0041A3E0 NtReadFile
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_0041A460 NtClose
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_0041A510 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_0041A32A NtCreateFile
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_0041A45A NtReadFile
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_0041A45E NtReadFile
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_0041A50A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562B60 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562D30 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562F90 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562FB0 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562E80 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01564340 NtSetContextThread
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01564650 NtSuspendThread
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562BE0 NtQueryValueKey
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562B80 NtQueryInformationFile
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562BA0 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562AF0 NtWriteFile
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562AB0 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562D00 NtSetInformationFile
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562DB0 NtEnumerateKey
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562C60 NtCreateKey
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562C00 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562CC0 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562CF0 NtOpenProcess
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562F60 NtCreateProcessEx
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562FA0 NtQuerySection
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562E30 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01562EE0 NtQueueApcThread
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01563010 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01563090 NtSetValueKey
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_015635C0 NtCreateMutant
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_015639B0 NtGetContextThread
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01563D70 NtOpenThread
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe; Code function: 4_2_01563D10 NtOpenProcessToken
          Source: C:\Windows\explorer.exe; Code function: 5_2_0E47AE12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe; Code function: 5_2_0E479232 NtCreateFile
          Source: C:\Windows\explorer.exe; Code function: 5_2_0E47AE0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72BE0 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72B60 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72C60 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F735C0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F74340 NtSetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F74650 NtSuspendThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72AF0 NtWriteFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72AB0 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72BA0 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72B80 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72EE0 NtQueueApcThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72E80 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72E30 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72FB0 NtResumeThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72FA0 NtQuerySection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72F90 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72F60 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72CF0 NtOpenProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72CC0 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72C00 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72DB0 NtEnumerateKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72D30 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F72D00 NtSetInformationFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F73090 NtSetValueKey
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F73010 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F739B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F73D70 NtOpenThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02F73D10 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_004CA330 NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_004CA3E0 NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_004CA460 NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_004CA510 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_004CA32A NtCreateFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_004CA45E NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_004CA45A NtReadFile
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_004CA50A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02D39BAF NtCreateSection, NtMapViewOfSection, NtMapViewOfSection, NtUnmapViewOfSection, NtClose
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02D3A036 NtQueryInformationProcess, NtSuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02D39BB2 NtCreateSection, NtMapViewOfSection, NtMapViewOfSection
          Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 7_2_02D3A042 NtQueryInformationProcess
          Source: C:\Windows\System32\svchost.exe; File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FE12ED7_2_02FE12ED
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F5B2C07_2_02F5B2C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F452A07_2_02F452A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F8739A7_2_02F8739A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F2D34C7_2_02F2D34C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FF132D7_2_02FF132D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FF70E97_2_02FF70E9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FFF0E07_2_02FFF0E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FEF0CC7_2_02FEF0CC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F470C07_2_02F470C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_0300B16B7_2_0300B16B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F4B1B07_2_02F4B1B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F2F1727_2_02F2F172
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F7516C7_2_02F7516C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FF16CC7_2_02FF16CC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F856307_2_02F85630
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FFF7B07_2_02FFF7B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F314607_2_02F31460
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FFF43F7_2_02FFF43F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_030095C37_2_030095C3
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FDD5B07_2_02FDD5B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FF75717_2_02FF7571
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FEDAC67_2_02FEDAC6
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FDDAAC7_2_02FDDAAC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F85AA07_2_02F85AA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FE1AA37_2_02FE1AA3
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FB3A6C7_2_02FB3A6C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FFFA497_2_02FFFA49
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FF7A467_2_02FF7A46
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FB5BF07_2_02FB5BF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F7DBF97_2_02F7DBF9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F5FB807_2_02F5FB80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FFFB767_2_02FFFB76
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F438E07_2_02F438E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FAD8007_2_02FAD800
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F499507_2_02F49950
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F5B9507_2_02F5B950
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FD59107_2_02FD5910
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F49EB07_2_02F49EB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FFFFB17_2_02FFFFB1
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F41F927_2_02F41F92
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FFFF097_2_02FFFF09
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FFFCF27_2_02FFFCF2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FB9C327_2_02FB9C32
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F5FDC07_2_02F5FDC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FF7D737_2_02FF7D73
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02FF1D5A7_2_02FF1D5A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02F43D407_2_02F43D40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_004CE6397_2_004CE639
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_004B2D8F7_2_004B2D8F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_004B2D877_2_004B2D87
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_004B2D907_2_004B2D90
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_004B9E5D7_2_004B9E5D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_004B9E607_2_004B9E60
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_004B2FB07_2_004B2FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02D3A0367_2_02D3A036
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02D3B2327_2_02D3B232
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02D35B327_2_02D35B32
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02D35B307_2_02D35B30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02D310827_2_02D31082
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02D389127_2_02D38912
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02D3E5CD7_2_02D3E5CD
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 7_2_02D32D027_2_02D32D02
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: String function: 01577E54 appears 102 times
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: String function: 0159EA12 appears 86 times
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: String function: 01565130 appears 58 times
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: String function: 0151B970 appears 280 times
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: String function: 015AF290 appears 105 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02FAEA12 appears 86 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02FBF290 appears 105 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02F75130 appears 58 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02F87E54 appears 111 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02F2B970 appears 280 times
Source: 4lHZn6Ri2B.exe, 00000000.00000002.1074938747.000000000BF90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe, 00000000.00000002.1055223625.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe, 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe, 00000000.00000000.1041801299.0000000000EE2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameOiHH.exeF vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe, 00000000.00000002.1072823352.0000000007E00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe, 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe, 00000004.00000002.1124190785.000000000161D000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe, 00000004.00000002.1123230922.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe, 00000004.00000002.1122612867.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe | Binary or memory string: OriginalFilenameOiHH.exeF vs 4lHZn6Ri2B.exe
Source: 4lHZn6Ri2B.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 4lHZn6Ri2B.exe PID: 7136, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: 4lHZn6Ri2B.exe PID: 5152, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: NETSTAT.EXE PID: 6024, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, fJS805xvOwLTE1auMB.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, fJS805xvOwLTE1auMB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, fJS805xvOwLTE1auMB.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, fJS805xvOwLTE1auMB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, fJS805xvOwLTE1auMB.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, fJS805xvOwLTE1auMB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@13/7@11/2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004F1CFC GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004F1C89 GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xqug4rmr.w1f.ps1
Source: 4lHZn6Ri2B.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4lHZn6Ri2B.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 4lHZn6Ri2B.exe | Virustotal: Detection: 79%
Source: 4lHZn6Ri2B.exe | ReversingLabs: Detection: 73%
Source: unknown | Process created: C:\Users\user\Desktop\4lHZn6Ri2B.exe "C:\Users\user\Desktop\4lHZn6Ri2B.exe"
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Process created: C:\Users\user\Desktop\4lHZn6Ri2B.exe "C:\Users\user\Desktop\4lHZn6Ri2B.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE "C:\Windows\SysWOW64\NETSTAT.EXE"
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\4lHZn6Ri2B.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\explorer.exe | Section loaded: wscinterop.dll
Source: C:\Windows\explorer.exe | Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe | Section loaded: werconcpl.dll
Source: C:\Windows\explorer.exe | Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe | Section loaded: wer.dll
Source: C:\Windows\explorer.exe | Section loaded: hcproviders.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: snmpapi.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Section loaded: wininet.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 4lHZn6Ri2B.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4lHZn6Ri2B.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 4lHZn6Ri2B.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: netstat.pdbGCTL source: 4lHZn6Ri2B.exe, 00000004.00000002.1123230922.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, 4lHZn6Ri2B.exe, 00000004.00000002.1122612867.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.3520289281.00000000004F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: OiHH.pdbSHA256 source: 4lHZn6Ri2B.exe
          Source: Binary string: netstat.pdb source: 4lHZn6Ri2B.exe, 00000004.00000002.1123230922.0000000000FC8000.00000004.00000020.00020000.00000000.sdmp, 4lHZn6Ri2B.exe, 00000004.00000002.1122612867.0000000000BF0000.00000040.10000000.00040000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000002.3520289281.00000000004F0000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: OiHH.pdb source: 4lHZn6Ri2B.exe
          Source: Binary string: wntdll.pdbUGP source: 4lHZn6Ri2B.exe, 00000004.00000002.1124190785.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.3522109574.000000000309E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.3522109574.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1122203307.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1124624064.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 4lHZn6Ri2B.exe, 4lHZn6Ri2B.exe, 00000004.00000002.1124190785.00000000014F0000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, NETSTAT.EXE, 00000007.00000002.3522109574.000000000309E000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000002.3522109574.0000000002F00000.00000040.00001000.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1122203307.0000000002B90000.00000004.00000020.00020000.00000000.sdmp, NETSTAT.EXE, 00000007.00000003.1124624064.0000000002D4F000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

Source: 4lHZn6Ri2B.exe, Form4.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.4lHZn6Ri2B.exe.7e00000.2.raw.unpack, RK.cs | .Net Code: _206F_200B_206F_206E_200F_206F_200F_202A_200D_200F_200F_202B_206F_200B_200B_200C_200B_200B_200E_206C_200F_206E_200E_206A_200F_200B_206B_206F_200F_206E_200F_200F_206D_206C_202C_202D_206F_202D_200B_202C_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | .Net Code: H38ZjaTlWv System.Reflection.Assembly.Load(byte[])
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | .Net Code: H38ZjaTlWv System.Reflection.Assembly.Load(byte[])
Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | .Net Code: H38ZjaTlWv System.Reflection.Assembly.Load(byte[])
Source: 5.2.explorer.exe.10b1f840.0.raw.unpack, Form4.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 7.2.NETSTAT.EXE.344f840.3.raw.unpack, Form4.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 4lHZn6Ri2B.exe | Static PE information: 0xEB28D466 [Sat Jan 8 10:39:34 2095 UTC]
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 0_2_07B9758F push cs; retf 0007h | 0_2_07B9759A
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 0_2_07B9757F push cs; retf 0007h | 0_2_07B9758A
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 0_2_07B9756F push cs; retf 0007h | 0_2_07B9757A
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_00417AC3 push ecx; iretd | 4_2_00417AB9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_00417A82 push ecx; iretd | 4_2_00417AB9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_00417C16 pushad ; retf | 4_2_00417C18
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0041D4D2 push eax; ret | 4_2_0041D4D8
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0041D4DB push eax; ret | 4_2_0041D542
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0041D485 push eax; ret | 4_2_0041D4D8
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_00417CA8 push esp; iretd | 4_2_00417CB5
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0041D53C push eax; ret | 4_2_0041D542
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_014F225F pushad ; ret | 4_2_014F27F9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_014F27FA pushad ; ret | 4_2_014F27F9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015209AD push ecx; mov dword ptr [esp], ecx | 4_2_015209B6
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_014F283D push eax; iretd | 4_2_014F2858
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_014F135E push eax; iretd | 4_2_014F1369
Source: C:\Windows\explorer.exe | Code function: 5_2_0E371B1E push esp; retn 0000h | 5_2_0E371B1F
Source: C:\Windows\explorer.exe | Code function: 5_2_0E371B02 push esp; retn 0000h | 5_2_0E371B03
Source: C:\Windows\explorer.exe | Code function: 5_2_0E3719B5 push esp; retn 0000h | 5_2_0E371AE7
Source: C:\Windows\explorer.exe | Code function: 5_2_0E47CB02 push esp; retn 0000h | 5_2_0E47CB03
Source: C:\Windows\explorer.exe | Code function: 5_2_0E47CB1E push esp; retn 0000h | 5_2_0E47CB1F
Source: C:\Windows\explorer.exe | Code function: 5_2_0E47C9B5 push esp; retn 0000h | 5_2_0E47CAE7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004F60DD push ecx; ret | 7_2_004F60F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_02F309AD push ecx; mov dword ptr [esp], ecx | 7_2_02F309B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004CE2E8 push ebx; retf | 7_2_004CE2EB
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004CE330 push cs; retf | 7_2_004CE331
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004CD4DB push eax; ret | 7_2_004CD542
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004CD4D2 push eax; ret | 7_2_004CD4D8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004CD485 push eax; ret | 7_2_004CD4D8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004CD53C push eax; ret | 7_2_004CD542
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 7_2_004C7AC3 push ecx; iretd | 7_2_004C7AB9
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, zLPlQjBdCtXQOe92Ru.cs | High entropy of concatenated method names: 'r0j4232whM', 'dV045Tipkr', 'FPN1D3vLB6', 'D5g1FNaMYt', 'mxp4NooZ1O', 'Lge4kxaJxE', 'XMP4mf5eKX', 'nn94YLYmxx', 'GyF47rod3q', 'w2V4lPMuyt'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, H2OcOyLimVyutdumq4.cs | High entropy of concatenated method names: 'CG1vu0F3qj', 'h9uvA9XRLY', 'lT3vyNWgHx', 'Foby5mawNn', 'JMoyzwYSrl', 'TqQvDhIL4d', 'wb5vF6qwLx', 'GrOvR0twMT', 'kdovn3Trt7', 'lMIvZjeEbs'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, OLhwLeFZgTuJrNMP5Rg.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zUl9EUZn9y', 'yIc9cgJrik', 'JQZ9t6xsqh', 'eO699P0RBq', 'e5n96tMRZA', 'pxj9Juyupm', 'feh9GxOaFu'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, ufcWCFdppTO514tLGJ.cs | High entropy of concatenated method names: 'mt1yf434Gv', 'KY0yCgFwhe', 'xmAyemot3y', 'uAxyvyUtyg', 'cXIyOanfZf', 'lXieauWjFW', 'E5EeBGWgpl', 'jv2e3qv05e', 'VBZe2lg7re', 'LydeHG7H5D'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, oyRsPWFRSE11XEAXNH8.cs | High entropy of concatenated method names: 'ToString', 'lUStxe38qk', 'dmrtMSElU7', 'GFVtPub2ma', 'DQ6tdO68Vg', 'HjrthFNBPd', 'N6BtqIi7YU', 'KaItWNWZwg', 'n3iRvQezncNNXu30dbs', 'wBLfNbGiU4TdNB05bYa'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | High entropy of concatenated method names: 'X1GnfZU2P2', 'cRfnufIDEr', 'RVgnC0eEoN', 'gJenAdKnmN', 'YqKneJ0TgW', 'XaenyJ1mYN', 'E6VnvvV4jL', 'ogEnOCnSk7', 'uuGnQIiEUM', 'qpdnpSJCtx'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, pEE0YC8n4TvRCT96dk.cs | High entropy of concatenated method names: 'gu0vgdLbIT', 'zGwvUNQpBR', 'G27vj1fegi', 'eZDvXkZuot', 'mxhvsHU6or', 'QucvVE3s4Z', 'D7ivwRIVvj', 'CBNvxBHRI1', 'JnavMQV3mV', 'gAevPG07V8'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, ec6jVB5WnaVUcce7eP.cs | High entropy of concatenated method names: 'goFcAUUSM4', 'MRXceYKUnT', 'aYCcy2UfYE', 'rrvcvkUhDM', 'bWNcEDaImP', 'KvycOiS4D0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, Fh2nSCSUyJqZhnkNBm.cs | High entropy of concatenated method names: 'p6WylAxLsK', 'vWPy0Dk3D2', 'nGLyaebAvS', 'ToString', 'KmGyBNk6fe', 'Bf4y3HL0Qx', 'oAj4lQwVssc4djGGoiv', 'LnPUVAwlZ5tad21S08q', 'H7FV1Ew8w7vFGPuIYQh'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, NkTJkZC81RntmPAd7m.cs | High entropy of concatenated method names: 'Dispose', 'dFpFHMTvjY', 'AOlRh9Gcrb', 'zIMKpOCAoU', 'CKZF56KSpR', 'FNuFzoFDvM', 'ProcessDialogKey', 'QxARDRaHVW', 'RHgRFI270h', 'zsmRRfc6jV'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, ab0rvHRF35uE3Vpnqe.cs | High entropy of concatenated method names: 'b5xjJ1ZnL', 'ks7Xb2CZK', 'tMyVgBS2q', 'G4LwEvWGO', 'zqrMSQtyW', 'I8qPh0GU3', 'GN4PQZp2TQd0f84vgF', 'K5fpUkhdCC0jfoH7DK', 'KKj1L3ZnT', 'KrvcJhHxZ'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, deaQKNzVFnecVP8bup.cs | High entropy of concatenated method names: 'ITHcVQNX04', 'iKRcxiF7Ic', 'teKcMEDYdE', 'GeDcdCEDNZ', 'tH7chAUFYj', 'aZlcWvh4QT', 'aQDcIbfle8', 'VLTcGgRAtR', 'eeTcgr3cDY', 'O9ScUJtQwL'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, uvKEC7FFaxD0ftYN5aT.cs | High entropy of concatenated method names: 'Xybc5AOh0r', 'ptsczCprqq', 'JIltDkj1qj', 'voQtFgOFxB', 'idptRX9nbv', 'UkBtniFcWC', 'QkStZjBOYB', 'yNVtfMkcex', 'kuxtuglVti', 'IhStCyUtnT'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, QNvMKpYpEaxUxmCc4i.cs | High entropy of concatenated method names: 'u6qKo5xJnw', 'rSNKkyJLdu', 'UY0KYLwOdi', 'otnK7sdN2j', 'loFKhvM4JQ', 'TyFKq3Y769', 'vv5KW7u6Bs', 'Vt1KIIvMQB', 'WpRKSIQ5IW', 'E8kKLxu8mP'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, fJS805xvOwLTE1auMB.cs | High entropy of concatenated method names: 'jPQCY9Di9a', 'jSwC7DLNJV', 'GD3ClEu8Zo', 'ctuC0aOood', 'DNxCaqR83r', 'dAYCBR94uU', 'UxKC3M8Bhy', 'w9MC2owTxC', 'lYTCHjXoEU', 'Hr0C5cT3Jm'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, dx3fJGFDbvSJHZgEfIB.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QmBcNTuxX1', 'r7Ock0oXPD', 'GNWcmeLM7J', 'lA9cYCidCn', 'zZdc714q7t', 'TYFcl3IbuW', 'uj2c0BU3V6'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, hRaHVWH7HgI270hjsm.cs | High entropy of concatenated method names: 'CMDEdESXqX', 'l0aEhSm46t', 'MyOEq3M45y', 'AUBEWRusDc', 'HLiEIWrKcp', 'IKBESyJ0Fx', 'EOHELFdlK1', 'SNCEbwfIGd', 'CvbE8s1pId', 'Yc0Eo1QqSR'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, hwWHSx3IjZFpMTvjYw.cs | High entropy of concatenated method names: 'sl1EKpXB6X', 'oHRE4fSS1R', 'Cv7EElfFfE', 'sR7EtYhuYA', 'TyuE6NGvPt', 'X4qEGjwtGb', 'Dispose', 'TGt1udwAvL', 'Kcl1CvBD7i', 'PkH1Aq5ZLr'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, fgoCirPAkYrUx34L6W.cs | High entropy of concatenated method names: 'WmVes8s6d0', 'v68ewkmIV3', 'LBDAqwgknb', 'aQsAWH2Qgq', 'ONqAInHnsw', 'ehAASVQOjP', 'z07ALPSqmy', 'qpBAbAfY2m', 'emCA8rqgkE', 'sbWAotPcTO'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, xuPy34ZrVwlQWCS8Hq.cs | High entropy of concatenated method names: 'JsuFvJS805', 'jOwFOLTE1a', 'v2sFparJKl', 'DqBFipugoC', 'W4LFK6W9fc', 'ICFFTppTO5', 'R3h7IZUOr86Fjb3Eyc', 'cwcKj9bxLsY411JIgb', 'P96FF58pI8', 'PNTFncE4F3'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, auQNSjlsC2wc6UUNIw.cs | High entropy of concatenated method names: 'ToString', 'JbYTNPPpt8', 'vylThqKGFT', 'xNRTqSUJWr', 'tlETWTZF2r', 'zupTIkiXjC', 'qD6TSmDrmB', 'BxwTLVa7CG', 'tPmTb48XVB', 'wdeT8tmleW'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, AnXZ9imeCSfGdKyMyN.cs | High entropy of concatenated method names: 'qNqrx6c3pR', 'NHgrMTOtnD', 'I2srdB9NNk', 'EmDrhCuK6g', 'QCUrWc4P1C', 'lK7rIfotaX', 'liArL1I8pP', 'w1krbLlH7s', 'a9WroBbluW', 'FVirNkj7Pc'
Source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, bvY7S6M2sarJKlwqBp.cs | High entropy of concatenated method names: 'LniAXhwQkk', 'JpkAV2OMHu', 'RmHAxeWLrv', 'fJeAMCUPfV', 'cgAAKSELKT', 'LqJATV4tlQ', 'Et6A4IA49P', 'a5WA1FkfPN', 'jvtAEQq3QW', 'sVkAcrp9Or'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, zLPlQjBdCtXQOe92Ru.cs | High entropy of concatenated method names: 'r0j4232whM', 'dV045Tipkr', 'FPN1D3vLB6', 'D5g1FNaMYt', 'mxp4NooZ1O', 'Lge4kxaJxE', 'XMP4mf5eKX', 'nn94YLYmxx', 'GyF47rod3q', 'w2V4lPMuyt'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, H2OcOyLimVyutdumq4.cs | High entropy of concatenated method names: 'CG1vu0F3qj', 'h9uvA9XRLY', 'lT3vyNWgHx', 'Foby5mawNn', 'JMoyzwYSrl', 'TqQvDhIL4d', 'wb5vF6qwLx', 'GrOvR0twMT', 'kdovn3Trt7', 'lMIvZjeEbs'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, OLhwLeFZgTuJrNMP5Rg.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zUl9EUZn9y', 'yIc9cgJrik', 'JQZ9t6xsqh', 'eO699P0RBq', 'e5n96tMRZA', 'pxj9Juyupm', 'feh9GxOaFu'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, ufcWCFdppTO514tLGJ.cs | High entropy of concatenated method names: 'mt1yf434Gv', 'KY0yCgFwhe', 'xmAyemot3y', 'uAxyvyUtyg', 'cXIyOanfZf', 'lXieauWjFW', 'E5EeBGWgpl', 'jv2e3qv05e', 'VBZe2lg7re', 'LydeHG7H5D'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, oyRsPWFRSE11XEAXNH8.cs | High entropy of concatenated method names: 'ToString', 'lUStxe38qk', 'dmrtMSElU7', 'GFVtPub2ma', 'DQ6tdO68Vg', 'HjrthFNBPd', 'N6BtqIi7YU', 'KaItWNWZwg', 'n3iRvQezncNNXu30dbs', 'wBLfNbGiU4TdNB05bYa'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, W4QaUEOOtkcYUbSKsl.cs | High entropy of concatenated method names: 'X1GnfZU2P2', 'cRfnufIDEr', 'RVgnC0eEoN', 'gJenAdKnmN', 'YqKneJ0TgW', 'XaenyJ1mYN', 'E6VnvvV4jL', 'ogEnOCnSk7', 'uuGnQIiEUM', 'qpdnpSJCtx'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, pEE0YC8n4TvRCT96dk.cs | High entropy of concatenated method names: 'gu0vgdLbIT', 'zGwvUNQpBR', 'G27vj1fegi', 'eZDvXkZuot', 'mxhvsHU6or', 'QucvVE3s4Z', 'D7ivwRIVvj', 'CBNvxBHRI1', 'JnavMQV3mV', 'gAevPG07V8'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, ec6jVB5WnaVUcce7eP.cs | High entropy of concatenated method names: 'goFcAUUSM4', 'MRXceYKUnT', 'aYCcy2UfYE', 'rrvcvkUhDM', 'bWNcEDaImP', 'KvycOiS4D0', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, Fh2nSCSUyJqZhnkNBm.cs | High entropy of concatenated method names: 'p6WylAxLsK', 'vWPy0Dk3D2', 'nGLyaebAvS', 'ToString', 'KmGyBNk6fe', 'Bf4y3HL0Qx', 'oAj4lQwVssc4djGGoiv', 'LnPUVAwlZ5tad21S08q', 'H7FV1Ew8w7vFGPuIYQh'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, NkTJkZC81RntmPAd7m.cs | High entropy of concatenated method names: 'Dispose', 'dFpFHMTvjY', 'AOlRh9Gcrb', 'zIMKpOCAoU', 'CKZF56KSpR', 'FNuFzoFDvM', 'ProcessDialogKey', 'QxARDRaHVW', 'RHgRFI270h', 'zsmRRfc6jV'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, ab0rvHRF35uE3Vpnqe.cs | High entropy of concatenated method names: 'b5xjJ1ZnL', 'ks7Xb2CZK', 'tMyVgBS2q', 'G4LwEvWGO', 'zqrMSQtyW', 'I8qPh0GU3', 'GN4PQZp2TQd0f84vgF', 'K5fpUkhdCC0jfoH7DK', 'KKj1L3ZnT', 'KrvcJhHxZ'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, deaQKNzVFnecVP8bup.cs | High entropy of concatenated method names: 'ITHcVQNX04', 'iKRcxiF7Ic', 'teKcMEDYdE', 'GeDcdCEDNZ', 'tH7chAUFYj', 'aZlcWvh4QT', 'aQDcIbfle8', 'VLTcGgRAtR', 'eeTcgr3cDY', 'O9ScUJtQwL'
Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, uvKEC7FFaxD0ftYN5aT.cs | High entropy of concatenated method names: 'Xybc5AOh0r', 'ptsczCprqq', 'JIltDkj1qj', 'voQtFgOFxB', 'idptRX9nbv', 'UkBtniFcWC', 'QkStZjBOYB', 'yNVtfMkcex', 'kuxtuglVti', 'IhStCyUtnT'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, QNvMKpYpEaxUxmCc4i.csHigh entropy of concatenated method names: 'u6qKo5xJnw', 'rSNKkyJLdu', 'UY0KYLwOdi', 'otnK7sdN2j', 'loFKhvM4JQ', 'TyFKq3Y769', 'vv5KW7u6Bs', 'Vt1KIIvMQB', 'WpRKSIQ5IW', 'E8kKLxu8mP'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, fJS805xvOwLTE1auMB.csHigh entropy of concatenated method names: 'jPQCY9Di9a', 'jSwC7DLNJV', 'GD3ClEu8Zo', 'ctuC0aOood', 'DNxCaqR83r', 'dAYCBR94uU', 'UxKC3M8Bhy', 'w9MC2owTxC', 'lYTCHjXoEU', 'Hr0C5cT3Jm'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, dx3fJGFDbvSJHZgEfIB.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QmBcNTuxX1', 'r7Ock0oXPD', 'GNWcmeLM7J', 'lA9cYCidCn', 'zZdc714q7t', 'TYFcl3IbuW', 'uj2c0BU3V6'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, hRaHVWH7HgI270hjsm.csHigh entropy of concatenated method names: 'CMDEdESXqX', 'l0aEhSm46t', 'MyOEq3M45y', 'AUBEWRusDc', 'HLiEIWrKcp', 'IKBESyJ0Fx', 'EOHELFdlK1', 'SNCEbwfIGd', 'CvbE8s1pId', 'Yc0Eo1QqSR'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, hwWHSx3IjZFpMTvjYw.csHigh entropy of concatenated method names: 'sl1EKpXB6X', 'oHRE4fSS1R', 'Cv7EElfFfE', 'sR7EtYhuYA', 'TyuE6NGvPt', 'X4qEGjwtGb', 'Dispose', 'TGt1udwAvL', 'Kcl1CvBD7i', 'PkH1Aq5ZLr'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, fgoCirPAkYrUx34L6W.csHigh entropy of concatenated method names: 'WmVes8s6d0', 'v68ewkmIV3', 'LBDAqwgknb', 'aQsAWH2Qgq', 'ONqAInHnsw', 'ehAASVQOjP', 'z07ALPSqmy', 'qpBAbAfY2m', 'emCA8rqgkE', 'sbWAotPcTO'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, xuPy34ZrVwlQWCS8Hq.csHigh entropy of concatenated method names: 'JsuFvJS805', 'jOwFOLTE1a', 'v2sFparJKl', 'DqBFipugoC', 'W4LFK6W9fc', 'ICFFTppTO5', 'R3h7IZUOr86Fjb3Eyc', 'cwcKj9bxLsY411JIgb', 'P96FF58pI8', 'PNTFncE4F3'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, auQNSjlsC2wc6UUNIw.csHigh entropy of concatenated method names: 'ToString', 'JbYTNPPpt8', 'vylThqKGFT', 'xNRTqSUJWr', 'tlETWTZF2r', 'zupTIkiXjC', 'qD6TSmDrmB', 'BxwTLVa7CG', 'tPmTb48XVB', 'wdeT8tmleW'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, AnXZ9imeCSfGdKyMyN.csHigh entropy of concatenated method names: 'qNqrx6c3pR', 'NHgrMTOtnD', 'I2srdB9NNk', 'EmDrhCuK6g', 'QCUrWc4P1C', 'lK7rIfotaX', 'liArL1I8pP', 'w1krbLlH7s', 'a9WroBbluW', 'FVirNkj7Pc'
          Source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, bvY7S6M2sarJKlwqBp.csHigh entropy of concatenated method names: 'LniAXhwQkk', 'JpkAV2OMHu', 'RmHAxeWLrv', 'fJeAMCUPfV', 'cgAAKSELKT', 'LqJATV4tlQ', 'Et6A4IA49P', 'a5WA1FkfPN', 'jvtAEQq3QW', 'sVkAcrp9Or'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, zLPlQjBdCtXQOe92Ru.csHigh entropy of concatenated method names: 'r0j4232whM', 'dV045Tipkr', 'FPN1D3vLB6', 'D5g1FNaMYt', 'mxp4NooZ1O', 'Lge4kxaJxE', 'XMP4mf5eKX', 'nn94YLYmxx', 'GyF47rod3q', 'w2V4lPMuyt'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, H2OcOyLimVyutdumq4.csHigh entropy of concatenated method names: 'CG1vu0F3qj', 'h9uvA9XRLY', 'lT3vyNWgHx', 'Foby5mawNn', 'JMoyzwYSrl', 'TqQvDhIL4d', 'wb5vF6qwLx', 'GrOvR0twMT', 'kdovn3Trt7', 'lMIvZjeEbs'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, OLhwLeFZgTuJrNMP5Rg.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zUl9EUZn9y', 'yIc9cgJrik', 'JQZ9t6xsqh', 'eO699P0RBq', 'e5n96tMRZA', 'pxj9Juyupm', 'feh9GxOaFu'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, ufcWCFdppTO514tLGJ.csHigh entropy of concatenated method names: 'mt1yf434Gv', 'KY0yCgFwhe', 'xmAyemot3y', 'uAxyvyUtyg', 'cXIyOanfZf', 'lXieauWjFW', 'E5EeBGWgpl', 'jv2e3qv05e', 'VBZe2lg7re', 'LydeHG7H5D'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, oyRsPWFRSE11XEAXNH8.csHigh entropy of concatenated method names: 'ToString', 'lUStxe38qk', 'dmrtMSElU7', 'GFVtPub2ma', 'DQ6tdO68Vg', 'HjrthFNBPd', 'N6BtqIi7YU', 'KaItWNWZwg', 'n3iRvQezncNNXu30dbs', 'wBLfNbGiU4TdNB05bYa'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, W4QaUEOOtkcYUbSKsl.csHigh entropy of concatenated method names: 'X1GnfZU2P2', 'cRfnufIDEr', 'RVgnC0eEoN', 'gJenAdKnmN', 'YqKneJ0TgW', 'XaenyJ1mYN', 'E6VnvvV4jL', 'ogEnOCnSk7', 'uuGnQIiEUM', 'qpdnpSJCtx'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, pEE0YC8n4TvRCT96dk.csHigh entropy of concatenated method names: 'gu0vgdLbIT', 'zGwvUNQpBR', 'G27vj1fegi', 'eZDvXkZuot', 'mxhvsHU6or', 'QucvVE3s4Z', 'D7ivwRIVvj', 'CBNvxBHRI1', 'JnavMQV3mV', 'gAevPG07V8'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, ec6jVB5WnaVUcce7eP.csHigh entropy of concatenated method names: 'goFcAUUSM4', 'MRXceYKUnT', 'aYCcy2UfYE', 'rrvcvkUhDM', 'bWNcEDaImP', 'KvycOiS4D0', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, Fh2nSCSUyJqZhnkNBm.csHigh entropy of concatenated method names: 'p6WylAxLsK', 'vWPy0Dk3D2', 'nGLyaebAvS', 'ToString', 'KmGyBNk6fe', 'Bf4y3HL0Qx', 'oAj4lQwVssc4djGGoiv', 'LnPUVAwlZ5tad21S08q', 'H7FV1Ew8w7vFGPuIYQh'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, NkTJkZC81RntmPAd7m.csHigh entropy of concatenated method names: 'Dispose', 'dFpFHMTvjY', 'AOlRh9Gcrb', 'zIMKpOCAoU', 'CKZF56KSpR', 'FNuFzoFDvM', 'ProcessDialogKey', 'QxARDRaHVW', 'RHgRFI270h', 'zsmRRfc6jV'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, ab0rvHRF35uE3Vpnqe.csHigh entropy of concatenated method names: 'b5xjJ1ZnL', 'ks7Xb2CZK', 'tMyVgBS2q', 'G4LwEvWGO', 'zqrMSQtyW', 'I8qPh0GU3', 'GN4PQZp2TQd0f84vgF', 'K5fpUkhdCC0jfoH7DK', 'KKj1L3ZnT', 'KrvcJhHxZ'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, deaQKNzVFnecVP8bup.csHigh entropy of concatenated method names: 'ITHcVQNX04', 'iKRcxiF7Ic', 'teKcMEDYdE', 'GeDcdCEDNZ', 'tH7chAUFYj', 'aZlcWvh4QT', 'aQDcIbfle8', 'VLTcGgRAtR', 'eeTcgr3cDY', 'O9ScUJtQwL'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, uvKEC7FFaxD0ftYN5aT.csHigh entropy of concatenated method names: 'Xybc5AOh0r', 'ptsczCprqq', 'JIltDkj1qj', 'voQtFgOFxB', 'idptRX9nbv', 'UkBtniFcWC', 'QkStZjBOYB', 'yNVtfMkcex', 'kuxtuglVti', 'IhStCyUtnT'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, QNvMKpYpEaxUxmCc4i.csHigh entropy of concatenated method names: 'u6qKo5xJnw', 'rSNKkyJLdu', 'UY0KYLwOdi', 'otnK7sdN2j', 'loFKhvM4JQ', 'TyFKq3Y769', 'vv5KW7u6Bs', 'Vt1KIIvMQB', 'WpRKSIQ5IW', 'E8kKLxu8mP'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, fJS805xvOwLTE1auMB.csHigh entropy of concatenated method names: 'jPQCY9Di9a', 'jSwC7DLNJV', 'GD3ClEu8Zo', 'ctuC0aOood', 'DNxCaqR83r', 'dAYCBR94uU', 'UxKC3M8Bhy', 'w9MC2owTxC', 'lYTCHjXoEU', 'Hr0C5cT3Jm'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, dx3fJGFDbvSJHZgEfIB.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'QmBcNTuxX1', 'r7Ock0oXPD', 'GNWcmeLM7J', 'lA9cYCidCn', 'zZdc714q7t', 'TYFcl3IbuW', 'uj2c0BU3V6'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, hRaHVWH7HgI270hjsm.csHigh entropy of concatenated method names: 'CMDEdESXqX', 'l0aEhSm46t', 'MyOEq3M45y', 'AUBEWRusDc', 'HLiEIWrKcp', 'IKBESyJ0Fx', 'EOHELFdlK1', 'SNCEbwfIGd', 'CvbE8s1pId', 'Yc0Eo1QqSR'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, hwWHSx3IjZFpMTvjYw.csHigh entropy of concatenated method names: 'sl1EKpXB6X', 'oHRE4fSS1R', 'Cv7EElfFfE', 'sR7EtYhuYA', 'TyuE6NGvPt', 'X4qEGjwtGb', 'Dispose', 'TGt1udwAvL', 'Kcl1CvBD7i', 'PkH1Aq5ZLr'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, fgoCirPAkYrUx34L6W.csHigh entropy of concatenated method names: 'WmVes8s6d0', 'v68ewkmIV3', 'LBDAqwgknb', 'aQsAWH2Qgq', 'ONqAInHnsw', 'ehAASVQOjP', 'z07ALPSqmy', 'qpBAbAfY2m', 'emCA8rqgkE', 'sbWAotPcTO'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, xuPy34ZrVwlQWCS8Hq.csHigh entropy of concatenated method names: 'JsuFvJS805', 'jOwFOLTE1a', 'v2sFparJKl', 'DqBFipugoC', 'W4LFK6W9fc', 'ICFFTppTO5', 'R3h7IZUOr86Fjb3Eyc', 'cwcKj9bxLsY411JIgb', 'P96FF58pI8', 'PNTFncE4F3'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, auQNSjlsC2wc6UUNIw.csHigh entropy of concatenated method names: 'ToString', 'JbYTNPPpt8', 'vylThqKGFT', 'xNRTqSUJWr', 'tlETWTZF2r', 'zupTIkiXjC', 'qD6TSmDrmB', 'BxwTLVa7CG', 'tPmTb48XVB', 'wdeT8tmleW'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, AnXZ9imeCSfGdKyMyN.csHigh entropy of concatenated method names: 'qNqrx6c3pR', 'NHgrMTOtnD', 'I2srdB9NNk', 'EmDrhCuK6g', 'QCUrWc4P1C', 'lK7rIfotaX', 'liArL1I8pP', 'w1krbLlH7s', 'a9WroBbluW', 'FVirNkj7Pc'
          Source: 0.2.4lHZn6Ri2B.exe.bf90000.3.raw.unpack, bvY7S6M2sarJKlwqBp.csHigh entropy of concatenated method names: 'LniAXhwQkk', 'JpkAV2OMHu', 'RmHAxeWLrv', 'fJeAMCUPfV', 'cgAAKSELKT', 'LqJATV4tlQ', 'Et6A4IA49P', 'a5WA1FkfPN', 'jvtAEQq3QW', 'sVkAcrp9Or'

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe, Process information set: NOOPENFILEERRORBOX (49 occurrences)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX (99 occurrences)
          Source: C:\Windows\explorer.exe, Process information set: NOOPENFILEERRORBOX (6 occurrences)
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe, Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: 4lHZn6Ri2B.exe PID: 7136, type: MEMORYSTR
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | API/Special instruction interceptor: Address: 7FFD3122D324
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | API/Special instruction interceptor: Address: 7FFD31230774
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | API/Special instruction interceptor: Address: 7FFD31230154
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | API/Special instruction interceptor: Address: 7FFD3122D8A4
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | API/Special instruction interceptor: Address: 7FFD3122DA44
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | API/Special instruction interceptor: Address: 7FFD3122D1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFD3122D324
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFD31230774
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFD3122D944
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFD3122D504
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFD3122D544
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFD3122D1E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFD31230154
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFD3122D8A4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API/Special instruction interceptor: Address: 7FFD3122DA44
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 4B9904 second address: 4B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\NETSTAT.EXE | RDTSC instruction interceptor: First address: 4B9B7E second address: 4B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: 32C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: 52C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: 96E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: A6E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: A8F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: B8F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: C010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: D010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Memory allocated: E010000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_00409AB0 rdtsc | 4_2_00409AB0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239890
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239781
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239616
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239500
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239351
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239234
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239125
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 238996
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Window / User API: threadDelayed 763
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Window / User API: threadDelayed 616
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6678
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3008
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 9752
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 885
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Window / User API: threadDelayed 9830
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | API coverage: 1.7 %
Source: C:\Windows\SysWOW64\NETSTAT.EXE | API coverage: 2.0 %
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -239890s >= -30000s
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -239781s >= -30000s
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -239616s >= -30000s
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -239500s >= -30000s
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -239351s >= -30000s
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -239234s >= -30000s
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -239125s >= -30000s
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe TID: 6432 | Thread sleep time: -238996s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5940 | Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\explorer.exe TID: 7136 | Thread sleep count: 9752 > 30
Source: C:\Windows\explorer.exe TID: 7136 | Thread sleep time: -19504000s >= -30000s
Source: C:\Windows\explorer.exe TID: 7136 | Thread sleep count: 184 > 30
Source: C:\Windows\explorer.exe TID: 7136 | Thread sleep time: -368000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5932 | Thread sleep count: 140 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5932 | Thread sleep time: -280000s >= -30000s
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5932 | Thread sleep count: 9830 > 30
Source: C:\Windows\SysWOW64\NETSTAT.EXE TID: 5932 | Thread sleep time: -19660000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6576 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6576 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Last function: Thread delayed
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 240000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239890
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239781
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239616
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239500
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239351
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239234
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 239125
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Thread delayed: delay time: 238996
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000005.00000002.3528137291.0000000008979000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2837116040.0000000008976000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2838856214.000000000897E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1069029871.0000000008975000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWD Loopback Controller
Source: explorer.exe, 00000005.00000000.1070233476.0000000008B61000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: _VMware_SATA_CD00#4&>
Source: explorer.exe, 00000005.00000000.1069029871.0000000008975000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000005.00000000.1058617487.0000000000C47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000k
Source: explorer.exe, 00000005.00000003.2837758655.0000000008BF1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}?
Source: 4lHZn6Ri2B.exe, 00000000.00000002.1072190326.0000000007AA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
Source: 4lHZn6Ri2B.exe, 00000000.00000002.1072190326.0000000007AA0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000005.00000002.3528137291.0000000008AA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3528137291.0000000008AF4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2838337750.0000000008ADA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1069029871.0000000008AA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2837116040.0000000008AF4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2837116040.0000000008AA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.1069029871.0000000008AF4000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 0000000A.00000002.2851920573.000001F5E0854000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000005.00000003.2835914008.0000000008CAB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000i\J
Source: explorer.exe, 00000005.00000002.3526128767.0000000007255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTrpVMWare
Source: explorer.exe, 00000005.00000002.3529105767.0000000008C65000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: svchost.exe, 0000000A.00000002.2849436252.000001F5DB22B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWP}
Source: explorer.exe, 00000005.00000000.1058617487.0000000000C47000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000005.00000003.2837758655.0000000008BF1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.1059868006.0000000003020000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process queried: DebugPort
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_00409AB0 rdtsc | 4_2_00409AB0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0040ACF0 LdrLoadDll, | 4_2_0040ACF0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015B8158 mov eax, dword ptr fs:[00000030h] | 4_2_015B8158
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01526154 mov eax, dword ptr fs:[00000030h] | 4_2_01526154
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01526154 mov eax, dword ptr fs:[00000030h] | 4_2_01526154
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151C156 mov eax, dword ptr fs:[00000030h] | 4_2_0151C156
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015B4144 mov eax, dword ptr fs:[00000030h] | 4_2_015B4144
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015B4144 mov eax, dword ptr fs:[00000030h] | 4_2_015B4144
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015B4144 mov ecx, dword ptr fs:[00000030h] | 4_2_015B4144
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015B4144 mov eax, dword ptr fs:[00000030h] | 4_2_015B4144
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015B4144 mov eax, dword ptr fs:[00000030h] | 4_2_015B4144
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CA118 mov ecx, dword ptr fs:[00000030h] | 4_2_015CA118
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CA118 mov eax, dword ptr fs:[00000030h] | 4_2_015CA118
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CA118 mov eax, dword ptr fs:[00000030h] | 4_2_015CA118
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CA118 mov eax, dword ptr fs:[00000030h] | 4_2_015CA118
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015E0115 mov eax, dword ptr fs:[00000030h] | 4_2_015E0115
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov eax, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov ecx, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov eax, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov eax, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov ecx, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov eax, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov eax, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov ecx, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov eax, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE10E mov ecx, dword ptr fs:[00000030h] | 4_2_015CE10E
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01550124 mov eax, dword ptr fs:[00000030h] | 4_2_01550124
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0159E1D0 mov eax, dword ptr fs:[00000030h] | 4_2_0159E1D0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0159E1D0 mov eax, dword ptr fs:[00000030h] | 4_2_0159E1D0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0159E1D0 mov ecx, dword ptr fs:[00000030h] | 4_2_0159E1D0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0159E1D0 mov eax, dword ptr fs:[00000030h] | 4_2_0159E1D0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0159E1D0 mov eax, dword ptr fs:[00000030h] | 4_2_0159E1D0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015E61C3 mov eax, dword ptr fs:[00000030h] | 4_2_015E61C3
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015E61C3 mov eax, dword ptr fs:[00000030h] | 4_2_015E61C3
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015501F8 mov eax, dword ptr fs:[00000030h] | 4_2_015501F8
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015F61E5 mov eax, dword ptr fs:[00000030h] | 4_2_015F61E5
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A019F mov eax, dword ptr fs:[00000030h] | 4_2_015A019F
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A019F mov eax, dword ptr fs:[00000030h] | 4_2_015A019F
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A019F mov eax, dword ptr fs:[00000030h] | 4_2_015A019F
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A019F mov eax, dword ptr fs:[00000030h] | 4_2_015A019F
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151A197 mov eax, dword ptr fs:[00000030h] | 4_2_0151A197
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151A197 mov eax, dword ptr fs:[00000030h] | 4_2_0151A197
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151A197 mov eax, dword ptr fs:[00000030h] | 4_2_0151A197
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01560185 mov eax, dword ptr fs:[00000030h] | 4_2_01560185
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015DC188 mov eax, dword ptr fs:[00000030h] | 4_2_015DC188
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015DC188 mov eax, dword ptr fs:[00000030h] | 4_2_015DC188
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C4180 mov eax, dword ptr fs:[00000030h] | 4_2_015C4180
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C4180 mov eax, dword ptr fs:[00000030h] | 4_2_015C4180
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01522050 mov eax, dword ptr fs:[00000030h] | 4_2_01522050
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A6050 mov eax, dword ptr fs:[00000030h] | 4_2_015A6050
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0154C073 mov eax, dword ptr fs:[00000030h] | 4_2_0154C073
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0153E016 mov eax, dword ptr fs:[00000030h] | 4_2_0153E016
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0153E016 mov eax, dword ptr fs:[00000030h] | 4_2_0153E016
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0153E016 mov eax, dword ptr fs:[00000030h] | 4_2_0153E016
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0153E016 mov eax, dword ptr fs:[00000030h] | 4_2_0153E016
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A4000 mov ecx, dword ptr fs:[00000030h] | 4_2_015A4000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C2000 mov eax, dword ptr fs:[00000030h] | 4_2_015C2000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C2000 mov eax, dword ptr fs:[00000030h] | 4_2_015C2000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C2000 mov eax, dword ptr fs:[00000030h] | 4_2_015C2000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C2000 mov eax, dword ptr fs:[00000030h] | 4_2_015C2000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C2000 mov eax, dword ptr fs:[00000030h] | 4_2_015C2000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C2000 mov eax, dword ptr fs:[00000030h] | 4_2_015C2000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C2000 mov eax, dword ptr fs:[00000030h] | 4_2_015C2000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C2000 mov eax, dword ptr fs:[00000030h] | 4_2_015C2000
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015B6030 mov eax, dword ptr fs:[00000030h] | 4_2_015B6030
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151A020 mov eax, dword ptr fs:[00000030h] | 4_2_0151A020
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151C020 mov eax, dword ptr fs:[00000030h] | 4_2_0151C020
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A20DE mov eax, dword ptr fs:[00000030h] | 4_2_015A20DE
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151C0F0 mov eax, dword ptr fs:[00000030h] | 4_2_0151C0F0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015620F0 mov ecx, dword ptr fs:[00000030h] | 4_2_015620F0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151A0E3 mov ecx, dword ptr fs:[00000030h] | 4_2_0151A0E3
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A60E0 mov eax, dword ptr fs:[00000030h] | 4_2_015A60E0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015280E9 mov eax, dword ptr fs:[00000030h] | 4_2_015280E9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0152208A mov eax, dword ptr fs:[00000030h] | 4_2_0152208A
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015E60B8 mov eax, dword ptr fs:[00000030h] | 4_2_015E60B8
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015E60B8 mov ecx, dword ptr fs:[00000030h] | 4_2_015E60B8
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015B80A8 mov eax, dword ptr fs:[00000030h] | 4_2_015B80A8
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A035C mov eax, dword ptr fs:[00000030h] | 4_2_015A035C
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A035C mov eax, dword ptr fs:[00000030h] | 4_2_015A035C
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A035C mov eax, dword ptr fs:[00000030h] | 4_2_015A035C
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A035C mov ecx, dword ptr fs:[00000030h] | 4_2_015A035C
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A035C mov eax, dword ptr fs:[00000030h] | 4_2_015A035C
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A035C mov eax, dword ptr fs:[00000030h] | 4_2_015A035C
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015EA352 mov eax, dword ptr fs:[00000030h] | 4_2_015EA352
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C8350 mov ecx, dword ptr fs:[00000030h] | 4_2_015C8350
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A2349 mov eax, dword ptr fs:[00000030h] | 4_2_015A2349
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C437C mov eax, dword ptr fs:[00000030h] | 4_2_015C437C
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151C310 mov ecx, dword ptr fs:[00000030h] | 4_2_0151C310
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01540310 mov ecx, dword ptr fs:[00000030h] | 4_2_01540310
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0155A30B mov eax, dword ptr fs:[00000030h] | 4_2_0155A30B
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0155A30B mov eax, dword ptr fs:[00000030h] | 4_2_0155A30B
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0155A30B mov eax, dword ptr fs:[00000030h] | 4_2_0155A30B
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE3DB mov eax, dword ptr fs:[00000030h] | 4_2_015CE3DB
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE3DB mov eax, dword ptr fs:[00000030h] | 4_2_015CE3DB
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE3DB mov ecx, dword ptr fs:[00000030h] | 4_2_015CE3DB
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015CE3DB mov eax, dword ptr fs:[00000030h] | 4_2_015CE3DB
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C43D4 mov eax, dword ptr fs:[00000030h] | 4_2_015C43D4
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015C43D4 mov eax, dword ptr fs:[00000030h] | 4_2_015C43D4
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015DC3CD mov eax, dword ptr fs:[00000030h] | 4_2_015DC3CD
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0152A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0152A3C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0152A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0152A3C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0152A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0152A3C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0152A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0152A3C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0152A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0152A3C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0152A3C0 mov eax, dword ptr fs:[00000030h] | 4_2_0152A3C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015283C0 mov eax, dword ptr fs:[00000030h] | 4_2_015283C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015283C0 mov eax, dword ptr fs:[00000030h] | 4_2_015283C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015283C0 mov eax, dword ptr fs:[00000030h] | 4_2_015283C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015283C0 mov eax, dword ptr fs:[00000030h] | 4_2_015283C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A63C0 mov eax, dword ptr fs:[00000030h] | 4_2_015A63C0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0153E3F0 mov eax, dword ptr fs:[00000030h] | 4_2_0153E3F0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0153E3F0 mov eax, dword ptr fs:[00000030h] | 4_2_0153E3F0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0153E3F0 mov eax, dword ptr fs:[00000030h] | 4_2_0153E3F0
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015563FF mov eax, dword ptr fs:[00000030h] | 4_2_015563FF
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015303E9 mov eax, dword ptr fs:[00000030h] | 4_2_015303E9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015303E9 mov eax, dword ptr fs:[00000030h] | 4_2_015303E9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015303E9 mov eax, dword ptr fs:[00000030h] | 4_2_015303E9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015303E9 mov eax, dword ptr fs:[00000030h] | 4_2_015303E9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015303E9 mov eax, dword ptr fs:[00000030h] | 4_2_015303E9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015303E9 mov eax, dword ptr fs:[00000030h] | 4_2_015303E9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015303E9 mov eax, dword ptr fs:[00000030h] | 4_2_015303E9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015303E9 mov eax, dword ptr fs:[00000030h] | 4_2_015303E9
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01518397 mov eax, dword ptr fs:[00000030h] | 4_2_01518397
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01518397 mov eax, dword ptr fs:[00000030h] | 4_2_01518397
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01518397 mov eax, dword ptr fs:[00000030h] | 4_2_01518397
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151E388 mov eax, dword ptr fs:[00000030h] | 4_2_0151E388
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151E388 mov eax, dword ptr fs:[00000030h] | 4_2_0151E388
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151E388 mov eax, dword ptr fs:[00000030h] | 4_2_0151E388
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0154438F mov eax, dword ptr fs:[00000030h] | 4_2_0154438F
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0154438F mov eax, dword ptr fs:[00000030h] | 4_2_0154438F
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_0151A250 mov eax, dword ptr fs:[00000030h] | 4_2_0151A250
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_01526259 mov eax, dword ptr fs:[00000030h] | 4_2_01526259
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015DA250 mov eax, dword ptr fs:[00000030h] | 4_2_015DA250
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015DA250 mov eax, dword ptr fs:[00000030h] | 4_2_015DA250
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A8243 mov eax, dword ptr fs:[00000030h] | 4_2_015A8243
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015A8243 mov ecx, dword ptr fs:[00000030h] | 4_2_015A8243
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h] | 4_2_015D0274
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h] | 4_2_015D0274
Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe | Code function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h] | 4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h]4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h]4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h]4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h]4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h]4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h]4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h]4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h]4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D0274 mov eax, dword ptr fs:[00000030h]4_2_015D0274
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01524260 mov eax, dword ptr fs:[00000030h]4_2_01524260
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01524260 mov eax, dword ptr fs:[00000030h]4_2_01524260
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01524260 mov eax, dword ptr fs:[00000030h]4_2_01524260
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0151826B mov eax, dword ptr fs:[00000030h]4_2_0151826B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0151823B mov eax, dword ptr fs:[00000030h]4_2_0151823B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A2C3 mov eax, dword ptr fs:[00000030h]4_2_0152A2C3
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A2C3 mov eax, dword ptr fs:[00000030h]4_2_0152A2C3
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A2C3 mov eax, dword ptr fs:[00000030h]4_2_0152A2C3
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A2C3 mov eax, dword ptr fs:[00000030h]4_2_0152A2C3
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A2C3 mov eax, dword ptr fs:[00000030h]4_2_0152A2C3
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015302E1 mov eax, dword ptr fs:[00000030h]4_2_015302E1
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015302E1 mov eax, dword ptr fs:[00000030h]4_2_015302E1
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015302E1 mov eax, dword ptr fs:[00000030h]4_2_015302E1
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E284 mov eax, dword ptr fs:[00000030h]4_2_0155E284
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E284 mov eax, dword ptr fs:[00000030h]4_2_0155E284
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A0283 mov eax, dword ptr fs:[00000030h]4_2_015A0283
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A0283 mov eax, dword ptr fs:[00000030h]4_2_015A0283
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A0283 mov eax, dword ptr fs:[00000030h]4_2_015A0283
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015302A0 mov eax, dword ptr fs:[00000030h]4_2_015302A0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015302A0 mov eax, dword ptr fs:[00000030h]4_2_015302A0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015B62A0 mov eax, dword ptr fs:[00000030h]4_2_015B62A0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015B62A0 mov ecx, dword ptr fs:[00000030h]4_2_015B62A0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015B62A0 mov eax, dword ptr fs:[00000030h]4_2_015B62A0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015B62A0 mov eax, dword ptr fs:[00000030h]4_2_015B62A0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015B62A0 mov eax, dword ptr fs:[00000030h]4_2_015B62A0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015B62A0 mov eax, dword ptr fs:[00000030h]4_2_015B62A0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01528550 mov eax, dword ptr fs:[00000030h]4_2_01528550
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01528550 mov eax, dword ptr fs:[00000030h]4_2_01528550
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155656A mov eax, dword ptr fs:[00000030h]4_2_0155656A
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155656A mov eax, dword ptr fs:[00000030h]4_2_0155656A
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155656A mov eax, dword ptr fs:[00000030h]4_2_0155656A
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015B6500 mov eax, dword ptr fs:[00000030h]4_2_015B6500
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015F4500 mov eax, dword ptr fs:[00000030h]4_2_015F4500
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015F4500 mov eax, dword ptr fs:[00000030h]4_2_015F4500
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015F4500 mov eax, dword ptr fs:[00000030h]4_2_015F4500
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015F4500 mov eax, dword ptr fs:[00000030h]4_2_015F4500
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015F4500 mov eax, dword ptr fs:[00000030h]4_2_015F4500
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015F4500 mov eax, dword ptr fs:[00000030h]4_2_015F4500
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015F4500 mov eax, dword ptr fs:[00000030h]4_2_015F4500
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530535 mov eax, dword ptr fs:[00000030h]4_2_01530535
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530535 mov eax, dword ptr fs:[00000030h]4_2_01530535
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530535 mov eax, dword ptr fs:[00000030h]4_2_01530535
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530535 mov eax, dword ptr fs:[00000030h]4_2_01530535
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530535 mov eax, dword ptr fs:[00000030h]4_2_01530535
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530535 mov eax, dword ptr fs:[00000030h]4_2_01530535
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E53E mov eax, dword ptr fs:[00000030h]4_2_0154E53E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E53E mov eax, dword ptr fs:[00000030h]4_2_0154E53E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E53E mov eax, dword ptr fs:[00000030h]4_2_0154E53E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E53E mov eax, dword ptr fs:[00000030h]4_2_0154E53E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E53E mov eax, dword ptr fs:[00000030h]4_2_0154E53E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015265D0 mov eax, dword ptr fs:[00000030h]4_2_015265D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155A5D0 mov eax, dword ptr fs:[00000030h]4_2_0155A5D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155A5D0 mov eax, dword ptr fs:[00000030h]4_2_0155A5D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E5CF mov eax, dword ptr fs:[00000030h]4_2_0155E5CF
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E5CF mov eax, dword ptr fs:[00000030h]4_2_0155E5CF
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015225E0 mov eax, dword ptr fs:[00000030h]4_2_015225E0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E5E7 mov eax, dword ptr fs:[00000030h]4_2_0154E5E7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E5E7 mov eax, dword ptr fs:[00000030h]4_2_0154E5E7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E5E7 mov eax, dword ptr fs:[00000030h]4_2_0154E5E7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E5E7 mov eax, dword ptr fs:[00000030h]4_2_0154E5E7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E5E7 mov eax, dword ptr fs:[00000030h]4_2_0154E5E7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E5E7 mov eax, dword ptr fs:[00000030h]4_2_0154E5E7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E5E7 mov eax, dword ptr fs:[00000030h]4_2_0154E5E7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154E5E7 mov eax, dword ptr fs:[00000030h]4_2_0154E5E7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155C5ED mov eax, dword ptr fs:[00000030h]4_2_0155C5ED
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155C5ED mov eax, dword ptr fs:[00000030h]4_2_0155C5ED
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E59C mov eax, dword ptr fs:[00000030h]4_2_0155E59C
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01522582 mov eax, dword ptr fs:[00000030h]4_2_01522582
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01522582 mov ecx, dword ptr fs:[00000030h]4_2_01522582
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01554588 mov eax, dword ptr fs:[00000030h]4_2_01554588
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015445B1 mov eax, dword ptr fs:[00000030h]4_2_015445B1
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015445B1 mov eax, dword ptr fs:[00000030h]4_2_015445B1
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A05A7 mov eax, dword ptr fs:[00000030h]4_2_015A05A7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A05A7 mov eax, dword ptr fs:[00000030h]4_2_015A05A7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A05A7 mov eax, dword ptr fs:[00000030h]4_2_015A05A7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015DA456 mov eax, dword ptr fs:[00000030h]4_2_015DA456
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0151645D mov eax, dword ptr fs:[00000030h]4_2_0151645D
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154245A mov eax, dword ptr fs:[00000030h]4_2_0154245A
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E443 mov eax, dword ptr fs:[00000030h]4_2_0155E443
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E443 mov eax, dword ptr fs:[00000030h]4_2_0155E443
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E443 mov eax, dword ptr fs:[00000030h]4_2_0155E443
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E443 mov eax, dword ptr fs:[00000030h]4_2_0155E443
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E443 mov eax, dword ptr fs:[00000030h]4_2_0155E443
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E443 mov eax, dword ptr fs:[00000030h]4_2_0155E443
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E443 mov eax, dword ptr fs:[00000030h]4_2_0155E443
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155E443 mov eax, dword ptr fs:[00000030h]4_2_0155E443
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154A470 mov eax, dword ptr fs:[00000030h]4_2_0154A470
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154A470 mov eax, dword ptr fs:[00000030h]4_2_0154A470
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0154A470 mov eax, dword ptr fs:[00000030h]4_2_0154A470
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015AC460 mov ecx, dword ptr fs:[00000030h]4_2_015AC460
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01558402 mov eax, dword ptr fs:[00000030h]4_2_01558402
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01558402 mov eax, dword ptr fs:[00000030h]4_2_01558402
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01558402 mov eax, dword ptr fs:[00000030h]4_2_01558402
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155A430 mov eax, dword ptr fs:[00000030h]4_2_0155A430
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0151E420 mov eax, dword ptr fs:[00000030h]4_2_0151E420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0151E420 mov eax, dword ptr fs:[00000030h]4_2_0151E420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0151E420 mov eax, dword ptr fs:[00000030h]4_2_0151E420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0151C427 mov eax, dword ptr fs:[00000030h]4_2_0151C427
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A6420 mov eax, dword ptr fs:[00000030h]4_2_015A6420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A6420 mov eax, dword ptr fs:[00000030h]4_2_015A6420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A6420 mov eax, dword ptr fs:[00000030h]4_2_015A6420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A6420 mov eax, dword ptr fs:[00000030h]4_2_015A6420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A6420 mov eax, dword ptr fs:[00000030h]4_2_015A6420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A6420 mov eax, dword ptr fs:[00000030h]4_2_015A6420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A6420 mov eax, dword ptr fs:[00000030h]4_2_015A6420
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015204E5 mov ecx, dword ptr fs:[00000030h]4_2_015204E5
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015DA49A mov eax, dword ptr fs:[00000030h]4_2_015DA49A
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015544B0 mov ecx, dword ptr fs:[00000030h]4_2_015544B0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015AA4B0 mov eax, dword ptr fs:[00000030h]4_2_015AA4B0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015264AB mov eax, dword ptr fs:[00000030h]4_2_015264AB
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01520750 mov eax, dword ptr fs:[00000030h]4_2_01520750
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01562750 mov eax, dword ptr fs:[00000030h]4_2_01562750
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01562750 mov eax, dword ptr fs:[00000030h]4_2_01562750
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015AE75D mov eax, dword ptr fs:[00000030h]4_2_015AE75D
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A4755 mov eax, dword ptr fs:[00000030h]4_2_015A4755
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155674D mov esi, dword ptr fs:[00000030h]4_2_0155674D
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155674D mov eax, dword ptr fs:[00000030h]4_2_0155674D
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155674D mov eax, dword ptr fs:[00000030h]4_2_0155674D
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01528770 mov eax, dword ptr fs:[00000030h]4_2_01528770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01530770 mov eax, dword ptr fs:[00000030h]4_2_01530770
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01520710 mov eax, dword ptr fs:[00000030h]4_2_01520710
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01550710 mov eax, dword ptr fs:[00000030h]4_2_01550710
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155C700 mov eax, dword ptr fs:[00000030h]4_2_0155C700
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155273C mov eax, dword ptr fs:[00000030h]4_2_0155273C
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155273C mov ecx, dword ptr fs:[00000030h]4_2_0155273C
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155273C mov eax, dword ptr fs:[00000030h]4_2_0155273C
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0159C730 mov eax, dword ptr fs:[00000030h]4_2_0159C730
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155C720 mov eax, dword ptr fs:[00000030h]4_2_0155C720
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155C720 mov eax, dword ptr fs:[00000030h]4_2_0155C720
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152C7C0 mov eax, dword ptr fs:[00000030h]4_2_0152C7C0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A07C3 mov eax, dword ptr fs:[00000030h]4_2_015A07C3
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015247FB mov eax, dword ptr fs:[00000030h]4_2_015247FB
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015247FB mov eax, dword ptr fs:[00000030h]4_2_015247FB
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015427ED mov eax, dword ptr fs:[00000030h]4_2_015427ED
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015427ED mov eax, dword ptr fs:[00000030h]4_2_015427ED
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015427ED mov eax, dword ptr fs:[00000030h]4_2_015427ED
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015AE7E1 mov eax, dword ptr fs:[00000030h]4_2_015AE7E1
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015C678E mov eax, dword ptr fs:[00000030h]4_2_015C678E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015207AF mov eax, dword ptr fs:[00000030h]4_2_015207AF
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015D47A0 mov eax, dword ptr fs:[00000030h]4_2_015D47A0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0153C640 mov eax, dword ptr fs:[00000030h]4_2_0153C640
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01552674 mov eax, dword ptr fs:[00000030h]4_2_01552674
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015E866E mov eax, dword ptr fs:[00000030h]4_2_015E866E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015E866E mov eax, dword ptr fs:[00000030h]4_2_015E866E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155A660 mov eax, dword ptr fs:[00000030h]4_2_0155A660
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155A660 mov eax, dword ptr fs:[00000030h]4_2_0155A660
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01562619 mov eax, dword ptr fs:[00000030h]4_2_01562619
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0159E609 mov eax, dword ptr fs:[00000030h]4_2_0159E609
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0153260B mov eax, dword ptr fs:[00000030h]4_2_0153260B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0153260B mov eax, dword ptr fs:[00000030h]4_2_0153260B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0153260B mov eax, dword ptr fs:[00000030h]4_2_0153260B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0153260B mov eax, dword ptr fs:[00000030h]4_2_0153260B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0153260B mov eax, dword ptr fs:[00000030h]4_2_0153260B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0153260B mov eax, dword ptr fs:[00000030h]4_2_0153260B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0153260B mov eax, dword ptr fs:[00000030h]4_2_0153260B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0153E627 mov eax, dword ptr fs:[00000030h]4_2_0153E627
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01556620 mov eax, dword ptr fs:[00000030h]4_2_01556620
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01558620 mov eax, dword ptr fs:[00000030h]4_2_01558620
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152262C mov eax, dword ptr fs:[00000030h]4_2_0152262C
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155A6C7 mov ebx, dword ptr fs:[00000030h]4_2_0155A6C7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155A6C7 mov eax, dword ptr fs:[00000030h]4_2_0155A6C7
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0159E6F2 mov eax, dword ptr fs:[00000030h]4_2_0159E6F2
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0159E6F2 mov eax, dword ptr fs:[00000030h]4_2_0159E6F2
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0159E6F2 mov eax, dword ptr fs:[00000030h]4_2_0159E6F2
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0159E6F2 mov eax, dword ptr fs:[00000030h]4_2_0159E6F2
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A06F1 mov eax, dword ptr fs:[00000030h]4_2_015A06F1
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A06F1 mov eax, dword ptr fs:[00000030h]4_2_015A06F1
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01524690 mov eax, dword ptr fs:[00000030h]4_2_01524690
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01524690 mov eax, dword ptr fs:[00000030h]4_2_01524690
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015566B0 mov eax, dword ptr fs:[00000030h]4_2_015566B0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0155C6A6 mov eax, dword ptr fs:[00000030h]4_2_0155C6A6
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A0946 mov eax, dword ptr fs:[00000030h]4_2_015A0946
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015C4978 mov eax, dword ptr fs:[00000030h]4_2_015C4978
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015C4978 mov eax, dword ptr fs:[00000030h]4_2_015C4978
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015AC97C mov eax, dword ptr fs:[00000030h]4_2_015AC97C
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01546962 mov eax, dword ptr fs:[00000030h]4_2_01546962
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01546962 mov eax, dword ptr fs:[00000030h]4_2_01546962
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01546962 mov eax, dword ptr fs:[00000030h]4_2_01546962
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0156096E mov eax, dword ptr fs:[00000030h]4_2_0156096E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0156096E mov edx, dword ptr fs:[00000030h]4_2_0156096E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0156096E mov eax, dword ptr fs:[00000030h]4_2_0156096E
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015AC912 mov eax, dword ptr fs:[00000030h]4_2_015AC912
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01518918 mov eax, dword ptr fs:[00000030h]4_2_01518918
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_01518918 mov eax, dword ptr fs:[00000030h]4_2_01518918
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0159E908 mov eax, dword ptr fs:[00000030h]4_2_0159E908
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0159E908 mov eax, dword ptr fs:[00000030h]4_2_0159E908
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015A892A mov eax, dword ptr fs:[00000030h]4_2_015A892A
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015B892B mov eax, dword ptr fs:[00000030h]4_2_015B892B
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A9D0 mov eax, dword ptr fs:[00000030h]4_2_0152A9D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A9D0 mov eax, dword ptr fs:[00000030h]4_2_0152A9D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A9D0 mov eax, dword ptr fs:[00000030h]4_2_0152A9D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A9D0 mov eax, dword ptr fs:[00000030h]4_2_0152A9D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A9D0 mov eax, dword ptr fs:[00000030h]4_2_0152A9D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_0152A9D0 mov eax, dword ptr fs:[00000030h]4_2_0152A9D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015549D0 mov eax, dword ptr fs:[00000030h]4_2_015549D0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015EA9D3 mov eax, dword ptr fs:[00000030h]4_2_015EA9D3
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015B69C0 mov eax, dword ptr fs:[00000030h]4_2_015B69C0
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exeCode function: 4_2_015529F9 mov eax, dword ptr fs:[00000030h]4_2_015529F9
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015529F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015AE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015A89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015A89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015329A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015209AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01550854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01524859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01532840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015AE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015B6870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015AC810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01542835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01542835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0155A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015C483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0154E8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0155C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015EA8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015AC89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01520887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015CEB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015D4B4B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015B6B40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015EAB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015C8B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0151CB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0159EB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0154EB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015E8B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015CEBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01540BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01520BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01528BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0154EBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015ACBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01530BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015D4BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01526A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01530A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0159CA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0155CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015CEA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015ACA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01544A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0155CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0155CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0154EA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01520AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01554AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01576ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0155AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01558A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_0152EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_015F4A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01528AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01576AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01520D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Code function: 4_2_01528D59 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_004F2167 GetProcessHeap,htons,htons,InternalGetTcpTableWithOwnerModule,htons,htons,InternalGetTcpTable2,htons,htons,HeapFree,InternalGetBoundTcpEndpointTable,htons,htons,HeapFree,htons,htons,InternalGetTcp6TableWithOwnerModule,htons,htons,InternalGetTcp6Table2,htons,htons,HeapFree,InternalGetBoundTcp6EndpointTable,htons,htons,HeapFree,InternalGetUdpTableWithOwnerModule,htons,HeapFree,InternalGetUdp6TableWithOwnerModule,htons,HeapFree
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_004F5DC0 SetUnhandledExceptionFilter
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_004F5C30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe"
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe NtClose: Indirect: 0x14BA56C
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe NtQueueApcThread: Indirect: 0x14BA4F2
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Memory written: C:\Users\user\Desktop\4lHZn6Ri2B.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Section loaded: NULL target: C:\Windows\SysWOW64\NETSTAT.EXE protection: execute and read and write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Thread register set: target process: 2528
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Thread register set: target process: 2528
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Section unmapped: C:\Windows\SysWOW64\NETSTAT.EXE base address: 4F0000
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_004F38D2 memset,OpenProcess,K32GetModuleBaseNameW,CompareStringW,CompareStringW,GetSystemDirectoryW,LoadLibraryExW,GetProcAddress,K32GetModuleBaseNameW,CloseHandle,LocalFree,FreeLibrary, svchost.exe
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\4lHZn6Ri2B.exe"
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Process created: C:\Users\user\Desktop\4lHZn6Ri2B.exe "C:\Users\user\Desktop\4lHZn6Ri2B.exe"
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\4lHZn6Ri2B.exe"
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_004F58B6 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
          Source: explorer.exe, 00000005.00000000.1062521266.00000000045E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3521645519.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1058975280.00000000011B1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000002.3521645519.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1058975280.00000000011B1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000002.3521645519.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1058975280.00000000011B1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: ?Program Manager
          Source: explorer.exe, 00000005.00000000.1058617487.0000000000C20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3520878054.0000000000C20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman
          Source: explorer.exe, 00000005.00000002.3521645519.00000000011B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.1058975280.00000000011B1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.1070233476.0000000008CAB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.3529105767.0000000008CAB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000003.2835914008.0000000008CAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndQE
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Queries volume information: C:\Users\user\Desktop\4lHZn6Ri2B.exe VolumeInformation
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\svchost.exe Queries volume information: unknown VolumeInformation
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 7_2_004F5FE5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
          Source: C:\Users\user\Desktop\4lHZn6Ri2B.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

Source: Yara match | File source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 4.2.4lHZn6Ri2B.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.4lHZn6Ri2B.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4lHZn6Ri2B.exe.4ddec10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4lHZn6Ri2B.exe.4d6bff0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3520154106.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3521233716.0000000002B50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1066684814.00000000042C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1121066600.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3521121426.0000000002B20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1066684814.0000000004B8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function 7_2_004F4B96: fprintf, GetUdpStatisticsEx, GetIpStatisticsEx, SnmpUtilMemAlloc, fprintf, fprintf, SnmpUtilMemFree, fprintf, fprintf, SnmpUtilMemAlloc, SnmpUtilOidCpy, SnmpUtilVarBindFree, SnmpUtilVarBindFree, SnmpUtilVarBindFree, SnmpUtilVarBindFree, GetIcmpStatisticsEx, GetTcpStatisticsEx
MITRE ATT&CK Matrix

Techniques are listed per tactic column; a number in parentheses is the match count badge shown next to that technique in the report.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses, Network Security Appliances
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure, Domains
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise, Compromise Software Dependencies and Development Tools
Execution: Shared Modules (1), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell, AppleScript
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Privilege Escalation: Access Token Manipulation (1), Process Injection (522), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron, Launchd
Defense Evasion: Masquerading (1), Disable or Modify Tools (11), Virtualization/Sandbox Evasion (51), Access Token Manipulation (1), Process Injection (522), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (3), Software Packing (1), Timestomp (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing, Input Capture
Discovery: System Time Discovery (1), Security Software Discovery (241), Process Discovery (2), Virtualization/Sandbox Evasion (51), Application Window Discovery (1), System Network Configuration Discovery (1), System Network Connections Discovery (1), File and Directory Discovery (1), System Information Discovery (223), Network Service Discovery, System Network Connections Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot, Software Deployment Tools
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging, Remote Data Staging
Command and Control: Encrypted Channel (12), Non-Application Layer Protocol (1), Application Layer Protocol (12), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols, Mail Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol, Exfiltration Over Unencrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement, Firmware Corruption
Behavior Graph (ID: 1634881) | Sample: 4lHZn6Ri2B.exe | Start date: 11/03/2025 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 9 other signatures
Contacted domains: www.hsg.xyz (Performs DNS queries to domains with low reputation); www.uoysbuddy.online; 9 other IPs or domains

Process tree recovered from the graph:

• 4lHZn6Ri2B.exe (started): Adds a directory exclusion to Windows Defender; Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces
  • 4lHZn6Ri2B.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    • explorer.exe (injected): connects to 204.79.197.203:443 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); Uses netstat to query active network connections and open ports
      • NETSTAT.EXE (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
        • cmd.exe (started)
          • conhost.exe (started)
  • powershell.exe (started): Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)
• svchost.exe (started): 127.0.0.1 (unknown)

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.