Analysis Report SecuriteInfo.com.Fareit-FST36F52D915DF6.4070

Overview

General Information

Sample Name: SecuriteInfo.com.Fareit-FST36F52D915DF6.4070 (renamed file extension from 4070 to exe)
Analysis ID: 278883
MD5: 36f52d915df68631a4b713f15021c4d6
SHA1: e1c22e4bfaffe9772e81590b255f82824ca56a72
SHA256: 90a94255c2017221edd00cc99acd98a33e112e1182d9fd146d6a4ad9aa96921e

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • SecuriteInfo.com.Fareit-FST36F52D915DF6.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe' MD5: 36F52D915DF68631A4B713F15021C4D6)
    • SecuriteInfo.com.Fareit-FST36F52D915DF6.exe (PID: 6388 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe' MD5: 36F52D915DF68631A4B713F15021C4D6)
      • Morningsu.exe (PID: 6128 cmdline: 'C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe' MD5: 36F52D915DF68631A4B713F15021C4D6)
        • Morningsu.exe (PID: 6548 cmdline: 'C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe' MD5: 36F52D915DF68631A4B713F15021C4D6)
          • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
            • cmstp.exe (PID: 2940 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
              • cmd.exe (PID: 6348 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
                • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • wscript.exe (PID: 5720 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
            • autochk.exe (PID: 5664 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
            • raserver.exe (PID: 4476 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
  • wscript.exe (PID: 6812 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Morningsu.exe (PID: 1416 cmdline: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe MD5: 36F52D915DF68631A4B713F15021C4D6)
      • Morningsu.exe (PID: 4144 cmdline: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe MD5: 36F52D915DF68631A4B713F15021C4D6)
  • wscript.exe (PID: 6940 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • Morningsu.exe (PID: 6172 cmdline: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe MD5: 36F52D915DF68631A4B713F15021C4D6)
      • Morningsu.exe (PID: 5516 cmdline: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe MD5: 36F52D915DF68631A4B713F15021C4D6)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x157b9:$sqlite3step: 68 34 1C 7B E1
  • 0x158cc:$sqlite3step: 68 34 1C 7B E1
  • 0x157e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1590d:$sqlite3text: 68 38 2A 90 C5
  • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000002.463634844.000000000054B000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth |
  • 0x17c64:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000014.00000002.466460312.0000000002B10000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Avira: detection malicious, Label: TR/Injector.ruzzg
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Virustotal: Detection: 50%
Yara detected FormBook
Source: Yara match | File source: 00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.466460312.0000000002B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.437514100.0000000003360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.398639505.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.469414937.000000001EFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.463494000.00000000003A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.434698711.0000000000060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.438710538.000000001F230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.462985191.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: 6.0.Morningsu.exe.400000.0.unpack | Avira: Label: TR/Injector.ruzzg
Source: 21.0.Morningsu.exe.400000.0.unpack | Avira: Label: TR/Injector.ruzzg
Source: 17.0.Morningsu.exe.400000.0.unpack | Avira: Label: TR/Injector.ruzzg
Source: 16.0.Morningsu.exe.400000.0.unpack | Avira: Label: TR/Injector.ruzzg
Source: 12.0.Morningsu.exe.400000.0.unpack | Avira: Label: TR/Injector.ruzzg
Source: 3.0.SecuriteInfo.com.Fareit-FST36F52D915DF6.exe.400000.0.unpack | Avira: Label: TR/Injector.ruzzg
Source: 3.2.SecuriteInfo.com.Fareit-FST36F52D915DF6.exe.2540000.1.unpack | Avira: Label: TR/Injector.ruzzg
Source: 18.0.Morningsu.exe.400000.0.unpack | Avira: Label: TR/Injector.ruzzg
Source: 0.0.SecuriteInfo.com.Fareit-FST36F52D915DF6.exe.400000.0.unpack | Avira: Label: TR/Injector.ruzzg
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_00562D0E InternetReadFile,18_2_00562D0E
Source: unknown | DNS traffic detected: queries for: wtstransit.com.sg
Source: Morningsu.exe, 00000011.00000002.463176954.0000000000560000.00000040.00000001.sdmp, Morningsu.exe, 00000012.00000002.398764684.0000000000560000.00000040.00000001.sdmp, Morningsu.exe, 00000015.00000002.434785491.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: http://urquilam.com.ar/ihaus/media/mode/xbchost/microsofthost.bin
Source: Morningsu.exe, 00000011.00000002.463176954.0000000000560000.00000040.00000001.sdmp, Morningsu.exe, 00000012.00000002.398764684.0000000000560000.00000040.00000001.sdmp, Morningsu.exe, 00000015.00000002.434785491.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://wtstransit.com.sg/wtstransit/schhost/conhost.bin
Source: Morningsu.exe, 00000011.00000002.463176954.0000000000560000.00000040.00000001.sdmp, Morningsu.exe, 00000012.00000002.398764684.0000000000560000.00000040.00000001.sdmp, Morningsu.exe, 00000015.00000002.434785491.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://wtstransit.com.sg/wtstransit/schhost/conhost.binhttp://urquilam.com.ar/ihaus/media/mode/xbch
Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File sources: the same nine memory dumps listed under AV Detection above, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.463634844.000000000054B000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 00000014.00000002.466460312.0000000002B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.466460312.0000000002B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000013.00000000.437985766.000000000EFAF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 00000019.00000002.437514100.0000000003360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.437514100.0000000003360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.398639505.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.398639505.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.470056922.0000000004ABF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11, Author: Florian Roth
Source: 00000011.00000002.469414937.000000001EFE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.469414937.000000001EFE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.463494000.00000000003A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.463494000.00000000003A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.434698711.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.434698711.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.438710538.000000001F230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.438710538.000000001F230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.462985191.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.462985191.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 0_2_02220EF7 NtWriteVirtualMemory,0_2_02220EF7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 0_2_02222D0E NtMapViewOfSection,0_2_02222D0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 0_2_02222970 NtProtectVirtualMemory,0_2_02222970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 0_2_0222015C EnumWindows,NtSetInformationThread,TerminateProcess,0_2_0222015C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 0_2_022210C3 NtWriteVirtualMemory,0_2_022210C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 0_2_02222D15 NtMapViewOfSection,0_2_02222D15
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 0_2_02222D41 NtMapViewOfSection,0_2_02222D41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 0_2_022201BD NtSetInformationThread,TerminateProcess,0_2_022201BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 3_2_0056015C EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,TerminateProcess,3_2_0056015C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 3_2_00562970 NtProtectVirtualMemory,3_2_00562970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 3_2_005602E3 NtProtectVirtualMemory,3_2_005602E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 3_2_005602E0 NtProtectVirtualMemory,3_2_005602E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Code function: 3_2_005601BD NtSetInformationThread,TerminateProcess,3_2_005601BD
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 12_2_02132D0E NtUnmapViewOfSection,12_2_02132D0E
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 12_2_0213015C EnumWindows,NtSetInformationThread,TerminateProcess,12_2_0213015C
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 12_2_02132970 NtProtectVirtualMemory,12_2_02132970
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 12_2_02130EF7 NtWriteVirtualMemory,12_2_02130EF7
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 12_2_02132D15 NtUnmapViewOfSection,12_2_02132D15
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 12_2_02132D41 NtUnmapViewOfSection,12_2_02132D41
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 12_2_021301BD NtSetInformationThread,TerminateProcess,12_2_021301BD
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 12_2_021310C3 NtWriteVirtualMemory,12_2_021310C3
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379710 NtQueryInformationToken,LdrInitializeThunk,17_2_1F379710
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379780 NtMapViewOfSection,LdrInitializeThunk,17_2_1F379780
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379660 NtAllocateVirtualMemory,LdrInitializeThunk,17_2_1F379660
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F3796E0 NtFreeVirtualMemory,LdrInitializeThunk,17_2_1F3796E0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F3795D0 NtClose,LdrInitializeThunk,17_2_1F3795D0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379A00 NtProtectVirtualMemory,LdrInitializeThunk,17_2_1F379A00
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379A50 NtCreateFile,LdrInitializeThunk,17_2_1F379A50
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379910 NtAdjustPrivilegesToken,LdrInitializeThunk,17_2_1F379910
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F3799A0 NtCreateSection,LdrInitializeThunk,17_2_1F3799A0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379860 NtQuerySystemInformation,LdrInitializeThunk,17_2_1F379860
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379840 NtDelayExecution,LdrInitializeThunk,17_2_1F379840
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F3798F0 NtReadVirtualMemory,LdrInitializeThunk,17_2_1F3798F0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379730 NtQueryVirtualMemory,17_2_1F379730
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F37A710 NtOpenProcessToken,17_2_1F37A710
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F37A770 NtOpenThread,17_2_1F37A770
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379770 NtSetInformationFile,17_2_1F379770
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379760 NtOpenProcess,17_2_1F379760
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F3797A0 NtUnmapViewOfSection,17_2_1F3797A0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379FE0 NtCreateMutant,17_2_1F379FE0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379610 NtEnumerateValueKey,17_2_1F379610
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379670 NtQueryInformationProcess,17_2_1F379670
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379650 NtQueryValueKey,17_2_1F379650
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F3796D0 NtCreateKey,17_2_1F3796D0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F37AD30 NtSetContextThread,17_2_1F37AD30
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379520 NtWaitForSingleObject,17_2_1F379520
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379560 NtWriteFile,17_2_1F379560
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379540 NtReadFile,17_2_1F379540
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F3795F0 NtQueryInformationFile,17_2_1F3795F0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379B00 NtSetValueKey,17_2_1F379B00
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F37A3B0 NtGetContextThread,17_2_1F37A3B0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379A20 NtResumeThread,17_2_1F379A20
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379A10 NtQuerySection,17_2_1F379A10
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379A80 NtOpenDirectoryObject,17_2_1F379A80
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379950 NtQueueApcThread,17_2_1F379950
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F3799D0 NtCreateProcessEx,17_2_1F3799D0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F379820 NtEnumerateKey,17_2_1F379820
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F37B040 NtSuspendThread,17_2_1F37B040
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_1F3798A0 NtWriteVirtualMemory,17_2_1F3798A0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_0056015C EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,LdrInitializeThunk,17_2_0056015C
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_00562970 NtProtectVirtualMemory,17_2_00562970
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_005601BD NtSetInformationThread,17_2_005601BD
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_005602E3 NtProtectVirtualMemory,17_2_005602E3
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 17_2_005602E0 NtProtectVirtualMemory,17_2_005602E0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389710 NtQueryInformationToken,LdrInitializeThunk,18_2_1F389710
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F3897A0 NtUnmapViewOfSection,LdrInitializeThunk,18_2_1F3897A0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389780 NtMapViewOfSection,LdrInitializeThunk,18_2_1F389780
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389660 NtAllocateVirtualMemory,LdrInitializeThunk,18_2_1F389660
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F3896E0 NtFreeVirtualMemory,LdrInitializeThunk,18_2_1F3896E0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389540 NtReadFile,LdrInitializeThunk,18_2_1F389540
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F3895D0 NtClose,LdrInitializeThunk,18_2_1F3895D0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389A20 NtResumeThread,LdrInitializeThunk,18_2_1F389A20
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389A00 NtProtectVirtualMemory,LdrInitializeThunk,18_2_1F389A00
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389A50 NtCreateFile,LdrInitializeThunk,18_2_1F389A50
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389910 NtAdjustPrivilegesToken,LdrInitializeThunk,18_2_1F389910
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F3899A0 NtCreateSection,LdrInitializeThunk,18_2_1F3899A0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389860 NtQuerySystemInformation,LdrInitializeThunk,18_2_1F389860
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389840 NtDelayExecution,LdrInitializeThunk,18_2_1F389840
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F3898F0 NtReadVirtualMemory,LdrInitializeThunk,18_2_1F3898F0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389730 NtQueryVirtualMemory,18_2_1F389730
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F38A710 NtOpenProcessToken,18_2_1F38A710
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F38A770 NtOpenThread,18_2_1F38A770
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389770 NtSetInformationFile,18_2_1F389770
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389760 NtOpenProcess,18_2_1F389760
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 18_2_1F389FE0 NtCreateMutant,18_2_1F389FE0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389610 NtEnumerateValueKey,18_2_1F389610
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389670 NtQueryInformationProcess,18_2_1F389670
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389650 NtQueryValueKey,18_2_1F389650
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F3896D0 NtCreateKey,18_2_1F3896D0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F38AD30 NtSetContextThread,18_2_1F38AD30
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389520 NtWaitForSingleObject,18_2_1F389520
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389560 NtWriteFile,18_2_1F389560
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F3895F0 NtQueryInformationFile,18_2_1F3895F0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389B00 NtSetValueKey,18_2_1F389B00
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F38A3B0 NtGetContextThread,18_2_1F38A3B0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389A10 NtQuerySection,18_2_1F389A10
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389A80 NtOpenDirectoryObject,18_2_1F389A80
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389950 NtQueueApcThread,18_2_1F389950
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F3899D0 NtCreateProcessEx,18_2_1F3899D0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F389820 NtEnumerateKey,18_2_1F389820
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F38B040 NtSuspendThread,18_2_1F38B040
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_1F3898A0 NtWriteVirtualMemory,18_2_1F3898A0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_0056015C EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,LdrInitializeThunk,18_2_0056015C
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_00562970 NtProtectVirtualMemory,18_2_00562970
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_005601BD NtSetInformationThread,18_2_005601BD
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_005602E3 NtProtectVirtualMemory,18_2_005602E3
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 18_2_005602E0 NtProtectVirtualMemory,18_2_005602E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9540 NtReadFile,LdrInitializeThunk,20_2_045F9540
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F95D0 NtClose,LdrInitializeThunk,20_2_045F95D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9650 NtQueryValueKey,LdrInitializeThunk,20_2_045F9650
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9660 NtAllocateVirtualMemory,LdrInitializeThunk,20_2_045F9660
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F96D0 NtCreateKey,LdrInitializeThunk,20_2_045F96D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F96E0 NtFreeVirtualMemory,LdrInitializeThunk,20_2_045F96E0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9710 NtQueryInformationToken,LdrInitializeThunk,20_2_045F9710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9FE0 NtCreateMutant,LdrInitializeThunk,20_2_045F9FE0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9780 NtMapViewOfSection,LdrInitializeThunk,20_2_045F9780
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9840 NtDelayExecution,LdrInitializeThunk,20_2_045F9840
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9860 NtQuerySystemInformation,LdrInitializeThunk,20_2_045F9860
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,20_2_045F9910
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F99A0 NtCreateSection,LdrInitializeThunk,20_2_045F99A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9A50 NtCreateFile,LdrInitializeThunk,20_2_045F9A50
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9560 NtWriteFile,20_2_045F9560
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045FAD30 NtSetContextThread,20_2_045FAD30
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9520 NtWaitForSingleObject,20_2_045F9520
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F95F0 NtQueryInformationFile,20_2_045F95F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9670 NtQueryInformationProcess,20_2_045F9670
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9610 NtEnumerateValueKey,20_2_045F9610
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045FA770 NtOpenThread,20_2_045FA770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9770 NtSetInformationFile,20_2_045F9770
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9760 NtOpenProcess,20_2_045F9760
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045FA710 NtOpenProcessToken,20_2_045FA710
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9730 NtQueryVirtualMemory,20_2_045F9730
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F97A0 NtUnmapViewOfSection,20_2_045F97A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045FB040 NtSuspendThread,20_2_045FB040
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9820 NtEnumerateKey,20_2_045F9820
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F98F0 NtReadVirtualMemory,20_2_045F98F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F98A0 NtWriteVirtualMemory,20_2_045F98A0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9950 NtQueueApcThread,20_2_045F9950
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F99D0 NtCreateProcessEx,20_2_045F99D0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9A10 NtQuerySection,20_2_045F9A10
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9A00 NtProtectVirtualMemory,20_2_045F9A00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9A20 NtResumeThread,20_2_045F9A20
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9A80 NtOpenDirectoryObject,20_2_045F9A80
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9B00 NtSetValueKey,20_2_045F9B00
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045FA3B0 NtGetContextThread,20_2_045FA3B0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_02B26BC0 NtCreateFile,20_2_02B26BC0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_02B26CF0 NtClose,20_2_02B26CF0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_02B26C70 NtReadFile,20_2_02B26C70
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_02B26DA0 NtAllocateVirtualMemory,20_2_02B26DA0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_02B26D9B NtAllocateVirtualMemory,20_2_02B26D9B
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9710 NtQueryInformationToken,LdrInitializeThunk,21_2_1F4C9710
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9780 NtMapViewOfSection,LdrInitializeThunk,21_2_1F4C9780
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C97A0 NtUnmapViewOfSection,LdrInitializeThunk,21_2_1F4C97A0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9660 NtAllocateVirtualMemory,LdrInitializeThunk,21_2_1F4C9660
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C96E0 NtFreeVirtualMemory,LdrInitializeThunk,21_2_1F4C96E0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9540 NtReadFile,LdrInitializeThunk,21_2_1F4C9540
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C95D0 NtClose,LdrInitializeThunk,21_2_1F4C95D0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9A50 NtCreateFile,LdrInitializeThunk,21_2_1F4C9A50
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9A00 NtProtectVirtualMemory,LdrInitializeThunk,21_2_1F4C9A00
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9A20 NtResumeThread,LdrInitializeThunk,21_2_1F4C9A20
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,21_2_1F4C9910
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C99A0 NtCreateSection,LdrInitializeThunk,21_2_1F4C99A0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9840 NtDelayExecution,LdrInitializeThunk,21_2_1F4C9840
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9860 NtQuerySystemInformation,LdrInitializeThunk,21_2_1F4C9860
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C98F0 NtReadVirtualMemory,LdrInitializeThunk,21_2_1F4C98F0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9760 NtOpenProcess,21_2_1F4C9760
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4CA770 NtOpenThread,21_2_1F4CA770
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9770 NtSetInformationFile,21_2_1F4C9770
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4CA710 NtOpenProcessToken,21_2_1F4CA710
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9730 NtQueryVirtualMemory,21_2_1F4C9730
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9FE0 NtCreateMutant,21_2_1F4C9FE0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9650 NtQueryValueKey,21_2_1F4C9650
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9670 NtQueryInformationProcess,21_2_1F4C9670
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9610 NtEnumerateValueKey,21_2_1F4C9610
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C96D0 NtCreateKey,21_2_1F4C96D0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9560 NtWriteFile,21_2_1F4C9560
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9520 NtWaitForSingleObject,21_2_1F4C9520
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4CAD30 NtSetContextThread,21_2_1F4CAD30
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C95F0 NtQueryInformationFile,21_2_1F4C95F0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9B00 NtSetValueKey,21_2_1F4C9B00
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4CA3B0 NtGetContextThread,21_2_1F4CA3B0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9A10 NtQuerySection,21_2_1F4C9A10
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9A80 NtOpenDirectoryObject,21_2_1F4C9A80
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9950 NtQueueApcThread,21_2_1F4C9950
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C99D0 NtCreateProcessEx,21_2_1F4C99D0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4CB040 NtSuspendThread,21_2_1F4CB040
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C9820 NtEnumerateKey,21_2_1F4C9820
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_1F4C98A0 NtWriteVirtualMemory,21_2_1F4C98A0
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_0056015C EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,LdrInitializeThunk,21_2_0056015C
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_00562970 NtProtectVirtualMemory,21_2_00562970
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_005601BD NtSetInformationThread,21_2_005601BD
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_005602E3 NtProtectVirtualMemory,21_2_005602E3
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 21_2_005602E0 NtProtectVirtualMemory,21_2_005602E0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_054395D0 NtClose,LdrInitializeThunk,25_2_054395D0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439FE0 NtCreateMutant,LdrInitializeThunk,25_2_05439FE0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439660 NtAllocateVirtualMemory,LdrInitializeThunk,25_2_05439660
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_054396E0 NtFreeVirtualMemory,LdrInitializeThunk,25_2_054396E0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439910 NtAdjustPrivilegesToken,LdrInitializeThunk,25_2_05439910
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439860 NtQuerySystemInformation,LdrInitializeThunk,25_2_05439860
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439540 NtReadFile,25_2_05439540
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439560 NtWriteFile,25_2_05439560
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439520 NtWaitForSingleObject,25_2_05439520
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_0543AD30 NtSetContextThread,25_2_0543AD30
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_054395F0 NtQueryInformationFile,25_2_054395F0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439760 NtOpenProcess,25_2_05439760
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_0543A770 NtOpenThread,25_2_0543A770
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439770 NtSetInformationFile,25_2_05439770
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_0543A710 NtOpenProcessToken,25_2_0543A710
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439710 NtQueryInformationToken,25_2_05439710
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439730 NtQueryVirtualMemory,25_2_05439730
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439780 NtMapViewOfSection,25_2_05439780
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_054397A0 NtUnmapViewOfSection,25_2_054397A0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439650 NtQueryValueKey,25_2_05439650
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439670 NtQueryInformationProcess,25_2_05439670
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439610 NtEnumerateValueKey,25_2_05439610
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_054396D0 NtCreateKey,25_2_054396D0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439950 NtQueueApcThread,25_2_05439950
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_054399D0 NtCreateProcessEx,25_2_054399D0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_054399A0 NtCreateSection,25_2_054399A0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_0543B040 NtSuspendThread,25_2_0543B040
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439840 NtDelayExecution,25_2_05439840
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439820 NtEnumerateKey,25_2_05439820
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_054398F0 NtReadVirtualMemory,25_2_054398F0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_054398A0 NtWriteVirtualMemory,25_2_054398A0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439B00 NtSetValueKey,25_2_05439B00
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_0543A3B0 NtGetContextThread,25_2_0543A3B0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439A50 NtCreateFile,25_2_05439A50
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439A00 NtProtectVirtualMemory,25_2_05439A00
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439A10 NtQuerySection,25_2_05439A10
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439A20 NtResumeThread,25_2_05439A20
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_05439A80 NtOpenDirectoryObject,25_2_05439A80
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_03376BC0 NtCreateFile,25_2_03376BC0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_03376DA0 NtAllocateVirtualMemory,25_2_03376DA0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_03376C70 NtReadFile,25_2_03376C70
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_03376CF0 NtClose,25_2_03376CF0
      Source: C:\Windows\SysWOW64\wscript.exeCode function: 25_2_03376D9B NtAllocateVirtualMemory,25_2_03376D9B
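      The call-site list above is the raw evidence behind several of this report's behavioural signatures. The set NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread present in both cmstp.exe and wscript.exe is the classic process-hollowing sequence; NtQueueApcThread is what the APC-injection finding rests on; and NtSetInformationThread in Morningsu.exe is the API used to hide a thread from a debugger, although the API name alone does not show which information class (ThreadHideFromDebugger) is actually passed. Note also that the call sites inside the two system binaries sit at addresses such as 0x045F9950 (cmstp.exe) and 0x05439950 (wscript.exe), which is more consistent with code written into those processes than with their own images; the report's "Maps a DLL or memory area into another process" finding points the same way. A call site only shows the capability is present in the dumped code, not that it ran; the behavioural signatures in this report are the runtime confirmation. The script below is an added example and is not part of the Joe Sandbox report or its signature logic: it parses "Code function" lines in exactly the form shown above (including the run-together "exeCode function" text and the repeated call-site id left by extraction), groups the APIs per process, and applies a few heuristic technique patterns of its own. The sample lines are copied from this report; the pattern definitions are the example's assumptions, not Joe Sandbox's rules.

```python
import re
from collections import defaultdict

# A Joe Sandbox "Code function" entry as it appears in the extracted report.
# The call-site id is <proc>_<n>_<addr> (e.g. 20_2_045F9950); the extracted
# text repeats it at the end of the line (it was a link to the disassembly),
# and the APIs between the two copies are comma separated. The page does not
# say what the middle field means, so it is carried through unchanged.
LINE_RE = re.compile(
    r"Source:\s*(?P<source>.+?)\s*Code function:\s*"
    r"(?P<proc>\d+)_(?P<n>\d+)_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<rest>.*)$"
)

# Heuristic patterns of this example (assumption: not Joe Sandbox's rules).
# A technique is reported for a process when every API in its set appears
# among that process's call sites.
PATTERNS = {
    "process hollowing": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory",
        "NtSetContextThread", "NtResumeThread",
    },
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "section mapping into a process": {"NtCreateSection", "NtMapViewOfSection"},
    # Only "possible": ThreadHideFromDebugger is an information class passed as
    # an argument, which the API name alone does not reveal.
    "possible thread hiding": {"NtSetInformationThread"},
}

# Constructed sample: lines copied verbatim from this report, including the
# run-together "exeCode function" text and the repeated call-site id.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F97A0 NtUnmapViewOfSection,20_2_045F97A0
Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F98A0 NtWriteVirtualMemory,20_2_045F98A0
Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045FAD30 NtSetContextThread,20_2_045FAD30
Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9A20 NtResumeThread,20_2_045F9A20
Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9950 NtQueueApcThread,20_2_045F9950
Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F99A0 NtCreateSection,LdrInitializeThunk,20_2_045F99A0
Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_045F9780 NtMapViewOfSection,LdrInitializeThunk,20_2_045F9780
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 17_2_0056015C EnumWindows,NtSetInformationThread,NtProtectVirtualMemory,LdrInitializeThunk,17_2_0056015C
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 17_2_1F3798A0 NtWriteVirtualMemory,17_2_1F3798A0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exeCode function: 17_2_1F40DFCE17_2_1F40DFCE
"""


def parse_line(line):
    """Parse one entry into (source, proc, n, addr, apis); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    call_id = f"{m['proc']}_{m['n']}_{m['addr']}"
    # Drop empty tokens and the repeated call-site id; what is left are APIs.
    apis = [t for t in m["rest"].split(",") if t and t != call_id]
    return m["source"], int(m["proc"]), int(m["n"]), int(m["addr"], 16), apis


def analyze(text):
    """Group call sites by (proc, source) and match PATTERNS against each group."""
    apis_by_proc = defaultdict(set)
    sites_by_proc = defaultdict(int)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, proc, _n, _addr, apis = parsed
        apis_by_proc[(proc, source)].update(apis)
        sites_by_proc[(proc, source)] += 1
    report = {}
    for key, apis in apis_by_proc.items():
        matched = [name for name, needed in PATTERNS.items() if needed <= apis]
        report[key] = {
            "call_sites": sites_by_proc[key],
            "apis": sorted(apis),
            "techniques": matched,
        }
    return report


if __name__ == "__main__":
    for (proc, source), info in analyze(SAMPLE_LINES).items():
        print(f"{source} [{proc}]: {info['call_sites']} call sites; "
              f"techniques: {', '.join(info['techniques']) or 'none'}")
```

      Run against the sample, the cmstp.exe group matches the hollowing, APC and section-mapping patterns and the Morningsu.exe group only the thread-hiding one; feeding it the full report text (one entry per line) gives the same per-process view for every process in the analysis. The LdrInitializeThunk token that the sandbox appends to many entries is kept as an ordinary API name here so nothing is silently discarded.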
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe Code functions (17_2_*):
        17_2_1F40DFCE, 17_2_1F401FF1, 17_2_1F356E30, 17_2_1F3FD616, 17_2_1F402EF7, 17_2_1F330D20,
        17_2_1F401D55, 17_2_1F402D07, 17_2_1F4025DD, 17_2_1F362581, 17_2_1F3F2D82, 17_2_1F34D5E0,
        17_2_1F34841F, 17_2_1F35B477, 17_2_1F3FD466, 17_2_1F3F4496, 17_2_1F35A309, 17_2_1F402B28,
        17_2_1F3DCB4F, 17_2_1F35AB40, 17_2_1F36EBB0, 17_2_1F36138B, 17_2_1F3E23E3, 17_2_1F3F03DA,
        17_2_1F3FDBD2, 17_2_1F36ABD8, 17_2_1F35B236, 17_2_1F3EFA2B, 17_2_1F3F4AEF, 17_2_1F4022AE,
        17_2_1F354120, 17_2_1F33F900, 17_2_1F3599BF, 17_2_1F35A830, 17_2_1F3F1002, 17_2_1F40E824,
        17_2_1F3620A0, 17_2_1F34B090, 17_2_1F4028EC, 17_2_1F4020A8, 17_2_0056015C
      Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe Code functions (18_2_*):
        18_2_1F41DFCE, 18_2_1F411FF1, 18_2_1F366E30, 18_2_1F40D616, 18_2_1F412EF7, 18_2_1F340D20,
        18_2_1F411D55, 18_2_1F412D07, 18_2_1F4125DD, 18_2_1F372581, 18_2_1F402D82, 18_2_1F35D5E0,
        18_2_1F40D466, 18_2_1F35841F, 18_2_1F36B477, 18_2_1F404496, 18_2_1F36A309, 18_2_1F412B28,
        18_2_1F3ECB4F, 18_2_1F36AB40, 18_2_1F37EBB0, 18_2_1F40DBD2, 18_2_1F4003DA, 18_2_1F36EB9A,
        18_2_1F37138B, 18_2_1F3F23E3, 18_2_1F37ABD8, 18_2_1F36B236, 18_2_1F3FFA2B, 18_2_1F404AEF,
        18_2_1F4122AE, 18_2_1F364120, 18_2_1F34F900, 18_2_1F3699BF, 18_2_1F36A830, 18_2_1F401002,
        18_2_1F41E824, 18_2_1F3720A0, 18_2_1F35B090, 18_2_1F4128EC, 18_2_1F4120A8, 18_2_0056015C
      Source: C:\Windows\SysWOW64\cmstp.exe Code functions (20_2_*):
        20_2_0467D466, 20_2_045DB477, 20_2_045C841F, 20_2_04674496, 20_2_04681D55, 20_2_04682D07,
        20_2_045B0D20, 20_2_046825DD, 20_2_045CD5E0, 20_2_045E2581, 20_2_04672D82, 20_2_045D5600,
        20_2_045D6E30, 20_2_0467D616, 20_2_04682EF7, 20_2_04661EB6, 20_2_04681FF1, 20_2_0468DFCE,
        20_2_0468E824, 20_2_04671002, 20_2_045DA830, 20_2_046828EC, 20_2_046820A8, 20_2_045CB090,
        20_2_045E20A0, 20_2_045BF900, 20_2_045D4120, 20_2_045D99BF, 20_2_0466FA2B, 20_2_045DB236,
        20_2_04674AEF, 20_2_046822AE, 20_2_045DAB40, 20_2_0465CB4F, 20_2_04682B28, 20_2_045DA309,
        20_2_046623E3, 20_2_045EABD8, 20_2_0467DBD2, 20_2_046703DA, 20_2_045DEB9A, 20_2_045E138B,
        20_2_045EEBB0, 20_2_02B178F0
      Source: C:\Windows\SysWOW64\cmstp.exeCode function: 20_2_02B178EB20_2_02B178EB
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F55DFCE
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F551FF1
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F54D616
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4A5600
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4A6E30
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F552EF7
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F531EB6
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F551D55
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F552D07
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F480D20
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F5525DD
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F49D5E0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4B2581
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F542D82
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F54D466
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4AB477
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F49841F
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F544496
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4AAB40
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F52CB4F
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4AA309
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F552B28
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F54DBD2
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F5403DA
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4BABD8
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F5323E3
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4B138B
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4AEB9A
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4BEBB0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F53FA2B
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4AB236
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F544AEF
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F5522AE
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F48F900
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4A4120
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4A99BF
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F541002
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F55E824
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4AA830
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F5528EC
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F49B090
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F4B20A0
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_1F5520A8
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: 21_2_0056015C
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054C1D55
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_053F0D20
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054C2D07
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054C25DD
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0540D5E0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_05422581
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054B2D82
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054BD466
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0541B477
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0540841F
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054B4496
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054CDFCE
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054C1FF1
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_05415600
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054BD616
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_05416E30
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054C2EF7
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054A1EB6
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_053FF900
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_05414120
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054199BF
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054B1002
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054CE824
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0541A830
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054C28EC
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0540B090
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054220A0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054C20A8
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0541AB40
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0549CB4F
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0541A309
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054C2B28
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054B03DA
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054BDBD2
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0542ABD8
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054A23E3
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0542138B
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0541EB9A
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0542EBB0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054AFA2B
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_0541B236
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054B4AEF
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_054C22AE
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_033678F0
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 25_2_033678EB
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: String function: 1F33B150 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: String function: 1F34B150 appears 139 times
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Code function: String function: 1F48B150 appears 145 times
Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 053FB150 appears 145 times
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 045BB150 appears 145 times
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Morningsu.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe, 00000000.00000002.257013964.00000000021D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Fareit-FST36F52D915DF6.exe
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe, 00000000.00000000.195387649.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStolesder.exe vs SecuriteInfo.com.Fareit-FST36F52D915DF6.exe
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe, 00000003.00000002.276794314.000000000255D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStolesder.exe vs SecuriteInfo.com.Fareit-FST36F52D915DF6.exe
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe, 00000003.00000002.276718185.00000000023F0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SecuriteInfo.com.Fareit-FST36F52D915DF6.exe
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe, 00000003.00000002.276718185.00000000023F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Fareit-FST36F52D915DF6.exe
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Binary or memory string: OriginalFilenameStolesder.exe vs SecuriteInfo.com.Fareit-FST36F52D915DF6.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.463634844.000000000054B000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.466460312.0000000002B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.466460312.0000000002B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000000.437985766.000000000EFAF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.437514100.0000000003360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.437514100.0000000003360000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.398639505.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.398639505.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.470056922.0000000004ABF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000011.00000002.469414937.000000001EFE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.469414937.000000001EFE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.463494000.00000000003A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.463494000.00000000003A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.434698711.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.434698711.0000000000060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.438710538.000000001F230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.438710538.000000001F230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.462985191.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.462985191.0000000000170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
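The memory-scan rows above are more useful once they are grouped by process and by the protection of the region that matched. The following Python is an added triage helper, not code from this report or from the sandbox vendor. It assumes (this is not stated on the page) that a dump name has the shape <pid hex>.<run>.<serial>.<base address>.<page protection>.<region flags>.sdmp, with the protection field holding a Windows PAGE_* constant (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). The sample input is a constructed subset of the rows above with the rule metadata trimmed to the rule name.

```python
"""Added example: group flattened 'Source: <dump>.sdmp, type: MEMORY / Matched rule'
rows by process and flag payload-family hits that sit in executable memory.
Not part of the original report or of the sandbox product."""
import re
from collections import defaultdict

# Windows page-protection constants (winnt.h).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

# Assumption (not stated on the page): dump-name layout is
# <pid hex>.<run>.<serial>.<base address>.<page protection>.<region flags>.sdmp
DUMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<serial>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<flags>[0-9A-Fa-f]{8})\.sdmp$"
)
# The extractor glued "MEMORY" to "Matched rule:", so allow zero whitespace there.
LINE_RE = re.compile(
    r"^Source:\s*(?P<dump>\S+\.sdmp),\s*type:\s*MEMORY\s*Matched rule:\s*(?P<rule>\S+)"
)

# Constructed sample: rows copied from the report above, metadata trimmed.
SAMPLE = """\
Source: 00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23
Source: 00000012.00000002.420922014.000000001F0F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC
Source: 00000014.00000002.463634844.000000000054B000.00000004.00000020.sdmp, type: MEMORYMatched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14
Source: 00000014.00000002.466460312.0000000002B10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23
Source: 00000019.00000002.437514100.0000000003360000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23
Source: 00000012.00000002.398639505.0000000000060000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23
"""


def parse_matches(text):
    """Return one dict per YARA hit: pid (decimal), base, protect, rule name."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = DUMP_RE.match(m.group("dump"))
        if not d:
            continue  # unexpected dump-name layout: skip rather than guess
        hits.append({
            "pid": int(d.group("pid"), 16),
            "base": int(d.group("base"), 16),
            "protect": int(d.group("protect"), 16),
            "rule": m.group("rule"),
        })
    return hits


def executable_payload_regions(text, family_prefix="Formbook"):
    """pid -> sorted base addresses of executable regions where a family rule hit.

    A payload signature inside an executable region is the footprint of unpacked or
    injected code; the same signature in a read/write-only buffer is weaker evidence."""
    regions = defaultdict(set)
    for h in parse_matches(text):
        if h["rule"].startswith(family_prefix) and h["protect"] & EXECUTE_MASK:
            regions[h["pid"]].add(h["base"])
    return {pid: sorted(bases) for pid, bases in regions.items()}


def summarize(text):
    """pid -> sorted list of distinct rule names, for a per-process overview."""
    rules = defaultdict(set)
    for h in parse_matches(text):
        rules[h["pid"]].add(h["rule"])
    return {pid: sorted(r) for pid, r in rules.items()}


if __name__ == "__main__":
    for pid, bases in sorted(executable_payload_regions(SAMPLE).items()):
        print(f"pid {pid}: Formbook in executable memory at",
              ", ".join(hex(b) for b in bases))
```

On the sample, pids 18 (0x12), 20 (0x14) and 25 (0x19) each carry Formbook signatures in executable regions, which lines up with the Code function rows above for Morningsu.exe (18_2_), cmstp.exe (20_2_) and wscript.exe (25_2_); the LokiBot dropper hit in a PAGE_READWRITE buffer of pid 20 is reported by summarize() but not counted as an executable payload region.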
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Morningsu.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@24/2@3/1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6296:120:WilError_01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | File created: C:\Users\user\AppData\Local\Temp\~DFCB0A9E4E9063362E.TMP
Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.vbs'
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmstp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | Virustotal: Detection: 50%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Fareit-FST36F52D915DF6.exe
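Two of the process-creation rows above are worth turning into detection logic: wscript.exe launching Morningsu.vbs from under AppData\Local\Temp, and cmstp.exe started with a command line that is nothing but its own path. The Python below is an added example of that logic run over constructed process-creation events, not code from this report or from the sandbox vendor. The first two events reproduce the command lines recorded above; the two benign events, the "Vendor" paths in them, and the event field names are invented for contrast. The cmstp rule rests on the fact that cmstp.exe installs Connection Manager profiles and is normally given an .inf path.

```python
"""Added example: flag the process-creation patterns recorded in the report above
(script host running a .vbs from %LOCALAPPDATA%\\Temp; cmstp.exe started bare).
Not part of the original report or of the sandbox product."""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTENSIONS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
TEMP_MARKER = "\\appdata\\local\\temp\\"


def split_cmdline(cmd):
    """Split a Windows command line on whitespace, honouring '...' and "..." quoting
    (the sandbox renders quotes as single quotes). Backslashes are never escapes."""
    tokens, buf, quote = [], [], None
    for ch in cmd:
        if quote:
            if ch == quote:
                quote = None
            else:
                buf.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch.isspace():
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        tokens.append("".join(buf))
    return tokens


def classify(event):
    """Return the list of reasons this process-creation event looks suspicious."""
    image = ntpath.basename(event["image"]).lower()
    args = split_cmdline(event["cmdline"])[1:]  # drop argv[0]
    findings = []
    if image in SCRIPT_HOSTS:
        for arg in args:
            low = arg.lower()
            if low.endswith(SCRIPT_EXTENSIONS) and TEMP_MARKER in low:
                findings.append("script host executing a script from %LOCALAPPDATA%\\Temp")
    # cmstp.exe normally receives a Connection Manager .inf; an instance with no
    # arguments at all does nothing useful on its own and is a typical injection host.
    if image == "cmstp.exe" and not args:
        findings.append("cmstp.exe started with no arguments")
    return findings


# Constructed sample events: the first two copy the command lines from the report,
# the last two are invented benign counterparts (hypothetical "Vendor" paths).
EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\tumidhjrnepun\Morningsu.vbs'"},
    {"image": r"C:\Windows\SysWOW64\cmstp.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmstp.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maint.vbs"'},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"C:\Windows\System32\cmstp.exe /s C:\ProgramData\Vendor\vpn.inf"},
]


def triage(events):
    """Event index -> findings, only for events that produced at least one finding."""
    flagged = {}
    for i, event in enumerate(events):
        findings = classify(event)
        if findings:
            flagged[i] = findings
    return flagged


if __name__ == "__main__":
    for i, findings in triage(EVENTS).items():
        print(f"event {i}: {EVENTS[i]['cmdline']}")
        for f in findings:
            print("   ->", f)
```

The parent of both recorded processes is listed as "unknown" above, so the rules deliberately key on the child's image and arguments only; in an environment with parent-process telemetry, the cmstp rule should additionally require a non-system parent, or the instance will be indistinguishable from an installer that legitimately spawns cmstp.exe.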
      Source: