Analysis Report FSvvTtQaTe

Overview

General Information

Sample Name: FSvvTtQaTe (renamed file extension from none to exe)
Analysis ID: 318713
MD5: dc128b7f9c2b6926c426de8f0e249ad9
SHA1: b453f5ffe50e506bde88ea77665859e040f182c6
SHA256: 93d99d2cd1283d50475a5860cc3ea76438f51b4419792ce9bfc3fde3fd574ba4
Tags: Gozi

Detection

Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected Gozi e-Banking trojan
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Allocates memory in foreign processes
Contains functionality to detect virtual machines
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sigma detected: Suspicious Svchost Process
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Writes to foreign memory regions
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to read the PEB
Contains functionality to simulate keystroke presses
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
HTTP GET or POST without a user agent
PE file contains an invalid checksum
Queries device information via Setup API
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Startup

  • System is w10x64
  • FSvvTtQaTe.exe (PID: 3612 cmdline: 'C:\Users\user\Desktop\FSvvTtQaTe.exe' MD5: DC128B7F9C2B6926C426DE8F0E249AD9)
    • cmd.exe (PID: 6684 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\2B92\15C9.bat' 'C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE'' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6740 cmdline: cmd /C ''C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE'' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • AJRovrcp.exe (PID: 6752 cmdline: 'C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE' MD5: DC128B7F9C2B6926C426DE8F0E249AD9)
          • svchost.exe (PID: 6868 cmdline: C:\Windows\system32\svchost.exe MD5: 32569E403279B3FD2EDB7EBD036273FA)
            • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
              • AJRovrcp.exe (PID: 6580 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe' MD5: DC128B7F9C2B6926C426DE8F0E249AD9)
                • svchost.exe (PID: 6668 cmdline: C:\Windows\system32\svchost.exe MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • AJRovrcp.exe (PID: 5884 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe' MD5: DC128B7F9C2B6926C426DE8F0E249AD9)
    • svchost.exe (PID: 6672 cmdline: C:\Windows\system32\svchost.exe MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000018.00000002.402582101.0000000000440000.00000004.00000001.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000017.00000002.402194983.0000000000D00000.00000004.00000001.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: Process Memory Space: svchost.exe PID: 6672; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: Process Memory Space: svchost.exe PID: 6668; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security

Unpacked PEs

Source: 24.2.svchost.exe.400000.0.unpack; Rule: Ursnif; Description: Ursnif Payload; Author: kevoreilly & enzo
  • 0x2b102:$crypto64_1: 41 8B 02 FF C1 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D9
  • 0x1fe38:$decrypt_config64: 44 8B D9 33 C0 45 33 C9 44 33 1D 49 C5 01 00 4C 8B D2 48 85 D2 74 37 4C 8D 42 10 45 3B 0A 73 2E ...
Source: 23.2.svchost.exe.cc0000.0.unpack; Rule: Ursnif; Description: Ursnif Payload; Author: kevoreilly & enzo
  • 0x2b102:$crypto64_1: 41 8B 02 FF C1 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D9
  • 0x1fe38:$decrypt_config64: 44 8B D9 33 C0 45 33 C9 44 33 1D 49 C5 01 00 4C 8B D2 48 85 D2 74 37 4C 8D 42 10 45 3B 0A 73 2E ...

Sigma Overview

System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE', ParentImage: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe, ParentProcessId: 6752, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 6868
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: 'C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE', ParentImage: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe, ParentProcessId: 6752, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 6868

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: FSvvTtQaTe.exe; Avira: detected
Multi AV Scanner detection for submitted file
Source: FSvvTtQaTe.exe; Metadefender: Detection: 56%
Source: FSvvTtQaTe.exe; ReversingLabs: Detection: 89%
Machine Learning detection for sample
Source: FSvvTtQaTe.exe; Joe Sandbox ML: detected
Source: 0.3.FSvvTtQaTe.exe.a60000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 21.0.AJRovrcp.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen7
Source: 18.3.AJRovrcp.exe.bd0000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.0.AJRovrcp.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen7
Source: 13.0.AJRovrcp.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen7
Source: 21.3.AJRovrcp.exe.a60000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.FSvvTtQaTe.exe.400000.0.unpack; Avira: Label: TR/Crypt.XPACK.Gen7
Source: 13.3.AJRovrcp.exe.2230000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\FSvvTtQaTe.exe; Code function: 0_2_004040DA HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_004040DA
Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe; Code function: 18_2_004040DA HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,18_2_004040DA
Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe; Code function: 21_2_004040DA HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,21_2_004040DA
Source: C:\Windows\System32\svchost.exe; Code function: 23_2_00CDD95C HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,23_2_00CDD95C
Source: C:\Windows\System32\svchost.exe; Code function: 23_2_00CE04D0 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,23_2_00CE04D0
Source: C:\Windows\System32\svchost.exe; Code function: 23_2_00CDDDB0 lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,23_2_00CDDDB0
Source: C:\Windows\System32\svchost.exe; Code function: 24_2_0041D95C HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,24_2_0041D95C
Source: C:\Windows\System32\svchost.exe; Code function: 24_2_004204D0 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,24_2_004204D0
Source: C:\Windows\System32\svchost.exe; Code function: 24_2_0041DDB0 lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,24_2_0041DDB0
Source: C:\Windows\System32\svchost.exe; Code function: 23_2_00CC939C wcscpy,GetLogicalDriveStringsW,HeapAlloc,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,HeapFree,HeapFree,23_2_00CC939C
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\Temp\2B92\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe; File opened: C:\Users\user~1\AppData\

Networking:

Found Tor onion address
Source: svchost.exe, 00000017.00000002.402194983.0000000000D00000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
Source: svchost.exe, 00000018.00000002.402582101.0000000000440000.00000004.00000001.sdmp; String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
Source: global traffic; HTTP traffic detected: GET /licenses/gpl.txt HTTP/1.1 Host: www.gnu.org Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic; HTTP traffic detected: GET /licenses/gpl-3.0.txt HTTP/1.1 Host: www.gnu.org Connection: Keep-Alive Cache-Control: no-cache
Source: C:\Windows\System32\svchost.exe; Code function: 23_2_00CE8270 HeapAlloc,ResetEvent,InternetReadFile,GetLastError,HeapFree,HttpQueryInfoA,HeapAlloc,SetEvent,23_2_00CE8270
Source: unknown; DNS traffic detected: queries for: www.gnu.org
Source: svchost.exe; String found in binary or memory: http://constitution.org/usdeclar.txt
Source: svchost.exe, 00000017.00000002.402194983.0000000000D00000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.402582101.0000000000440000.00000004.00000001.sdmp; String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: svchost.exe, 00000017.00000002.402194983.0000000000D00000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.402582101.0000000000440000.00000004.00000001.sdmp; String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000014.00000000.912582629.000000000EE1F000.00000004.00000001.sdmp; String found in binary or memory: http://programuserandussource.ru/pav/64.bin
Source: explorer.exe, 00000014.00000000.912591596.000000000EE2D000.00000004.00000001.sdmp; String found in binary or memory: http://programuserandussource.ru/pav/64.binN$
Source: explorer.exe, 00000014.00000000.912582629.000000000EE1F000.00000004.00000001.sdmp; String found in binary or memory: http://programuserandussource.ru/pav/64.bina
Source: explorer.exe, 00000014.00000000.912591596.000000000EE2D000.00000004.00000001.sdmp; String found in binary or memory: http://programuserandussource.ru/pav/64.binl;
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000014.00000000.390274006.0000000006840000.00000004.00000001.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: svchost.exe, 00000017.00000002.403090604.0000019D87E58000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/
Source: svchost.exe, 00000017.00000002.403090604.0000019D87E58000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/2
Source: explorer.exe, 00000014.00000000.912623857.000000000EE73000.00000004.00000001.sdmp, svchost.exe, 00000017.00000002.403174578.0000019D87E71000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.497549710.0000029D8C672000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/licenses/gpl-3.0.txt
Source: svchost.exe, 00000017.00000002.403090604.0000019D87E58000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/licenses/gpl-3.0.txt(
Source: svchost.exe, 00000017.00000002.403090604.0000019D87E58000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/licenses/gpl-3.0.txtB
Source: svchost.exe, 00000017.00000002.403090604.0000019D87E58000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.497531773.0000029D8C65B000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/licenses/gpl-3.0.txtSecurity=Impersonation
Source: svchost.exe, 00000018.00000002.497549710.0000029D8C672000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/licenses/gpl-3.0.txtf7d
Source: svchost.exe, 00000018.00000002.497531773.0000029D8C65B000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/licenses/gpl-3.0.txthttp://www.gnu.org/licenses/gpl-3.0.txt
Source: svchost.exe, 00000017.00000002.402940248.0000019D87E2E000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.404628875.0000029D8C613000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/licenses/gpl.txt
Source: svchost.exe, 00000018.00000002.404628875.0000029D8C613000.00000004.00000001.sdmp; String found in binary or memory: http://www.gnu.org/licenses/gpl.txtInfo
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000014.00000000.402732922.000000000BE76000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 0000000E.00000003.345408262.0000019ED7877000.00000004.00000001.sdmp, explorer.exe, 00000014.00000000.912623857.000000000EE73000.00000004.00000001.sdmp, svchost.exe, 00000017.00000003.396205034.0000019D87E76000.00000004.00000001.sdmp, svchost.exe, 00000018.00000003.396779166.0000029D8C678000.00000004.00000001.sdmp; String found in binary or memory: https://fsf.org/
Source: svchost.exe, 00000018.00000002.497531773.0000029D8C65B000.00000004.00000001.sdmp; String found in binary or memory: https://www.gnu.org/licenses/
Source: explorer.exe, 00000014.00000003.403284289.000000000E101000.00000004.00000040.sdmp, svchost.exe, 00000017.00000003.396205034.0000019D87E76000.00000004.00000001.sdmp, svchost.exe, 00000018.00000002.497531773.0000029D8C65B000.00000004.00000001.sdmp; String found in binary or memory: https://www.gnu.org/licenses/why-not-lgpl.html

          Key, Mouse, Clipboard, Microphone and Screen Capturing:

          Yara detected Ursnif
          Source: Yara match File source: 00000018.00000002.402582101.0000000000440000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000017.00000002.402194983.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchost.exe PID: 6672, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchost.exe PID: 6668, type: MEMORY

          E-Banking Fraud:

          Detected Gozi e-Banking trojan
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls 0_2_004040DA
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls 18_2_004040DA
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls 21_2_004040DA
          Source: C:\Windows\System32\svchost.exe Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls 23_2_00CE04D0
          Source: C:\Windows\System32\svchost.exe Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff 23_2_00CC1FE0
          Source: C:\Windows\System32\svchost.exe Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie 23_2_00CC1FE0
          Source: C:\Windows\System32\svchost.exe Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls 24_2_004204D0
          Source: C:\Windows\System32\svchost.exe Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff 24_2_00401FE0
          Source: C:\Windows\System32\svchost.exe Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie 24_2_00401FE0
          Yara detected Ursnif
          Source: Yara match File source: 00000018.00000002.402582101.0000000000440000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000017.00000002.402194983.0000000000D00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchost.exe PID: 6672, type: MEMORY
          Source: Yara match File source: Process Memory Space: svchost.exe PID: 6668, type: MEMORY
          Disables SPDY (HTTP compression, likely to perform web injects)
          Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 24.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Ursnif Payload Author: kevoreilly & enzo
          Source: 23.2.svchost.exe.cc0000.0.unpack, type: UNPACKEDPE Matched rule: Ursnif Payload Author: kevoreilly & enzo
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Process Stats: CPU usage > 98%
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00402A1A ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,ZwQueryInformationToken,ZwQueryInformationToken,memcpy,ZwClose,ZwClose, 0_2_00402A1A
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00403C74 memset,ZwQueryInformationProcess, 0_2_00403C74
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00402703 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 0_2_00402703
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00403E26 NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_00403E26
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00403F3F NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00403F3F
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_004026C4 NtMapViewOfSection,RtlNtStatusToDosError, 0_2_004026C4
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_004038D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 0_2_004038D6
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_004065D9 NtQueryVirtualMemory, 0_2_004065D9
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00403EFE NtWriteVirtualMemory,VirtualProtectEx,RtlNtStatusToDosError,SetLastError, 0_2_00403EFE
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00403F8F GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread, 0_2_00403F8F
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00401C93 VirtualAlloc,memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle, 0_2_00401C93
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00403E9C NtGetContextThread,RtlNtStatusToDosError, 0_2_00403E9C
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_00403EBD NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 0_2_00403EBD
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_0040346E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 18_2_0040346E
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00402703 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 18_2_00402703
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00402A1A ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,ZwQueryInformationToken,ZwQueryInformationToken,memcpy,ZwClose,ZwClose, 18_2_00402A1A
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00403E26 NtQuerySystemInformation,RtlNtStatusToDosError, 18_2_00403E26
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00403F3F NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 18_2_00403F3F
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_004026C4 NtMapViewOfSection,RtlNtStatusToDosError, 18_2_004026C4
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_004032D8 NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 18_2_004032D8
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_004034E3 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 18_2_004034E3
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00403EFE NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 18_2_00403EFE
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00401C93 VirtualAlloc,memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification, 18_2_00401C93
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00403C74 memset,ZwQueryInformationProcess, 18_2_00403C74
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_004038D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 18_2_004038D6
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_004065D9 NtQueryVirtualMemory, 18_2_004065D9
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00403F8F GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread, 18_2_00403F8F
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00403E9C NtGetContextThread,RtlNtStatusToDosError, 18_2_00403E9C
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_00403EBD NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 18_2_00403EBD
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_0040346E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 21_2_0040346E
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00402703 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose, 21_2_00402703
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00402A1A ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,ZwQueryInformationToken,ZwQueryInformationToken,memcpy,ZwClose,ZwClose, 21_2_00402A1A
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00403E26 NtQuerySystemInformation,RtlNtStatusToDosError, 21_2_00403E26
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00403F3F NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 21_2_00403F3F
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_004026C4 NtMapViewOfSection,RtlNtStatusToDosError, 21_2_004026C4
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_004032D8 NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 21_2_004032D8
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_004034E3 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 21_2_004034E3
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00403EFE NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 21_2_00403EFE
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00401C93 VirtualAlloc,memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification, 21_2_00401C93
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00403C74 memset,ZwQueryInformationProcess, 21_2_00403C74
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_004038D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 21_2_004038D6
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_004065D9 NtQueryVirtualMemory, 21_2_004065D9
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00403F8F GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread, 21_2_00403F8F
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00403E9C NtGetContextThread,RtlNtStatusToDosError, 21_2_00403E9C
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_00403EBD NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 21_2_00403EBD
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE60CC NtMapViewOfSection,RtlNtStatusToDosError, 23_2_00CE60CC
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE0154 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 23_2_00CE0154
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CD1A1C InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread, 23_2_00CD1A1C
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDF4E8 NtQueryInformationProcess, 23_2_00CDF4E8
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE55BC memset,VirtualProtectEx,ResumeThread,WaitForSingleObject,SuspendThread,NtGetContextThread,RtlNtStatusToDosError,VirtualProtectEx,GetLastError,ResumeThread, 23_2_00CE55BC
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE0E90 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose, 23_2_00CE0E90
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDF7DC memset,NtGetContextThread,RtlNtStatusToDosError,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 23_2_00CDF7DC
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE4F6C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle, 23_2_00CE4F6C
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE005C HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError, 23_2_00CE005C
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE01A0 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 23_2_00CE01A0
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE0108 NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 23_2_00CE0108
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CD2B58 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree, 23_2_00CD2B58
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE4D84 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree, 23_2_00CE4D84
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDF554 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree, 23_2_00CDF554
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CC8E3C ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree, 23_2_00CC8E3C
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_004260CC NtMapViewOfSection,RtlNtStatusToDosError, 24_2_004260CC
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_00420154 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 24_2_00420154
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_00411A1C InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread, 24_2_00411A1C
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_0041F4E8 NtQueryInformationProcess, 24_2_0041F4E8
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_004255BC memset,VirtualProtectEx,ResumeThread,WaitForSingleObject,SuspendThread,NtGetContextThread,RtlNtStatusToDosError,VirtualProtectEx,GetLastError,ResumeThread, 24_2_004255BC
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_00420E90 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose, 24_2_00420E90
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_00424F6C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle, 24_2_00424F6C
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_0041F7DC memset,NtGetContextThread,RtlNtStatusToDosError,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 24_2_0041F7DC
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_0042005C HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError, 24_2_0042005C
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_00420108 NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 24_2_00420108
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_004201A0 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 24_2_004201A0
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_00412B58 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree, 24_2_00412B58
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_0041F554 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree, 24_2_0041F554
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_00424D84 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree, 24_2_00424D84
          Source: C:\Windows\System32\svchost.exe Code function: 24_2_00408E3C ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree, 24_2_00408E3C
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE5AF4 CreateProcessAsUserA, 23_2_00CE5AF4
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe Code function: 0_2_004063B8 0_2_004063B8
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 18_2_004063B8 18_2_004063B8
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe Code function: 21_2_004063B8 21_2_004063B8
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE8A60 23_2_00CE8A60
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CD1A1C 23_2_00CD1A1C
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CC13E4 23_2_00CC13E4
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE4F6C 23_2_00CE4F6C
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CED8D8 23_2_00CED8D8
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CCC8EC 23_2_00CCC8EC
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CCD090 23_2_00CCD090
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CCB0A4 23_2_00CCB0A4
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CCF8BC 23_2_00CCF8BC
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE7040 23_2_00CE7040
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CC1000 23_2_00CC1000
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDA018 23_2_00CDA018
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDD14C 23_2_00CDD14C
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CD9144 23_2_00CD9144
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDD95C 23_2_00CDD95C
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDF960 23_2_00CDF960
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDB970 23_2_00CDB970
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE7AC8 23_2_00CE7AC8
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CD4AC4 23_2_00CD4AC4
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDAAEC 23_2_00CDAAEC
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CC6A70 23_2_00CC6A70
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CCF224 23_2_00CCF224
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CD023C 23_2_00CD023C
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CD2BC8 23_2_00CD2BC8
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CE9BE8 23_2_00CE9BE8
          Source: C:\Windows\System32\svchost.exe Code function: 23_2_00CDCBE4 23_2_00CDCBE4
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CEAB4423_2_00CEAB44
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CF2B6023_2_00CF2B60
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CC9CD823_2_00CC9CD8
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CE04D023_2_00CE04D0
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CCACF823_2_00CCACF8
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CEC44423_2_00CEC444
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CD046C23_2_00CD046C
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CF242023_2_00CF2420
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CEA55C23_2_00CEA55C
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CC5D0C23_2_00CC5D0C
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CCDED023_2_00CCDED0
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CE96D023_2_00CE96D0
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CD16EC23_2_00CD16EC
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CE469C23_2_00CE469C
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CC3EB423_2_00CC3EB4
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CDC6B023_2_00CDC6B0
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CC464C23_2_00CC464C
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CCAE6C23_2_00CCAE6C
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CD360823_2_00CD3608
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CD963C23_2_00CD963C
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CC1FE023_2_00CC1FE0
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CDC7AC23_2_00CDC7AC
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CE8FA023_2_00CE8FA0
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CE67B423_2_00CE67B4
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CE2F6823_2_00CE2F68
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CD0F0C23_2_00CD0F0C
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CC670423_2_00CC6704
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00CE273023_2_00CE2730
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00D150F423_2_00D150F4
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00D1280F23_2_00D1280F
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00D079B923_2_00D079B9
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00D1B25423_2_00D1B254
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00D1AA6A23_2_00D1AA6A
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00D1336423_2_00D13364
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00D1BB1423_2_00D1BB14
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00D29CDC23_2_00D29CDC
          Source: C:\Windows\System32\svchost.exeCode function: 23_2_00D1244323_2_00D12443
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00428A6024_2_00428A60
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00411A1C24_2_00411A1C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_004013E424_2_004013E4
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00424F6C24_2_00424F6C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0042704024_2_00427040
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040100024_2_00401000
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0042E80024_2_0042E800
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041A01824_2_0041A018
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0042D8D824_2_0042D8D8
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040C8EC24_2_0040C8EC
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040D09024_2_0040D090
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040B0A424_2_0040B0A4
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040F8BC24_2_0040F8BC
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041914424_2_00419144
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041D14C24_2_0041D14C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041D95C24_2_0041D95C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041F96024_2_0041F960
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041B97024_2_0041B970
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00406A7024_2_00406A70
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040F22424_2_0040F224
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041023C24_2_0041023C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00414AC424_2_00414AC4
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00427AC824_2_00427AC8
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041AAEC24_2_0041AAEC
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0042AB4424_2_0042AB44
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00432B6024_2_00432B60
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00412BC824_2_00412BC8
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041CBE424_2_0041CBE4
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00429BE824_2_00429BE8
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0042C44424_2_0042C444
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041046C24_2_0041046C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0043242024_2_00432420
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_004204D024_2_004204D0
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00409CD824_2_00409CD8
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040ACF824_2_0040ACF8
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0042A55C24_2_0042A55C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00405D0C24_2_00405D0C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040464C24_2_0040464C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040AE6C24_2_0040AE6C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041360824_2_00413608
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041963C24_2_0041963C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040DED024_2_0040DED0
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_004296D024_2_004296D0
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_004116EC24_2_004116EC
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0042469C24_2_0042469C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041C6B024_2_0041C6B0
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00403EB424_2_00403EB4
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00422F6824_2_00422F68
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0040670424_2_00406704
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00410F0C24_2_00410F0C
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0042273024_2_00422730
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00401FE024_2_00401FE0
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00428FA024_2_00428FA0
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0041C7AC24_2_0041C7AC
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_004267B424_2_004267B4
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0045280F24_2_0045280F
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_004550F424_2_004550F4
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_004479B924_2_004479B9
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0045B25424_2_0045B254
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0045AA6A24_2_0045AA6A
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0045336424_2_00453364
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0045BB1424_2_0045BB14
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_0045244324_2_00452443
          Source: C:\Windows\System32\svchost.exeCode function: 24_2_00469CDC24_2_00469CDC
          Source: FSvvTtQaTe.exe, 00000000.00000002.312713622.00000000008A0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs FSvvTtQaTe.exe
          Source: FSvvTtQaTe.exe, 00000000.00000002.312713622.00000000008A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs FSvvTtQaTe.exe
          Source: FSvvTtQaTe.exe, 00000000.00000002.312661841.0000000000850000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs FSvvTtQaTe.exe
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe | Section loaded: gqycfilt.dll
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe | Section loaded: gqycfilt.dll
          Source: 24.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
          Source: 23.2.svchost.exe.cc0000.0.unpack, type: UNPACKEDPE | Matched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
          Source: FSvvTtQaTe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@17/2@5/1
          Source: C:\Windows\System32\svchost.exe | Code function: 23_2_00CCEE8C memset,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle | 23_2_00CCEE8C
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse
          Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{2B082F5E-8E7F-9501-F08F-A2992433F6DD}
          Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{37E6BC4A-2A8E-81E7-EC5B-FE45E0BF1249}
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6692:120:WilError_01
          Source: C:\Windows\System32\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\{034E574A-861B-2DBD-A8E7-1AB15C0BEE75}
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe | File created: C:\Users\user~1\AppData\Local\Temp\2B92
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\2B92\15C9.bat' 'C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE''
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: FSvvTtQaTe.exe | Metadefender: Detection: 56%
          Source: FSvvTtQaTe.exe | ReversingLabs: Detection: 89%
          Source: svchost.exe | String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe | File read: C:\Users\user\Desktop\FSvvTtQaTe.exe
          Source: unknown | Process created: C:\Users\user\Desktop\FSvvTtQaTe.exe 'C:\Users\user\Desktop\FSvvTtQaTe.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\2B92\15C9.bat' 'C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE''
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ''C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE''
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe 'C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE'
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe'
          Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe 'C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe'
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
          Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
          Source: C:\Users\user\Desktop\FSvvTtQaTe.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Users\user~1\AppData\Local\Temp\2B92\15C9.bat' 'C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE''
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C ''C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE''
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe 'C:\Users\user~1\AppData\Roaming\MICROS~1\AppXtcse\AJRovrcp.exe' 'C:\Users\user~1\Desktop\FSVVTT~1.EXE'
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
          Source: C:\Users\user\AppData\Roaming\Microsoft\AppXtcse\AJRovrcp.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe