Analysis Report gzU8odwaPalRTGB.exe

Overview

General Information

Sample Name:	gzU8odwaPalRTGB.exe
Analysis ID:	383962
MD5:	bc0859493d8419f5ffe0468d23938256
SHA1:	70c3b42db2fc29bb0de21db911b85adf600fb9f2
SHA256:	64f1791681e261b0e652130f8f7fca8e1098a4c03fee49652a14d682681f85cf
Tags:	Formbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: gzU8odwaPalRTGB.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe

Avira: detection malicious, Label: HEUR/AGEN.1138557

Found malware configuration

Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.smarttel.management/msc/"], "decoy": ["vanwertfamilyhealth.com", "amiawke.com", "hq-leaks.net", "playersgolfworld.info", "atlantaoffshore.com", "redstateaf.com", "leosquad.world", "elchtec.com", "mjshenanigans.com", "rbsccj.com", "360healthy.life", "sympa.digital", "afrotresor.com", "amazingliberty.com", "realsults.com", "preethamgudichuttu.com", "anastasiavegilates.com", "blockchainfest.asia", "viaverdeproject.net", "shouryashukla.com", "african-elephant.com", "factorysale.online", "vqxxmrxhpsho.mobi", "munchstaging.com", "codealemayohabrha.com", "melrosecakecompany.com", "themaskamigo.com", "aviatop.online", "coivdanswers.com", "geralouittane.com", "amazonshack.com", "aeguana.info", "samaalkaleej.com", "disruptorgen.com", "crystalcpv.com", "lsertsex.com", "affiliatesupersummit.com", "tintuc-247.info", "balakawu.com", "smartecomall.com", "chorahouses.com", "bellezaorganica.club", "greenbayhemorrhoidcenter.com", "iklanlaskar.com", "oldtownbusinessdistrict.com", "hindmetalhouse.com", "diligentpom.com", "genetic-web.com", "novergi.com", "sincetimebegan.com", "foodyfie.com", "wfiboostrs.com", "startuphrs.com", "vkjuzcsh.icu", "primarewards.net", "snappygarden.com", "rangerpoint.net", "meramission.com", "adsatadvanstar.com", "railrockers.com", "smartlightinggreenidea.com", "streetsmartlove.net", "shnfxj.com", "sms-master.online"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe

ReversingLabs: Detection: 29%

Multi AV Scanner detection for submitted file

Source: gzU8odwaPalRTGB.exe

ReversingLabs: Detection: 29%

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: gzU8odwaPalRTGB.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 5.2.RegSvcs.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: gzU8odwaPalRTGB.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: gzU8odwaPalRTGB.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.291054222.000000000EC20000.00000002.00000001.sdmp
Source:	Binary string: RegSvcs.pdb, source: rundll32.exe, 0000000F.00000002.506707645.000000000549F000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.306866453.000000000100F000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, rundll32.exe
Source:	Binary string: rundll32.pdb source: RegSvcs.exe, 00000005.00000002.306707675.0000000000DE0000.00000040.00000001.sdmp
Source:	Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000005.00000002.306707675.0000000000DE0000.00000040.00000001.sdmp
Source:	Binary string: RegSvcs.pdb source: rundll32.exe, 0000000F.00000002.506707645.000000000549F000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.291054222.000000000EC20000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	5_2_00416CA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop edi	5_2_00417D70
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	15_2_00F76CA2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4x nop then pop edi	15_2_00F77D70

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.smarttel.management/msc/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /msc/?szr8=ZuDCMQ3I4T3VSTegk+AGxuqfe6TeNyWCjdwuw+un6PC0oplRc+HjqgF4wozRSCgma/XR&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1Host: www.novergi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /msc/?szr8=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pJnEzWIQGWFv&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1Host: www.realsults.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK

Source: global traffic	HTTP traffic detected: GET /msc/?szr8=ZuDCMQ3I4T3VSTegk+AGxuqfe6TeNyWCjdwuw+un6PC0oplRc+HjqgF4wozRSCgma/XR&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1Host: www.novergi.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /msc/?szr8=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pJnEzWIQGWFv&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1Host: www.realsults.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

DNS traffic detected: queries for: www.novergi.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 11:13:25 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 327Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6d 73 63 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /msc/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: gzU8odwaPalRTGB.exe, 00000000.00000003.237699855.000000000194D000.00000004.00000001.sdmp	String found in binary or memory: http://en.w
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261130122.00000000030E1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gzU8odwaPalRTGB.exe	String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: gzU8odwaPalRTGB.exe	String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266271453.0000000006290000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comcetab
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266271453.0000000006290000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.como
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, gzU8odwaPalRTGB.exe, 00000000.00000003.238346544.00000000062AE000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238372995.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc6l=
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238372995.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comicwl
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238340434.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comnMlB
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, gzU8odwaPalRTGB.exe, 00000000.00000003.240223538.00000000062CD000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.240412200.0000000006294000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/y
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.240223538.00000000062CD000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn;
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.240236409.0000000006294000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnN
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.240236409.0000000006294000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnc
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.241670026.0000000006294000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.241670026.0000000006294000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.241670026.0000000006294000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, gzU8odwaPalRTGB.exe, 00000000.00000003.238136203.00000000062AE000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238136203.00000000062AE000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.coma-d
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.239669252.0000000006296000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.krv
Source: explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238853595.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com6l=
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238739060.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comhlg
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238853595.00000000062AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comn
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D56E58 NtQueryInformationProcess,	0_2_07D56E58
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D56E51 NtQueryInformationProcess,	0_2_07D56E51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00419D60 NtCreateFile,	5_2_00419D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00419E10 NtReadFile,	5_2_00419E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00419E90 NtClose,	5_2_00419E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00419F40 NtAllocateVirtualMemory,	5_2_00419F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00419D5A NtCreateFile,	5_2_00419D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00419E0A NtReadFile,	5_2_00419E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00419F3A NtAllocateVirtualMemory,	5_2_00419F3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F598F0 NtReadVirtualMemory,LdrInitializeThunk,	5_2_00F598F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59860 NtQuerySystemInformation,LdrInitializeThunk,	5_2_00F59860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59840 NtDelayExecution,LdrInitializeThunk,	5_2_00F59840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F599A0 NtCreateSection,LdrInitializeThunk,	5_2_00F599A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59910 NtAdjustPrivilegesToken,LdrInitializeThunk,	5_2_00F59910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59A50 NtCreateFile,LdrInitializeThunk,	5_2_00F59A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59A20 NtResumeThread,LdrInitializeThunk,	5_2_00F59A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59A00 NtProtectVirtualMemory,LdrInitializeThunk,	5_2_00F59A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F595D0 NtClose,LdrInitializeThunk,	5_2_00F595D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59540 NtReadFile,LdrInitializeThunk,	5_2_00F59540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F596E0 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_00F596E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59660 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_00F59660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F597A0 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_00F597A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59780 NtMapViewOfSection,LdrInitializeThunk,	5_2_00F59780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59710 NtQueryInformationToken,LdrInitializeThunk,	5_2_00F59710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F598A0 NtWriteVirtualMemory,	5_2_00F598A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F5B040 NtSuspendThread,	5_2_00F5B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59820 NtEnumerateKey,	5_2_00F59820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F599D0 NtCreateProcessEx,	5_2_00F599D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59950 NtQueueApcThread,	5_2_00F59950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59A80 NtOpenDirectoryObject,	5_2_00F59A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59A10 NtQuerySection,	5_2_00F59A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F5A3B0 NtGetContextThread,	5_2_00F5A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59B00 NtSetValueKey,	5_2_00F59B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F595F0 NtQueryInformationFile,	5_2_00F595F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59560 NtWriteFile,	5_2_00F59560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F5AD30 NtSetContextThread,	5_2_00F5AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59520 NtWaitForSingleObject,	5_2_00F59520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F596D0 NtCreateKey,	5_2_00F596D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59670 NtQueryInformationProcess,	5_2_00F59670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59650 NtQueryValueKey,	5_2_00F59650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59610 NtEnumerateValueKey,	5_2_00F59610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59FE0 NtCreateMutant,	5_2_00F59FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59770 NtSetInformationFile,	5_2_00F59770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F5A770 NtOpenThread,	5_2_00F5A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59760 NtOpenProcess,	5_2_00F59760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F59730 NtQueryVirtualMemory,	5_2_00F59730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F5A710 NtOpenProcessToken,	5_2_00F5A710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9860 NtQuerySystemInformation,LdrInitializeThunk,	15_2_04FD9860
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9840 NtDelayExecution,LdrInitializeThunk,	15_2_04FD9840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD95D0 NtClose,LdrInitializeThunk,	15_2_04FD95D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD99A0 NtCreateSection,LdrInitializeThunk,	15_2_04FD99A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9540 NtReadFile,LdrInitializeThunk,	15_2_04FD9540
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_04FD9910
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD96E0 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_04FD96E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD96D0 NtCreateKey,LdrInitializeThunk,	15_2_04FD96D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9660 NtAllocateVirtualMemory,LdrInitializeThunk,	15_2_04FD9660
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9A50 NtCreateFile,LdrInitializeThunk,	15_2_04FD9A50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9650 NtQueryValueKey,LdrInitializeThunk,	15_2_04FD9650
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9FE0 NtCreateMutant,LdrInitializeThunk,	15_2_04FD9FE0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9780 NtMapViewOfSection,LdrInitializeThunk,	15_2_04FD9780
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9710 NtQueryInformationToken,LdrInitializeThunk,	15_2_04FD9710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD98F0 NtReadVirtualMemory,	15_2_04FD98F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD98A0 NtWriteVirtualMemory,	15_2_04FD98A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FDB040 NtSuspendThread,	15_2_04FDB040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9820 NtEnumerateKey,	15_2_04FD9820
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD95F0 NtQueryInformationFile,	15_2_04FD95F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD99D0 NtCreateProcessEx,	15_2_04FD99D0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9560 NtWriteFile,	15_2_04FD9560
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9950 NtQueueApcThread,	15_2_04FD9950
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FDAD30 NtSetContextThread,	15_2_04FDAD30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9520 NtWaitForSingleObject,	15_2_04FD9520
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9A80 NtOpenDirectoryObject,	15_2_04FD9A80
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9670 NtQueryInformationProcess,	15_2_04FD9670
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9A20 NtResumeThread,	15_2_04FD9A20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9610 NtEnumerateValueKey,	15_2_04FD9610
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9A10 NtQuerySection,	15_2_04FD9A10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9A00 NtProtectVirtualMemory,	15_2_04FD9A00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FDA3B0 NtGetContextThread,	15_2_04FDA3B0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD97A0 NtUnmapViewOfSection,	15_2_04FD97A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9770 NtSetInformationFile,	15_2_04FD9770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FDA770 NtOpenThread,	15_2_04FDA770
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9760 NtOpenProcess,	15_2_04FD9760
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9730 NtQueryVirtualMemory,	15_2_04FD9730
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FDA710 NtOpenProcessToken,	15_2_04FDA710
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FD9B00 NtSetValueKey,	15_2_04FD9B00
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F79D60 NtCreateFile,	15_2_00F79D60
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F79E90 NtClose,	15_2_00F79E90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F79E10 NtReadFile,	15_2_00F79E10
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F79F40 NtAllocateVirtualMemory,	15_2_00F79F40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F79D5A NtCreateFile,	15_2_00F79D5A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F79E0A NtReadFile,	15_2_00F79E0A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F79F3A NtAllocateVirtualMemory,	15_2_00F79F3A

Detected potential crypto function

Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_00D5DCE7	0_2_00D5DCE7
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_00D5A9EA	0_2_00D5A9EA
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_0167C2B0	0_2_0167C2B0
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_01679990	0_2_01679990
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D5C4B8	0_2_07D5C4B8
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D55430	0_2_07D55430
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D5D2C8	0_2_07D5D2C8
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D5C180	0_2_07D5C180
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D51FE8	0_2_07D51FE8
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D5CC08	0_2_07D5CC08
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D5F998	0_2_07D5F998
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D50780	0_2_07D50780
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D50770	0_2_07D50770
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D56478	0_2_07D56478
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D56468	0_2_07D56468
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D55420	0_2_07D55420
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D59158	0_2_07D59158
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D59148	0_2_07D59148
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D51FD8	0_2_07D51FD8
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D56FF0	0_2_07D56FF0
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D56FE0	0_2_07D56FE0
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D51E08	0_2_07D51E08
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D51DF8	0_2_07D51DF8
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D55D21	0_2_07D55D21
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D58C88	0_2_07D58C88
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D58C78	0_2_07D58C78
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D51B90	0_2_07D51B90
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D51B80	0_2_07D51B80
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D52B68	0_2_07D52B68
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D52AE9	0_2_07D52AE9
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D51988	0_2_07D51988
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_07D51978	0_2_07D51978
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FDE8FB	0_2_08FDE8FB
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FDF8E8	0_2_08FDF8E8
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FD88A0	0_2_08FD88A0
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FDAC50	0_2_08FDAC50
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FDCC43	0_2_08FDCC43
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FDAEA0	0_2_08FDAEA0
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FDDF50	0_2_08FDDF50
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FD5170	0_2_08FD5170
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FD32E0	0_2_08FD32E0
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FDE2A3	0_2_08FDE2A3
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FD1540	0_2_08FD1540
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FDD7C0	0_2_08FDD7C0
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_08FDF8D8	0_2_08FDF8D8
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_00D5AAC7	0_2_00D5AAC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00401030	5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041E9AA	5_2_0041E9AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041E25B	5_2_0041E25B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402D89	5_2_00402D89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402D90	5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00409E40	5_2_00409E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00409E3F	5_2_00409E3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041DFF2	5_2_0041DFF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041CFA3	5_2_0041CFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00402FB0	5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F420A0	5_2_00F420A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FE20A8	5_2_00FE20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F2B090	5_2_00F2B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FD1002	5_2_00FD1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F34120	5_2_00F34120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F1F900	5_2_00F1F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FE22AE	5_2_00FE22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FDDBD2	5_2_00FDDBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F4EBB0	5_2_00F4EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FE2B28	5_2_00FE2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F2841F	5_2_00F2841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F2D5E0	5_2_00F2D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FE25DD	5_2_00FE25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F42581	5_2_00F42581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FE1D55	5_2_00FE1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F10D20	5_2_00F10D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FE2D07	5_2_00FE2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FE2EF7	5_2_00FE2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F36E30	5_2_00F36E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00FE1FF1	5_2_00FE1FF1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_05061D55	15_2_05061D55
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FC20A0	15_2_04FC20A0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FAB090	15_2_04FAB090
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FA841F	15_2_04FA841F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_05051002	15_2_05051002
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FAD5E0	15_2_04FAD5E0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FC2581	15_2_04FC2581
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04F90D20	15_2_04F90D20
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FB4120	15_2_04FB4120
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04F9F900	15_2_04F9F900
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FB6E30	15_2_04FB6E30
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FCEBB0	15_2_04FCEBB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F7E9AA	15_2_00F7E9AA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F7E25B	15_2_00F7E25B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F62D90	15_2_00F62D90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F62D89	15_2_00F62D89
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F69E40	15_2_00F69E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F69E3F	15_2_00F69E3F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F7DFF2	15_2_00F7DFF2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F62FB0	15_2_00F62FB0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F7CFA3	15_2_00F7CFA3

Found potential string decryption / allocating functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00F1B150 appears 35 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 04F9B150 appears 35 times

Sample file is different than original file name gathered from version info

Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272310690.0000000007B80000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs gzU8odwaPalRTGB.exe
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.260380327.0000000000DF4000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameExceptionFromErrorCode.exe4 vs gzU8odwaPalRTGB.exe
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272159297.0000000007880000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs gzU8odwaPalRTGB.exe
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272662463.000000000EF50000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs gzU8odwaPalRTGB.exe
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272291076.00000000079F0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs gzU8odwaPalRTGB.exe
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272908381.000000000F050000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs gzU8odwaPalRTGB.exe
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272908381.000000000F050000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs gzU8odwaPalRTGB.exe
Source: gzU8odwaPalRTGB.exe	Binary or memory string: OriginalFilenameExceptionFromErrorCode.exe4 vs gzU8odwaPalRTGB.exe

Uses 32bit PE files

Source: gzU8odwaPalRTGB.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: gzU8odwaPalRTGB.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: fgEePtnFJH.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@3/2

Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe

File created: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:248:120:WilError_01
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Mutant created: \Sessions\1\BaseNamedObjects\HAnHNzedhOpevTaD
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: unknown	Process created: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe 'C:\Users\user\Desktop\gzU8odwaPalRTGB.exe'
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'	Jump to behavior

Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_00D5D65F push es; retn 0001h	0_2_00D5D6BD
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Code function: 0_2_00D5DC4E push 00000000h; iretd	0_2_00D5DC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00417C05 push cs; iretd	5_2_00417C22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040AE9D push edi; ret	5_2_0040AE9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041CEB5 push eax; ret	5_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041CF6C push eax; ret	5_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041CF02 push eax; ret	5_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0041CF0B push eax; ret	5_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_0040B7E3 push es; ret	5_2_0040B7EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 5_2_00F6D0D1 push ecx; ret	5_2_00F6D0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_04FED0D1 push ecx; ret	15_2_04FED0E4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F77C05 push cs; iretd	15_2_00F77C22
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F7CEB5 push eax; ret	15_2_00F7CF08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F6AE9D push edi; ret	15_2_00F6AE9F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F6B7E3 push es; ret	15_2_00F6B7EA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F7CF6C push eax; ret	15_2_00F7CF72
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F7CF02 push eax; ret	15_2_00F7CF08
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_00F7CF0B push eax; ret	15_2_00F7CF72

Source: initial sample	Static PE information: section name: .text entropy: 7.60992842493
Source: initial sample	Static PE information: section name: .text entropy: 7.60992842493

Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match	File source: 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gzU8odwaPalRTGB.exe PID: 3092, type: MEMORY

Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000000F698E4 second address: 0000000000F698EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe	RDTSC instruction interceptor: First address: 0000000000F69B5E second address: 0000000000F69B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe TID: 3568	Thread sleep time: -99182s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe TID: 1188	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6320	Thread sleep time: -54000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Thread delayed: delay time: 99182			Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000006.00000000.286465022.000000000891C000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000006.00000000.286069464.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.286465022.000000000891C000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000000.265198727.00000000011B3000.00000004.00000020.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.286595495.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000006.00000000.286069464.0000000008270000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.278440023.00000000053C4000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000006.00000000.286069464.0000000008270000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000006.00000000.286595495.00000000089B5000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.286069464.0000000008270000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\explorer.exe	Network Connect: 154.203.184.76 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.primarewards.net
Source: C:\Windows\explorer.exe	Domain query: www.novergi.com
Source: C:\Windows\explorer.exe	Network Connect: 162.0.213.203 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.realsults.com

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 3472			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 3472			Jump to behavior

Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 680008	Jump to behavior

Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000006.00000002.502352833.0000000001128000.00000004.00000020.sdmp	Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000006.00000002.503872402.0000000001640000.00000002.00000001.sdmp, rundll32.exe, 0000000F.00000002.503679602.0000000003790000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Analysis Report gzU8odwaPalRTGB.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.0.213.203	www.novergi.com	Canada		35893	ACPCA	true
154.203.184.76	www.realsults.com	Seychelles		139646	HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK	true

Name	Malicious	Antivirus Detection	Reputation
www.smarttel.management/msc/	true	Avira URL Cloud: safe	low
http://www.novergi.com/msc/?szr8=ZuDCMQ3I4T3VSTegk+AGxuqfe6TeNyWCjdwuw+un6PC0oplRc+HjqgF4wozRSCgma/XR&4hnPsj=W2J4SLjHGHypclVp	true	Avira URL Cloud: safe	unknown
http://www.realsults.com/msc/?szr8=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pJnEzWIQGWFv&4hnPsj=W2J4SLjHGHypclVp	true	Avira URL Cloud: safe	unknown

ID:	383962
Product:	CloudBasic
Start time:	13:11:12
Start date:	08.04.2021
Sample:	gzU8odwaPalRTGB.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	bc0859493d8419f5ffe0468d23938256
SHA1:	70c3b42db2fc29bb0de21db911b85adf600fb9f2
SHA256:	64f1791681e261b0e652130f8f7fca8e1098a4c03fee49652a14d682681f85cf
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gzU8odwaPalRTGB.exe.log	ASCII text, with CRLF line terminators	1DC1A2DCC9EFAA84EABF4F6D6066565B	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	43D09D99A1183D27D8BD6C31F7FB6416	647674277B12D074FFE749E4CA879985ABA38A5E	53CE83C8B03890F5037D9B9CA3EF2B1438760AD61C5BD90020C82EE7C02AA6EA
C:\Users\user\AppData\Roaming\fgEePtnFJH.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	BC0859493D8419F5FFE0468D23938256	70C3B42DB2FC29BB0DE21DB911B85ADF600FB9F2	64F1791681E261B0E652130F8F7FCA8E1098A4C03FEE49652A14D682681F85CF
C:\Users\user\AppData\Roaming\fgEePtnFJH.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309