Analysis Report bVsKNuwn30

Overview

General Information

Sample Name: bVsKNuwn30 (renamed file extension from none to exe)
Analysis ID: 433069
MD5: 3c88c6ef1a906bc81fc6b5b7fc478e0c
SHA1: 1007ea59d9c209f367a1873ae6da2eac5fad81ef
SHA256: 1754283e0b6bbbbeb69f165e54e3795d3e34ca14aa7bd8bd3b7dcdd97f7dfca8
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • bVsKNuwn30.exe (PID: 6700 cmdline: 'C:\Users\user\Desktop\bVsKNuwn30.exe' MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)
    • bVsKNuwn30.exe (PID: 5612 cmdline: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe MD5: 3C88C6EF1A906BC81FC6B5B7FC478E0C)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 3532 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 5548 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
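The tree above is the FormBook execution chain end to end: the Desktop dropper starts a copy of itself from %TEMP%, that copy injects into explorer.exe, the injected explorer.exe launches an argument-less 32-bit system binary from SysWOW64 (msiexec.exe in this run; FormBook picks from a fixed list of such binaries) and injects the payload into it, and that final host process deletes the original Temp copy with cmd.exe /c del. Note that the 5612 -> explorer.exe edge exists only because the sandbox draws an injection target as a child of the injector; on a real host an EDR sees explorer.exe as the parent of msiexec.exe, which is why the two signals below are worth keeping. The Python that follows is an added example, not part of the Joe Sandbox report: it runs two detections over process-creation events constructed from the tree (image paths for explorer.exe and cmd.exe, and the parent PID of 6700, are assumptions the report does not state).

```python
"""Detection logic over process-creation telemetry modelled on the tree above.

Added example; not code from the Joe Sandbox report.
Signal 1: cmd.exe /c del <path> where <path> is the image of another process
          in the telemetry (a payload erasing its own dropper).
Signal 2: explorer.exe launching an argument-less SysWOW64 binary that then
          spawns cmd.exe.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # arguments as logged (may be empty)


# Constructed from the report's process tree. The explorer.exe and cmd.exe
# image paths and the parent of PID 6700 (1234) are assumptions.
EVENTS = [
    ProcEvent(6700, 1234, r"C:\Users\user\Desktop\bVsKNuwn30.exe",
              r"'C:\Users\user\Desktop\bVsKNuwn30.exe'"),
    ProcEvent(5612, 6700, r"C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe",
              r"C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe"),
    ProcEvent(3440, 5612, r"C:\Windows\explorer.exe", ""),
    ProcEvent(3532, 3440, r"C:\Windows\SysWOW64\msiexec.exe",
              r"C:\Windows\SysWOW64\msiexec.exe"),
    ProcEvent(5548, 3532, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'"),
    ProcEvent(5560, 5548, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# cmd.exe /c del "<path>" | '<path>' | <path>, tolerating /q /f style switches.
DEL_RE = re.compile(r"""/c\s+del\s+(?:/[a-z]\s+)*["']?([^"']+?)["']?\s*$""", re.I)

SYSWOW64 = "c:\\windows\\syswow64\\"


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def self_deletion(events):
    """cmd.exe deleting the image of another process seen in the telemetry."""
    by_image = {e.image.lower(): e for e in events}
    hits = []
    for e in events:
        if _name(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group(1).strip().lower()
        if target in by_image:
            hits.append({"cmd_pid": e.pid, "victim_pid": by_image[target].pid, "path": target})
    return hits


def explorer_lolbin_to_cmd(events):
    """explorer.exe -> argument-less SysWOW64 binary -> cmd.exe."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or _name(parent.image) != "explorer.exe":
            continue
        if not e.image.lower().startswith(SYSWOW64):
            continue
        args = e.cmdline.strip().strip('"\'').lower()
        if args not in ("", e.image.lower()):
            continue  # launched with real arguments: ordinary use
        cmd_children = [c.pid for c in events
                        if c.ppid == e.pid and _name(c.image) == "cmd.exe"]
        if cmd_children:
            hits.append({"pid": e.pid, "image": _name(e.image), "cmd_children": cmd_children})
    return hits


if __name__ == "__main__":
    print("self-deletion:", self_deletion(EVENTS))
    print("explorer -> SysWOW64 -> cmd:", explorer_lolbin_to_cmd(EVENTS))
```

Neither check depends on the injection edge, and neither fires on an msiexec.exe started by a user with an .msi on its command line, which is the usual benign shape.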

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bucksnortneola.com/gw2/"], "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com", "nestymentemaestra.com", "rakuen-beans.info", "portaldainsolvencia.com", "nationaltodaytv.com", "monadiclab.com", "thebudgetfurnituredenver.com", "sifangzhouzi.com", "quangcaosonthach.com", "cbluebeltliveshop.com", "hyperrealmarketing.com", "dallasproducecompany.com", "zizhizhengshu.com", "becosyshe.com", "injectionhub.com", "wasteshelter.com", "gapegod.com", "danfrem.com", "emag.enterprises", "insomniaut.com", "margaretsboutiquenb.com", "bestmovies4k.com", "hsxytz.com", "veles.asia", "graphicoustic.com", "rzeroxi.com", "cristyleebennett.com", "vercoicsporno.club", "awdworldwide.com", "agrilast.com", "vineyardplaceseniorliving.com", "blancaholidaylets.com", "didixun.com", "localmiller.com", "gravityphysiotherapy.com", "couchtabledesktop.com", "cypresswoodsseniorliving.com", "mmdastro.com", "opportunitybsi.com", "deejspeaks.com", "alllivesmattertojesus.info", "clippingpathmask.com", "tuoitrechuatraisudoi.site", "mipecheritage.info", "acadeopolis.com", "52jnh.com", "thetrust.place", "highseachartersct.com", "booklarge.com", "kela-de.com", "ea-it-pantomath.com", "tricountyrr.com", "blackeye.online", "hidrovaco.com", "sleeplessreconnaissance.life", "newalbanyironworks.com", "scthxb.com", "bossssss.com", "isaostar.com", "pointredeem.com", "myfulfillmentproject.com", "toikawai.com"]}
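The configuration above is the most directly actionable part of the report, but not every entry in it is an indicator. A FormBook config carries one real C2 path plus a long list of decoy domains, and the running bot sends cover traffic to randomly chosen decoys as well as to the real server, so blocking or alerting on every domain in the list would hit unrelated legitimate sites. The Python below is an added example, not part of the Joe Sandbox report: it splits the extracted config into a high-confidence C2 indicator and a low-confidence decoy watchlist and renders a Suricata rule for the beacon path. The decoy list is cut to three entries for brevity (the full list is above) and the sid value is an arbitrary local choice.

```python
"""Split a FormBook configuration into actionable indicators.

Added example; not code from the Joe Sandbox report. The config values are
copied from the report above (decoy list truncated here for brevity).
"""
from urllib.parse import urlsplit

# Constructed from the "Malware Configuration" section; only three decoys kept.
CONFIG = {
    "C2 list": ["www.bucksnortneola.com/gw2/"],
    "decoy": ["kmampc.com", "swagsoldier.com", "achochapo.com"],
}


def normalize_c2(entry: str) -> dict:
    """FormBook stores the C2 as host/path with no scheme; split it so the
    host can feed DNS/proxy blocks and the path a URL rule."""
    url = entry if "://" in entry else "http://" + entry
    parts = urlsplit(url)
    return {"host": parts.hostname.lower(), "path": parts.path or "/", "url": url}


def build_iocs(config: dict) -> dict:
    """High-confidence: the C2 host/path. Low-confidence: decoy domains, which
    the bot also contacts as cover traffic, so they belong on a watchlist,
    not a blocklist."""
    c2 = [normalize_c2(e) for e in config.get("C2 list", [])]
    c2_hosts = {c["host"] for c in c2}
    decoys = sorted({d.lower() for d in config.get("decoy", [])} - c2_hosts)
    return {"block": c2, "watch": decoys}


def suricata_rule(c2: dict, sid: int) -> str:
    """Alert on the beacon path at the real C2 host only (sticky-buffer HTTP
    keywords as in Suricata 5+; sid is an arbitrary local value)."""
    return (
        'alert http $HOME_NET any -> $EXTERNAL_NET any ('
        'msg:"FormBook C2 beacon to %s"; flow:established,to_server; '
        'http.host; content:"%s"; nocase; '
        'http.uri; content:"%s"; startswith; '
        'classtype:trojan-activity; sid:%d; rev:1;)'
        % (c2["host"], c2["host"], c2["path"], sid)
    )


if __name__ == "__main__":
    iocs = build_iocs(CONFIG)
    for c2 in iocs["block"]:
        print("BLOCK", c2["url"])
        print(suricata_rule(c2, 1000001))
    for domain in iocs["watch"]:
        print("WATCH", domain)
```

The rule anchors on the URI prefix rather than the exact string because the bot appends a query string to the beacon path on GET requests; the host match keeps it from firing on the same path at a decoy.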

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
bVsKNuwn30.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -

Memory Dumps

Source | Rule | Description | Author | Strings
00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | see below
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | see below
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | see below
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
[36 entries in the full table; the remainder are not reproduced here]

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.bVsKNuwn30.exe.660000.1.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
19.2.msiexec.exe.4eef834.4.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
0.2.bVsKNuwn30.exe.6f0000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | -
12.2.bVsKNuwn30.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
12.2.bVsKNuwn30.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | see below
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
[17 entries in the full table; the remainder are not reproduced here]
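The Source column in the three tables above is worth decoding rather than skimming. Read as process index . snapshot . dump id . base address . page protection . type flag, the memory-dump names say which process held the FormBook code and with what permissions: the 0x40 (PAGE_EXECUTE_READWRITE) regions are in process 12 (the Temp copy, PID 5612) and process 19 (msiexec.exe, PID 3532), which is exactly the injection path the process tree shows, while the 0x04 (PAGE_READWRITE) hits in process 0 are the still-packed payload sitting in the .NET loader's heap. The Python below is an added example, not part of the Joe Sandbox report; the field layout is this example's reading of the identifier format, not documented Joe Sandbox behaviour, and the process-index mapping is taken from the process tree on the same reading (sdmp names use hex, .unpack names decimal: 0xC = 12, 0xE = 14, 0x13 = 19). The winnt.h protection constants are standard.

```python
"""Decode the memory-dump and unpacked-PE identifiers used in the Yara tables.

Added example, not part of the report. The field layout is this example's
reading of the identifier format (process index . snapshot . dump id . base
address . page protection . type flag), not documented Joe Sandbox
behaviour; PROCESS_INDEX maps indices to the process tree on the same reading.
"""
import re
from dataclasses import dataclass
from typing import Optional

# winnt.h memory protection constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}

# Assumption: process index = position of the process in the report's tree.
PROCESS_INDEX = {
    0: "bVsKNuwn30.exe (PID 6700, Desktop copy)",
    12: "bVsKNuwn30.exe (PID 5612, Temp copy)",
    14: "explorer.exe (PID 3440)",
    19: "msiexec.exe (PID 3532)",
}

SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)(\.raw)?\.unpack$")


@dataclass(frozen=True)
class Region:
    kind: str                  # "memory dump" or "unpacked PE"
    process_index: int
    snapshot: int
    base: int
    protect: Optional[str]     # only carried by memory-dump names
    raw: bool = False          # .raw.unpack = file layout, else mapped layout

    @property
    def process(self) -> str:
        return PROCESS_INDEX.get(self.process_index,
                                 "index %d (not in tree)" % self.process_index)

    @property
    def executable(self) -> bool:
        return self.protect is not None and "EXECUTE" in self.protect


def parse_identifier(name: str) -> Region:
    m = SDMP_RE.match(name)
    if m:
        prot = int(m.group(5), 16)
        return Region("memory dump", int(m.group(1), 16), int(m.group(2), 16),
                      int(m.group(4), 16), PAGE_PROTECT.get(prot, hex(prot)))
    m = UNPACK_RE.match(name)
    if m:
        return Region("unpacked PE", int(m.group(1)), int(m.group(2)),
                      int(m.group(4), 16), None, raw=m.group(6) is not None)
    raise ValueError("unrecognised identifier: %r" % name)


def executable_regions(names):
    """(process, base) for every dumped region that was executable: the places
    injected or unpacked code actually ran, per process."""
    out = []
    for n in names:
        r = parse_identifier(n)
        if r.executable:
            out.append((r.process, hex(r.base)))
    return out


# Constructed from the "Yara detected FormBook" sources listed in this report.
FORMBOOK_SOURCES = [
    "00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp",
    "00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp",
    "00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp",
    "0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp",
    "00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp",
    "0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp",
    "0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp",
    "12.2.bVsKNuwn30.exe.400000.0.unpack",
    "0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack",
]

if __name__ == "__main__":
    for proc, base in executable_regions(FORMBOOK_SOURCES):
        print(proc, base)
```

Run over the report's own list, the executable hits land only in processes 12 and 19, and 0x400000 in process 12 is the image base of a 32-bit executable: the Temp copy's main image was FormBook, not the Costura loader that the dropped file on disk matches.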

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under "Malware Configuration" above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: bVsKNuwn30.exe | Virustotal: Detection: 51%
Source: bVsKNuwn30.exe | Metadefender: Detection: 20%
Source: bVsKNuwn30.exe | ReversingLabs: Detection: 55%
Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: bVsKNuwn30.exe | Joe Sandbox ML: detected
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: bVsKNuwn30.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: bVsKNuwn30.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb | source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL | source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: bVsKNuwn30.exe, 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, msiexec.exe, 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: bVsKNuwn30.exe, msiexec.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 0_2_00F9F430
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 4x nop then pop esi | 12_2_004172E4
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 4x nop then pop edi | 12_2_00417D55
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop esi | 19_2_007C72E4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi | 19_2_007C7D55

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.bucksnortneola.com/gw2/
Source: bVsKNuwn30.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: bVsKNuwn30.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: bVsKNuwn30.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSAExtendedValidationCodeSigningCA.crl0
Source: bVsKNuwn30.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: bVsKNuwn30.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: bVsKNuwn30.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: bVsKNuwn30.exe | String found in binary or memory: http://ocsp.comodoca.com0#
Source: bVsKNuwn30.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: bVsKNuwn30.exe | String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php
Source: bVsKNuwn30.exe | String found in binary or memory: http://us1.unwiredlabs.com/v2/process.php?application/json;
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000E.00000000.507419135.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: bVsKNuwn30.exe | String found in binary or memory: https://sectigo.com/CPS0D
Source: bVsKNuwn30.exe | String found in binary or memory: https://sectigo.com/CPS0U
Source: bVsKNuwn30.exe | String found in binary or memory: https://secure.comodo.com/CPS0L
Source: bVsKNuwn30.exe, 0000000C.00000002.542410721.0000000000EAA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419D60 NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419E10 NtReadFile
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419E90 NtClose
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419D5A NtCreateFile
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419E8B NtClose
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00419F3A NtAllocateVirtualMemory
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A95D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A98F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A97A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011AAD30 NtSetContextThread
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A9520 NtWaitForSingleObject
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9950 NtQueueApcThread,12_2_011A9950
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9560 NtWriteFile,12_2_011A9560
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A99D0 NtCreateProcessEx,12_2_011A99D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A95F0 NtQueryInformationFile,12_2_011A95F0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9820 NtEnumerateKey,12_2_011A9820
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011AB040 NtSuspendThread,12_2_011AB040
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A98A0 NtWriteVirtualMemory,12_2_011A98A0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011AA710 NtOpenProcessToken,12_2_011AA710
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9B00 NtSetValueKey,12_2_011A9B00
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9730 NtQueryVirtualMemory,12_2_011A9730
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9770 NtSetInformationFile,12_2_011A9770
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011AA770 NtOpenThread,12_2_011AA770
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9760 NtOpenProcess,12_2_011A9760
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011AA3B0 NtGetContextThread,12_2_011AA3B0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9FE0 NtCreateMutant,12_2_011A9FE0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9610 NtEnumerateValueKey,12_2_011A9610
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9A10 NtQuerySection,12_2_011A9A10
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9650 NtQueryValueKey,12_2_011A9650
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9670 NtQueryInformationProcess,12_2_011A9670
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A9A80 NtOpenDirectoryObject,12_2_011A9A80
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A96D0 NtCreateKey,12_2_011A96D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29860 NtQuerySystemInformation,LdrInitializeThunk,19_2_04A29860
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29840 NtDelayExecution,LdrInitializeThunk,19_2_04A29840
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A299A0 NtCreateSection,LdrInitializeThunk,19_2_04A299A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A295D0 NtClose,LdrInitializeThunk,19_2_04A295D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29910 NtAdjustPrivilegesToken,LdrInitializeThunk,19_2_04A29910
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29540 NtReadFile,LdrInitializeThunk,19_2_04A29540
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A296E0 NtFreeVirtualMemory,LdrInitializeThunk,19_2_04A296E0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A296D0 NtCreateKey,LdrInitializeThunk,19_2_04A296D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29660 NtAllocateVirtualMemory,LdrInitializeThunk,19_2_04A29660
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29650 NtQueryValueKey,LdrInitializeThunk,19_2_04A29650
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A50 NtCreateFile,LdrInitializeThunk,19_2_04A29A50
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29780 NtMapViewOfSection,LdrInitializeThunk,19_2_04A29780
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29FE0 NtCreateMutant,LdrInitializeThunk,19_2_04A29FE0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29710 NtQueryInformationToken,LdrInitializeThunk,19_2_04A29710
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A298A0 NtWriteVirtualMemory,19_2_04A298A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A298F0 NtReadVirtualMemory,19_2_04A298F0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29820 NtEnumerateKey,19_2_04A29820
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2B040 NtSuspendThread,19_2_04A2B040
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A295F0 NtQueryInformationFile,19_2_04A295F0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A299D0 NtCreateProcessEx,19_2_04A299D0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29520 NtWaitForSingleObject,19_2_04A29520
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2AD30 NtSetContextThread,19_2_04A2AD30
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29560 NtWriteFile,19_2_04A29560
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29950 NtQueueApcThread,19_2_04A29950
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A80 NtOpenDirectoryObject,19_2_04A29A80
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A20 NtResumeThread,19_2_04A29A20
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A00 NtProtectVirtualMemory,19_2_04A29A00
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29610 NtEnumerateValueKey,19_2_04A29610
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29A10 NtQuerySection,19_2_04A29A10
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29670 NtQueryInformationProcess,19_2_04A29670
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A297A0 NtUnmapViewOfSection,19_2_04A297A0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2A3B0 NtGetContextThread,19_2_04A2A3B0
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29730 NtQueryVirtualMemory,19_2_04A29730
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29B00 NtSetValueKey,19_2_04A29B00
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2A710 NtOpenProcessToken,19_2_04A2A710
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29760 NtOpenProcess,19_2_04A29760
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A29770 NtSetInformationFile,19_2_04A29770
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_04A2A770 NtOpenThread,19_2_04A2A770
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9D60 NtCreateFile,19_2_007C9D60
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9E10 NtReadFile,19_2_007C9E10
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9E90 NtClose,19_2_007C9E90
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9F40 NtAllocateVirtualMemory,19_2_007C9F40
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9D5A NtCreateFile,19_2_007C9D5A
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9E8B NtClose,19_2_007C9E8B
                  Source: C:\Windows\SysWOW64\msiexec.exeCode function: 19_2_007C9F3A NtAllocateVirtualMemory,19_2_007C9F3A
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F917B0
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F91C28
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F91C18
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F91795
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_0528F528
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_05280007
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_05280040
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_05286B28
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00401030
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041D8BA
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041D988
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041E2F2
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_004012FB
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041DA9E
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00402D88
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041DE31
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00409E3B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041D719
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CFA3
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CFA6
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041DFB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0116F900
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01160D20
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01231D55
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01221002
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0117B090
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119EBB0
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01186E30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A120A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FB090
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049F841F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AA1002
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A12581
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049FD5E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A04120
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049EF900
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_049E0D20
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04AB1D55
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A06E30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A1EBB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CE2F2
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B2D90
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B2D88
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B9E40
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B9E3B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007B2FB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCFA6
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe 1754283E0B6BBBBEB69F165E54E3795D3E34CA14AA7BD8BD3B7DCDD97F7DFCA8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 049EB150 appears 35 times
Source: bVsKNuwn30.exe | Static PE information: invalid certificate
Source: bVsKNuwn30.exe, 00000000.00000002.491736102.00000000050E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZcmwzsmpuvltki.dll" vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.484948523.000000000076E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.491858013.0000000005120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.490881651.0000000004F20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.489244106.0000000003ABD000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameZmhikajpuu.dll6 vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 00000000.00000002.491869526.0000000005130000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 0000000C.00000002.542377429.0000000000E2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 0000000C.00000000.484196822.00000000006DE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe, 0000000C.00000002.543477824.00000000013EF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs bVsKNuwn30.exe
Source: bVsKNuwn30.exe | Binary or memory string: OriginalFilenameRFL_0769002.exeB vs bVsKNuwn30.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: bVsKNuwn30.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.598613776.0000000000D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.598554261.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489441014.0000000003B96000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.484041587.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.598077257.00000000007B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.542191970.0000000000C50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.542282401.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489573896.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489676903.0000000003D04000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.538565739.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.bVsKNuwn30.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.bVsKNuwn30.exe.3b961c0.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.bVsKNuwn30.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.bVsKNuwn30.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.bVsKNuwn30.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: bVsKNuwn30.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: bVsKNuwn30.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/3@0/0
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bVsKNuwn30.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | File created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: bVsKNuwn30.exe | Virustotal: Detection: 51%
Source: bVsKNuwn30.exe | Metadefender: Detection: 20%
Source: bVsKNuwn30.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | File read: C:\Users\user\Desktop\bVsKNuwn30.exe
Source: unknown | Process created: C:\Users\user\Desktop\bVsKNuwn30.exe 'C:\Users\user\Desktop\bVsKNuwn30.exe'
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeProcess created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeJump to behavior
                  Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe'Jump to behavior
                  Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
                  Source: C:\Users\user\Desktop\bVsKNuwn30.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: bVsKNuwn30.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: bVsKNuwn30.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Source: bVsKNuwn30.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: msiexec.pdb source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
                  Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp
                  Source: Binary string: msiexec.pdbGCTL source: bVsKNuwn30.exe, 0000000C.00000002.542351925.0000000000E20000.00000040.00000001.sdmp
                  Source: Binary string: wntdll.pdbUGP source: bVsKNuwn30.exe, 0000000C.00000002.542439174.0000000001140000.00000040.00000001.sdmp, msiexec.exe, 00000013.00000002.599901876.0000000004ADF000.00000040.00000001.sdmp
                  Source: Binary string: wntdll.pdb source: bVsKNuwn30.exe, msiexec.exe
                  Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.506028471.0000000007BA0000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match | File source: bVsKNuwn30.exe, type: SAMPLE
Source: Yara match | File source: 0000000C.00000000.482709799.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000000.484079723.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.481505916.0000000000CB7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.601052355.0000000004EEF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.331883063.00000000006F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.484632271.00000000006F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.599515980.000000000469F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.539491426.0000000000662000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: bVsKNuwn30.exe PID: 5612, type: MEMORY
Source: Yara match | File source: Process Memory Space: bVsKNuwn30.exe PID: 6700, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe, type: DROPPED
Source: Yara match | File source: 12.2.bVsKNuwn30.exe.660000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.msiexec.exe.4eef834.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.bVsKNuwn30.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.660000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.0.bVsKNuwn30.exe.660000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.bVsKNuwn30.exe.6f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.msiexec.exe.4eef834.4.unpack, type: UNPACKEDPE
Source: bVsKNuwn30.exe | Static PE information: 0xD669075E [Tue Dec 28 08:16:30 2083 UTC]
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F962B5 push 8BFFFFFEh; retf 0_2_00F962BB
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F95265 push ecx; retf 0_2_00F9526C
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F94E5C pushad ; iretd 0_2_00F94E5D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00417B68 push ebx; ret 12_2_00417B69
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CEB5 push eax; ret 12_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CF6C push eax; ret 12_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CF02 push eax; ret 12_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0041CF0B push eax; ret 12_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_004167E2 push esi; retf 12_2_004167F5
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0040C78D push ecx; iretd 12_2_0040C78E
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011BD0D1 push ecx; ret 12_2_011BD0E4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_04A3D0D1 push ecx; ret 19_2_04A3D0E4
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C7B68 push ebx; ret 19_2_007C7B69
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCEB5 push eax; ret 19_2_007CCF08
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCF6C push eax; ret 19_2_007CCF72
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCF0B push eax; ret 19_2_007CCF72
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007CCF02 push eax; ret 19_2_007CCF08
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007C67E2 push esi; retf 19_2_007C67F5
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 19_2_007BC78D push ecx; iretd 19_2_007BC78E
Source: initial sample | Static PE information: section name: .text entropy: 7.99300765862
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | File created: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xE8
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe | RDTSC instruction interceptor: First address: 00000000007B98E4 second address: 00000000007B98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\msiexec.exe | RDTSC instruction interceptor: First address: 00000000007B9B5E second address: 00000000007B9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00409A90 rdtsc 12_2_00409A90
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\bVsKNuwn30.exe TID: 6732 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Thread delayed: delay time: 922337203685477
Source: explorer.exe, 0000000E.00000000.506523200.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000E.00000000.506479476.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}`1
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000E.00000000.527417475.000000000641D000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 0000000E.00000000.506479476.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000E.00000000.506355991.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P1
Source: bVsKNuwn30.exe, 00000000.00000002.486485678.0000000002A41000.00000004.00000001.sdmp | Binary or memory string: model0Microsoft|VMWare|Virtual
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}82eb45d9c96749644b820
Source: explorer.exe, 0000000E.00000000.506355991.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000000E.00000000.506523200.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 0000000E.00000000.509250519.000000000D462000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.Microsoft.WBT
Source: bVsKNuwn30.exe, 00000000.00000002.491304602.0000000004FE0000.00000002.00000001.sdmp, explorer.exe, 0000000E.00000000.525625235.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 0000000E.00000000.514555681.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_00409A90 rdtsc 12_2_00409A90
Source: C:\Users\user\Desktop\bVsKNuwn30.exe | Code function: 0_2_00F91120 LdrInitializeThunk, 0_2_00F91120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01169100 mov eax, dword ptr fs:[00000030h] 12_2_01169100
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01238D34 mov eax, dword ptr fs:[00000030h] 12_2_01238D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01194D3B mov eax, dword ptr fs:[00000030h] 12_2_01194D3B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119513A mov eax, dword ptr fs:[00000030h] 12_2_0119513A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01173D34 mov eax, dword ptr fs:[00000030h] 12_2_01173D34
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0116AD30 mov eax, dword ptr fs:[00000030h] 12_2_0116AD30
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01184120 mov eax, dword ptr fs:[00000030h] 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01184120 mov ecx, dword ptr fs:[00000030h] 12_2_01184120
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01187D50 mov eax, dword ptr fs:[00000030h] 12_2_01187D50
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011A3D43 mov eax, dword ptr fs:[00000030h] 12_2_011A3D43
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0118B944 mov eax, dword ptr fs:[00000030h] 12_2_0118B944
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011E3540 mov eax, dword ptr fs:[00000030h] 12_2_011E3540
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0116B171 mov eax, dword ptr fs:[00000030h] 12_2_0116B171
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0118C577 mov eax, dword ptr fs:[00000030h] 12_2_0118C577
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119FD9B mov eax, dword ptr fs:[00000030h] 12_2_0119FD9B
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0118C182 mov eax, dword ptr fs:[00000030h] 12_2_0118C182
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119A185 mov eax, dword ptr fs:[00000030h] 12_2_0119A185
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01162D8A mov eax, dword ptr fs:[00000030h] 12_2_01162D8A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011935A1 mov eax, dword ptr fs:[00000030h] 12_2_011935A1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01218DF1 mov eax, dword ptr fs:[00000030h] 12_2_01218DF1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0116B1E1 mov eax, dword ptr fs:[00000030h] 12_2_0116B1E1
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011E7016 mov eax, dword ptr fs:[00000030h] 12_2_011E7016
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011E6C0A mov eax, dword ptr fs:[00000030h] 12_2_011E6C0A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01221C06 mov eax, dword ptr fs:[00000030h] 12_2_01221C06
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0123740D mov eax, dword ptr fs:[00000030h] 12_2_0123740D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0119BC2C mov eax, dword ptr fs:[00000030h] 12_2_0119BC2C
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01234015 mov eax, dword ptr fs:[00000030h] 12_2_01234015
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0117B02A mov eax, dword ptr fs:[00000030h] 12_2_0117B02A
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01180050 mov eax, dword ptr fs:[00000030h] 12_2_01180050
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_011FC450 mov eax, dword ptr fs:[00000030h] 12_2_011FC450
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01222073 mov eax, dword ptr fs:[00000030h] 12_2_01222073
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01231074 mov eax, dword ptr fs:[00000030h] 12_2_01231074
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_0118746D mov eax, dword ptr fs:[00000030h] 12_2_0118746D
Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exe | Code function: 12_2_01169080 mov eax, dword ptr fs:[00000030h] 12_2_01169080
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E3884 mov eax, dword ptr fs:[00000030h]12_2_011E3884
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011E3884 mov eax, dword ptr fs:[00000030h]12_2_011E3884
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119F0BF mov ecx, dword ptr fs:[00000030h]12_2_0119F0BF
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119F0BF mov eax, dword ptr fs:[00000030h]12_2_0119F0BF
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119F0BF mov eax, dword ptr fs:[00000030h]12_2_0119F0BF
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011A90AF mov eax, dword ptr fs:[00000030h]12_2_011A90AF
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov ecx, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FB8D0 mov eax, dword ptr fs:[00000030h]12_2_011FB8D0
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_012214FB mov eax, dword ptr fs:[00000030h]12_2_012214FB
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238CD6 mov eax, dword ptr fs:[00000030h]12_2_01238CD6
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FFF10 mov eax, dword ptr fs:[00000030h]12_2_011FFF10
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_011FFF10 mov eax, dword ptr fs:[00000030h]12_2_011FFF10
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0119E730 mov eax, dword ptr fs:[00000030h]12_2_0119E730
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0123070D mov eax, dword ptr fs:[00000030h]12_2_0123070D
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0123070D mov eax, dword ptr fs:[00000030h]12_2_0123070D
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01164F2E mov eax, dword ptr fs:[00000030h]12_2_01164F2E
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01164F2E mov eax, dword ptr fs:[00000030h]12_2_01164F2E
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0122131B mov eax, dword ptr fs:[00000030h]12_2_0122131B
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238F6A mov eax, dword ptr fs:[00000030h]12_2_01238F6A
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116F358 mov eax, dword ptr fs:[00000030h]12_2_0116F358
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116DB40 mov eax, dword ptr fs:[00000030h]12_2_0116DB40
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117EF40 mov eax, dword ptr fs:[00000030h]12_2_0117EF40
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01193B7A mov eax, dword ptr fs:[00000030h]12_2_01193B7A
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01193B7A mov eax, dword ptr fs:[00000030h]12_2_01193B7A
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116DB60 mov ecx, dword ptr fs:[00000030h]12_2_0116DB60
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0117FF60 mov eax, dword ptr fs:[00000030h]12_2_0117FF60
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238B58 mov eax, dword ptr fs:[00000030h]12_2_01238B58
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01235BA5 mov eax, dword ptr fs:[00000030h]12_2_01235BA5
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01171B8F mov eax, dword ptr fs:[00000030h]12_2_01171B8F
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01171B8F mov eax, dword ptr fs:[00000030h]12_2_01171B8F
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121D380 mov ecx, dword ptr fs:[00000030h]12_2_0121D380
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0122138A mov eax, dword ptr fs:[00000030h]12_2_0122138A
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h]12_2_0116C600
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h]12_2_0116C600
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116C600 mov eax, dword ptr fs:[00000030h]12_2_0116C600
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121FE3F mov eax, dword ptr fs:[00000030h]12_2_0121FE3F
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0116E620 mov eax, dword ptr fs:[00000030h]12_2_0116E620
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121B260 mov eax, dword ptr fs:[00000030h]12_2_0121B260
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_0121B260 mov eax, dword ptr fs:[00000030h]12_2_0121B260
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01238A62 mov eax, dword ptr fs:[00000030h]12_2_01238A62
                  Source: C:\Users\user\AppData\Local\Temp\bVsKNuwn30.exeCode function: 12_2_01169240 mov eax, dword ptr fs:[00000030h]