Windows Analysis Report STATEMENT Oct-Nov 25-11-2021.com

Overview

General Information

Sample Name: STATEMENT Oct-Nov 25-11-2021.com (renamed file extension from com to exe)
Analysis ID: 528718
MD5: 02e738dd13974ab64a472f6aa2f065a8
SHA1: 6134aee9ceffce4d6ed1777739493def77b62533
SHA256: 9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae
Tags: exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.davanamays.com/unzn/"], "decoy": ["xiulf.com", "highcountrymortar.com", "523561.com", "marketingagency.tools", "ganmovie.net", "nationaalcontactpunt.com", "sirrbter.com", "begizas.xyz", "missimi-fashion.com", "munixc.info", "daas.support", "spaceworbc.com", "faithtruthresolve.com", "gymkub.com", "thegrayverse.xyz", "artisanmakefurniture.com", "029tryy.com", "ijuubx.biz", "iphone13promax.club", "techuniversus.com", "samrgov.xyz", "grownupcurl.com", "sj0755.net", "beekeeperkit.com", "richessesabondantes.com", "xclgjgjh.net", "webworkscork.com", "vedepviet365.com", "bretabeameven.com", "cdzsmhw.com", "clearperspective.biz", "tigrg5g784sh.biz", "bbezan011.xyz", "mycar.store", "mansooralobeidli.com", "ascensionmemberszoom.com", "unlimitedrehab.com", "wozka.top", "askylarkgoods.com", "rj793.com", "prosvalor.com", "primetimeexpress.com", "boixosnoisperu.com", "mmasportgear.com", "concertiranian.net", "hyponymys.info", "maila.one", "yti0fyic.xyz", "shashiprayag.com", "speedprosmotorsports.com", "westchestercountyjunkcars.com", "patienceinmypocket.com", "rausachbaoloc.com", "plexregroup.com", "outsydercs.com", "foodandflour.com", "lenacrypto.xyz", "homeservicetoday.net", "marthaperry.com", "vmtcyd4q8.com", "shamefulguys.com", "loccssol.store", "gnarledportra.xyz", "042atk.xyz"]}
Yara detected FormBook
Source: Yara match File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.davanamays.com/unzn/ Virustotal: Detection: 7% Perma Link
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll Avira: detection malicious, Label: HEUR/AGEN.1120891
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack Avira: Label: TR/Patched.Ren.Gen2
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.explorer.exe.760796c.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.explorer.exe.760796c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 35.0.explorer.exe.82f796c.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.help.exe.39a796c.4.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.help.exe.41d8a8.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 23.0.explorer.exe.760796c.1.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 35.2.explorer.exe.82f796c.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

barindex
Uses 32bit PE files
Source: STATEMENT Oct-Nov 25-11-2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.256363211.0000000002B10000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252733019.0000000002980000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
Source: Binary string: help.pdbGCTL source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
Source: Binary string: help.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405250
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00405C22 FindFirstFileA,FindClose, 1_2_00405C22
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 4x nop then pop ebx 2_2_00406AC1
Source: C:\Windows\SysWOW64\help.exe Code function: 4x nop then pop ebx 13_2_03226AC1

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.davanamays.com/unzn/
Source: explorer.exe, 00000017.00000003.461333401.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.472114944.000000000704F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.443415910.000000000702F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.458553479.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.460429522.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.453265813.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.459390840.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.460026206.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.472080818.000000000702F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.454273557.000000000702F000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.293121693.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.277038334.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.263876532.0000000006840000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00404E07

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: STATEMENT Oct-Nov 25-11-2021.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 1_2_004030E3
Detected potential crypto function
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00406043 1_2_00406043
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00404618 1_2_00404618
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_0040681A 1_2_0040681A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_100010E0 1_2_100010E0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_1000E21C 1_2_1000E21C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_1000C094 1_2_1000C094
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_1000D301 1_2_1000D301
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_1000BB22 1_2_1000BB22
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_1000B5B0 1_2_1000B5B0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_100071CD 1_2_100071CD
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_0041CB44 2_2_0041CB44
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00408C6C 2_2_00408C6C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00408C70 2_2_00408C70
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_0041BEDF 2_2_0041BEDF
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE20A0 2_2_00AE20A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B820A8 2_2_00B820A8
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACB090 2_2_00ACB090
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B828EC 2_2_00B828EC
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B8E824 2_2_00B8E824
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71002 2_2_00B71002
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD4120 2_2_00AD4120
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABF900 2_2_00ABF900
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B822AE 2_2_00B822AE
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEEBB0 2_2_00AEEBB0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7DBD2 2_2_00B7DBD2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B703DA 2_2_00B703DA
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B82B28 2_2_00B82B28
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC841F 2_2_00AC841F
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7D466 2_2_00B7D466
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE2581 2_2_00AE2581
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACD5E0 2_2_00ACD5E0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B825DD 2_2_00B825DD
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB0D20 2_2_00AB0D20
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B82D07 2_2_00B82D07
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B81D55 2_2_00B81D55
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B82EF7 2_2_00B82EF7
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD6E30 2_2_00AD6E30
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7D616 2_2_00B7D616
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B81FF1 2_2_00B81FF1
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B8DFCE 2_2_00B8DFCE
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_1_00401030 2_1_00401030
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323CB44 13_2_0323CB44
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_03222FB0 13_2_03222FB0
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_03222D90 13_2_03222D90
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_03228C6C 13_2_03228C6C
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_03228C70 13_2_03228C70
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: String function: 00ABB150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_004185D0 NtCreateFile, 2_2_004185D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00418680 NtReadFile, 2_2_00418680
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00418700 NtClose, 2_2_00418700
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_004187B0 NtAllocateVirtualMemory, 2_2_004187B0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_004185CA NtCreateFile, 2_2_004185CA
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_0041867E NtReadFile, 2_2_0041867E
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00418622 NtCreateFile, 2_2_00418622
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_004186FD NtClose, 2_2_004186FD
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_004187AA NtAllocateVirtualMemory, 2_2_004187AA
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_00AF98F0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_00AF9860
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9840 NtDelayExecution,LdrInitializeThunk, 2_2_00AF9840
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF99A0 NtCreateSection,LdrInitializeThunk, 2_2_00AF99A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_00AF9910
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9A20 NtResumeThread,LdrInitializeThunk, 2_2_00AF9A20
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_00AF9A00
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9A50 NtCreateFile,LdrInitializeThunk, 2_2_00AF9A50
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF95D0 NtClose,LdrInitializeThunk, 2_2_00AF95D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9540 NtReadFile,LdrInitializeThunk, 2_2_00AF9540
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_00AF96E0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_00AF9660
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_00AF97A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk, 2_2_00AF9780
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk, 2_2_00AF9FE0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk, 2_2_00AF9710
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF98A0 NtWriteVirtualMemory, 2_2_00AF98A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9820 NtEnumerateKey, 2_2_00AF9820
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AFB040 NtSuspendThread, 2_2_00AFB040
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF99D0 NtCreateProcessEx, 2_2_00AF99D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9950 NtQueueApcThread, 2_2_00AF9950
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9A80 NtOpenDirectoryObject, 2_2_00AF9A80
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9A10 NtQuerySection, 2_2_00AF9A10
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AFA3B0 NtGetContextThread, 2_2_00AFA3B0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9B00 NtSetValueKey, 2_2_00AF9B00
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF95F0 NtQueryInformationFile, 2_2_00AF95F0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9520 NtWaitForSingleObject, 2_2_00AF9520
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AFAD30 NtSetContextThread, 2_2_00AFAD30
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9560 NtWriteFile, 2_2_00AF9560
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF96D0 NtCreateKey, 2_2_00AF96D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9610 NtEnumerateValueKey, 2_2_00AF9610
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9670 NtQueryInformationProcess, 2_2_00AF9670
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9650 NtQueryValueKey, 2_2_00AF9650
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9730 NtQueryVirtualMemory, 2_2_00AF9730
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AFA710 NtOpenProcessToken, 2_2_00AFA710
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9760 NtOpenProcess, 2_2_00AF9760
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF9770 NtSetInformationFile, 2_2_00AF9770
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AFA770 NtOpenThread, 2_2_00AFA770
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_1_004185D0 NtCreateFile, 2_1_004185D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_1_00418680 NtReadFile, 2_1_00418680
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_1_00418700 NtClose, 2_1_00418700
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_1_004187B0 NtAllocateVirtualMemory, 2_1_004187B0
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_03238700 NtClose, 13_2_03238700
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_032387B0 NtAllocateVirtualMemory, 13_2_032387B0
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_03238680 NtReadFile, 13_2_03238680
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_032385D0 NtCreateFile, 13_2_032385D0
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_032387AA NtAllocateVirtualMemory, 13_2_032387AA
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_03238622 NtCreateFile, 13_2_03238622
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323867E NtReadFile, 13_2_0323867E
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_032386FD NtClose, 13_2_032386FD
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_032385CA NtCreateFile, 13_2_032385CA
Sample file is different than original file name gathered from version info
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.255722333.0000000002C2F000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252085756.0000000002A96000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311812321.0000000000D3F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310919643.0000000000A54000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameHelp.Exej% vs STATEMENT Oct-Nov 25-11-2021.exe
PE file contains strange resources
Source: STATEMENT Oct-Nov 25-11-2021.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe File read: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Jump to behavior
Source: STATEMENT Oct-Nov 25-11-2021.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Process created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Process created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" Jump to behavior
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db Jump to behavior
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe File created: C:\Users\user~1\AppData\Local\Temp\nsnE1AF.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/2@0/0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar, 1_2_00402012
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 1_2_0040411B
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:668:120:WilError_01
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: wntdll.pdbUGP source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.256363211.0000000002B10000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252733019.0000000002980000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
Source: Binary string: help.pdbGCTL source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
Source: Binary string: help.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_10009585 push ecx; ret 1_2_10009598
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00415053 push edx; iretd 2_2_004150E3
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_0041B87C push eax; ret 2_2_0041B882
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_0041B812 push eax; ret 2_2_0041B818
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_0041B81B push eax; ret 2_2_0041B882
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_0041C932 push dword ptr [5E13B061h]; ret 2_2_0041C953
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_0041D32B pushfd ; retf 2_2_0041D32C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00415F0C push eax; iretd 2_2_00415F0D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_0041B7C5 push eax; ret 2_2_0041B818
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B0D0D1 push ecx; ret 2_2_00B0D0E4
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_1_00415053 push edx; iretd 2_1_004150E3
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_1_0041B87C push eax; ret 2_1_0041B882
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_1_0041B812 push eax; ret 2_1_0041B818
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_1_0041B81B push eax; ret 2_1_0041B882
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323D32B pushfd ; retf 13_2_0323D32C
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323C3D3 pushad ; iretd 13_2_0323C3D4
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323C932 push dword ptr [5E13B061h]; ret 13_2_0323C953
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323B812 push eax; ret 13_2_0323B818
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323B81B push eax; ret 13_2_0323B882
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323B87C push eax; ret 13_2_0323B882
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_03235053 push edx; iretd 13_2_032350E3
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_03235F0C push eax; iretd 13_2_03235F0D
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323B7C5 push eax; ret 13_2_0323B818
Source: C:\Windows\SysWOW64\help.exe Code function: 13_2_0323BC2B push ds; iretd 13_2_0323BC31
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405C49

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe File created: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\help.exe Process created: /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
Source: C:\Windows\SysWOW64\help.exe Process created: /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 0000000003228604 second address: 000000000322860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 000000000322898E second address: 0000000003228994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_004088C0 rdtsc 2_2_004088C0
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405250
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00405C22 FindFirstFileA,FindClose, 1_2_00405C22
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630
Source: explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000T
Source: explorer.exe, 00000005.00000000.284595003.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000023.00000000.487876979.0000000000FAF000.00000004.00000020.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000017.00000003.443121603.0000000007017000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00al
Source: explorer.exe, 00000017.00000003.411762107.0000000005883000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp Binary or memory string: NECVMWarVMware SATA CD001.009
Source: explorer.exe, 00000017.00000003.440383163.0000000006F2E000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000@v
Source: explorer.exe, 00000017.00000000.444700622.00000000042A8000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.446994329.00000000057DB000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000017.00000003.443296390.000000000709B000.00000004.00000001.sdmp Binary or memory string: ecvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}=
Source: explorer.exe, 00000005.00000000.291481228.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.446994329.00000000057DB000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00'9
Source: explorer.exe, 00000005.00000000.284490598.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000005.00000000.284595003.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}pi
Source: explorer.exe, 00000017.00000000.446540581.0000000005750000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: explorer.exe, 00000017.00000000.444700622.00000000042A8000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}es.
Source: explorer.exe, 00000017.00000000.412011276.0000000005750000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}tv
Source: explorer.exe, 00000005.00000000.293302322.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N
Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000023.00000003.507879759.00000000047CE000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@U-bx*JBU)&R{xjQ981bR+$Q^+o
Source: explorer.exe, 00000017.00000003.443296390.000000000709B000.00000004.00000001.sdmp Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}

Anti Debugging:

barindex
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_10008C55 IsDebuggerPresent, 1_2_10008C55
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_1000B110 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_1000B110
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress, 1_2_00405C49
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_10001000 GetProcessHeap,HeapAlloc,GetUserDefaultLCID, 1_2_10001000
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_004088C0 rdtsc 2_2_004088C0
Enables debug privileges
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF90AF mov eax, dword ptr fs:[00000030h] 2_2_00AF90AF
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AE20A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AE20A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AE20A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AE20A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AE20A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AE20A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEF0BF mov ecx, dword ptr fs:[00000030h] 2_2_00AEF0BF
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 2_2_00AEF0BF
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 2_2_00AEF0BF
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB9080 mov eax, dword ptr fs:[00000030h] 2_2_00AB9080
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B33884 mov eax, dword ptr fs:[00000030h] 2_2_00B33884
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B33884 mov eax, dword ptr fs:[00000030h] 2_2_00B33884
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB58EC mov eax, dword ptr fs:[00000030h] 2_2_00AB58EC
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B4B8D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00B4B8D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B4B8D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B4B8D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B4B8D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B4B8D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h] 2_2_00AE002D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h] 2_2_00AE002D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h] 2_2_00AE002D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h] 2_2_00AE002D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h] 2_2_00AE002D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h] 2_2_00ACB02A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h] 2_2_00ACB02A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h] 2_2_00ACB02A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h] 2_2_00ACB02A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B37016 mov eax, dword ptr fs:[00000030h] 2_2_00B37016
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B37016 mov eax, dword ptr fs:[00000030h] 2_2_00B37016
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B37016 mov eax, dword ptr fs:[00000030h] 2_2_00B37016
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B84015 mov eax, dword ptr fs:[00000030h] 2_2_00B84015
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B84015 mov eax, dword ptr fs:[00000030h] 2_2_00B84015
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B72073 mov eax, dword ptr fs:[00000030h] 2_2_00B72073
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B81074 mov eax, dword ptr fs:[00000030h] 2_2_00B81074
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD0050 mov eax, dword ptr fs:[00000030h] 2_2_00AD0050
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD0050 mov eax, dword ptr fs:[00000030h] 2_2_00AD0050
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h] 2_2_00B351BE
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h] 2_2_00B351BE
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h] 2_2_00B351BE
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h] 2_2_00B351BE
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE61A0 mov eax, dword ptr fs:[00000030h] 2_2_00AE61A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE61A0 mov eax, dword ptr fs:[00000030h] 2_2_00AE61A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B369A6 mov eax, dword ptr fs:[00000030h] 2_2_00B369A6
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEA185 mov eax, dword ptr fs:[00000030h] 2_2_00AEA185
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADC182 mov eax, dword ptr fs:[00000030h] 2_2_00ADC182
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE2990 mov eax, dword ptr fs:[00000030h] 2_2_00AE2990
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00ABB1E1
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00ABB1E1
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h] 2_2_00ABB1E1
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B441E8 mov eax, dword ptr fs:[00000030h] 2_2_00B441E8
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h] 2_2_00AD4120
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h] 2_2_00AD4120
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h] 2_2_00AD4120
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h] 2_2_00AD4120
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD4120 mov ecx, dword ptr fs:[00000030h] 2_2_00AD4120
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE513A mov eax, dword ptr fs:[00000030h] 2_2_00AE513A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE513A mov eax, dword ptr fs:[00000030h] 2_2_00AE513A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h] 2_2_00AB9100
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h] 2_2_00AB9100
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h] 2_2_00AB9100
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABC962 mov eax, dword ptr fs:[00000030h] 2_2_00ABC962
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h] 2_2_00ABB171
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h] 2_2_00ABB171
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADB944 mov eax, dword ptr fs:[00000030h] 2_2_00ADB944
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADB944 mov eax, dword ptr fs:[00000030h] 2_2_00ADB944
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 2_2_00AB52A5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 2_2_00AB52A5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 2_2_00AB52A5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 2_2_00AB52A5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h] 2_2_00AB52A5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACAAB0 mov eax, dword ptr fs:[00000030h] 2_2_00ACAAB0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACAAB0 mov eax, dword ptr fs:[00000030h] 2_2_00ACAAB0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEFAB0 mov eax, dword ptr fs:[00000030h] 2_2_00AEFAB0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AED294 mov eax, dword ptr fs:[00000030h] 2_2_00AED294
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AED294 mov eax, dword ptr fs:[00000030h] 2_2_00AED294
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE2AE4 mov eax, dword ptr fs:[00000030h] 2_2_00AE2AE4
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE2ACB mov eax, dword ptr fs:[00000030h] 2_2_00AE2ACB
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF4A2C mov eax, dword ptr fs:[00000030h] 2_2_00AF4A2C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF4A2C mov eax, dword ptr fs:[00000030h] 2_2_00AF4A2C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7AA16 mov eax, dword ptr fs:[00000030h] 2_2_00B7AA16
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7AA16 mov eax, dword ptr fs:[00000030h] 2_2_00B7AA16
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC8A0A mov eax, dword ptr fs:[00000030h] 2_2_00AC8A0A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD3A1C mov eax, dword ptr fs:[00000030h] 2_2_00AD3A1C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h] 2_2_00AB5210
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB5210 mov ecx, dword ptr fs:[00000030h] 2_2_00AB5210
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h] 2_2_00AB5210
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h] 2_2_00AB5210
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 2_2_00ABAA16
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h] 2_2_00ABAA16
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF927A mov eax, dword ptr fs:[00000030h] 2_2_00AF927A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B6B260 mov eax, dword ptr fs:[00000030h] 2_2_00B6B260
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B6B260 mov eax, dword ptr fs:[00000030h] 2_2_00B6B260
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B88A62 mov eax, dword ptr fs:[00000030h] 2_2_00B88A62
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7EA55 mov eax, dword ptr fs:[00000030h] 2_2_00B7EA55
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B44257 mov eax, dword ptr fs:[00000030h] 2_2_00B44257
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h] 2_2_00AB9240
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h] 2_2_00AB9240
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h] 2_2_00AB9240
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h] 2_2_00AB9240
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 2_2_00AE4BAD
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 2_2_00AE4BAD
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h] 2_2_00AE4BAD
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B85BA5 mov eax, dword ptr fs:[00000030h] 2_2_00B85BA5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC1B8F mov eax, dword ptr fs:[00000030h] 2_2_00AC1B8F
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC1B8F mov eax, dword ptr fs:[00000030h] 2_2_00AC1B8F
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B6D380 mov ecx, dword ptr fs:[00000030h] 2_2_00B6D380
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE2397 mov eax, dword ptr fs:[00000030h] 2_2_00AE2397
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7138A mov eax, dword ptr fs:[00000030h] 2_2_00B7138A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEB390 mov eax, dword ptr fs:[00000030h] 2_2_00AEB390
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADDBE9 mov eax, dword ptr fs:[00000030h] 2_2_00ADDBE9
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AE03E2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AE03E2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AE03E2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AE03E2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AE03E2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h] 2_2_00AE03E2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B353CA mov eax, dword ptr fs:[00000030h] 2_2_00B353CA
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B353CA mov eax, dword ptr fs:[00000030h] 2_2_00B353CA
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7131B mov eax, dword ptr fs:[00000030h] 2_2_00B7131B
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABDB60 mov ecx, dword ptr fs:[00000030h] 2_2_00ABDB60
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE3B7A mov eax, dword ptr fs:[00000030h] 2_2_00AE3B7A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE3B7A mov eax, dword ptr fs:[00000030h] 2_2_00AE3B7A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B88B58 mov eax, dword ptr fs:[00000030h] 2_2_00B88B58
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABDB40 mov eax, dword ptr fs:[00000030h] 2_2_00ABDB40
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABF358 mov eax, dword ptr fs:[00000030h] 2_2_00ABF358
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC849B mov eax, dword ptr fs:[00000030h] 2_2_00AC849B
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 2_2_00B36CF0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 2_2_00B36CF0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h] 2_2_00B36CF0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B714FB mov eax, dword ptr fs:[00000030h] 2_2_00B714FB
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B88CD6 mov eax, dword ptr fs:[00000030h] 2_2_00B88CD6
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEBC2C mov eax, dword ptr fs:[00000030h] 2_2_00AEBC2C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h] 2_2_00B71C06
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h] 2_2_00B8740D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h] 2_2_00B8740D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h] 2_2_00B8740D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h] 2_2_00B36C0A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h] 2_2_00B36C0A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h] 2_2_00B36C0A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h] 2_2_00B36C0A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD746D mov eax, dword ptr fs:[00000030h] 2_2_00AD746D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4C450 mov eax, dword ptr fs:[00000030h] 2_2_00B4C450
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4C450 mov eax, dword ptr fs:[00000030h] 2_2_00B4C450
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEA44B mov eax, dword ptr fs:[00000030h] 2_2_00AEA44B
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE35A1 mov eax, dword ptr fs:[00000030h] 2_2_00AE35A1
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B805AC mov eax, dword ptr fs:[00000030h] 2_2_00B805AC
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B805AC mov eax, dword ptr fs:[00000030h] 2_2_00B805AC
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 2_2_00AE1DB5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 2_2_00AE1DB5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h] 2_2_00AE1DB5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 2_2_00AB2D8A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 2_2_00AB2D8A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 2_2_00AB2D8A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 2_2_00AB2D8A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h] 2_2_00AB2D8A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h] 2_2_00AE2581
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h] 2_2_00AE2581
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h] 2_2_00AE2581
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h] 2_2_00AE2581
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEFD9B mov eax, dword ptr fs:[00000030h] 2_2_00AEFD9B
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEFD9B mov eax, dword ptr fs:[00000030h] 2_2_00AEFD9B
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B68DF1 mov eax, dword ptr fs:[00000030h] 2_2_00B68DF1
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACD5E0 mov eax, dword ptr fs:[00000030h] 2_2_00ACD5E0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACD5E0 mov eax, dword ptr fs:[00000030h] 2_2_00ACD5E0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 2_2_00B7FDE2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 2_2_00B7FDE2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 2_2_00B7FDE2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h] 2_2_00B7FDE2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B36DC9
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B36DC9
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B36DC9
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36DC9 mov ecx, dword ptr fs:[00000030h] 2_2_00B36DC9
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B36DC9
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h] 2_2_00B36DC9
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B3A537 mov eax, dword ptr fs:[00000030h] 2_2_00B3A537
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B88D34 mov eax, dword ptr fs:[00000030h] 2_2_00B88D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7E539 mov eax, dword ptr fs:[00000030h] 2_2_00B7E539
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 2_2_00AE4D3B
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 2_2_00AE4D3B
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h] 2_2_00AE4D3B
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h] 2_2_00AC3D34
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABAD30 mov eax, dword ptr fs:[00000030h] 2_2_00ABAD30
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADC577 mov eax, dword ptr fs:[00000030h] 2_2_00ADC577
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADC577 mov eax, dword ptr fs:[00000030h] 2_2_00ADC577
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF3D43 mov eax, dword ptr fs:[00000030h] 2_2_00AF3D43
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B33540 mov eax, dword ptr fs:[00000030h] 2_2_00B33540
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AD7D50 mov eax, dword ptr fs:[00000030h] 2_2_00AD7D50
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B346A7 mov eax, dword ptr fs:[00000030h] 2_2_00B346A7
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 2_2_00B80EA5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 2_2_00B80EA5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h] 2_2_00B80EA5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4FE87 mov eax, dword ptr fs:[00000030h] 2_2_00B4FE87
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE16E0 mov ecx, dword ptr fs:[00000030h] 2_2_00AE16E0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC76E2 mov eax, dword ptr fs:[00000030h] 2_2_00AC76E2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE36CC mov eax, dword ptr fs:[00000030h] 2_2_00AE36CC
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF8EC7 mov eax, dword ptr fs:[00000030h] 2_2_00AF8EC7
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B88ED6 mov eax, dword ptr fs:[00000030h] 2_2_00B88ED6
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B6FEC0 mov eax, dword ptr fs:[00000030h] 2_2_00B6FEC0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B6FE3F mov eax, dword ptr fs:[00000030h] 2_2_00B6FE3F
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABE620 mov eax, dword ptr fs:[00000030h] 2_2_00ABE620
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABC600 mov eax, dword ptr fs:[00000030h] 2_2_00ABC600
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABC600 mov eax, dword ptr fs:[00000030h] 2_2_00ABC600
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ABC600 mov eax, dword ptr fs:[00000030h] 2_2_00ABC600
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AE8E00 mov eax, dword ptr fs:[00000030h] 2_2_00AE8E00
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEA61C mov eax, dword ptr fs:[00000030h] 2_2_00AEA61C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEA61C mov eax, dword ptr fs:[00000030h] 2_2_00AEA61C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B71608 mov eax, dword ptr fs:[00000030h] 2_2_00B71608
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC766D mov eax, dword ptr fs:[00000030h] 2_2_00AC766D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ADAE73
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ADAE73
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ADAE73
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ADAE73
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h] 2_2_00ADAE73
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AC7E41
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AC7E41
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AC7E41
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AC7E41
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AC7E41
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h] 2_2_00AC7E41
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7AE44 mov eax, dword ptr fs:[00000030h] 2_2_00B7AE44
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B7AE44 mov eax, dword ptr fs:[00000030h] 2_2_00B7AE44
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B37794 mov eax, dword ptr fs:[00000030h] 2_2_00B37794
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B37794 mov eax, dword ptr fs:[00000030h] 2_2_00B37794
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B37794 mov eax, dword ptr fs:[00000030h] 2_2_00B37794
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AC8794 mov eax, dword ptr fs:[00000030h] 2_2_00AC8794
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AF37F5 mov eax, dword ptr fs:[00000030h] 2_2_00AF37F5
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB4F2E mov eax, dword ptr fs:[00000030h] 2_2_00AB4F2E
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AB4F2E mov eax, dword ptr fs:[00000030h] 2_2_00AB4F2E
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEE730 mov eax, dword ptr fs:[00000030h] 2_2_00AEE730
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEA70E mov eax, dword ptr fs:[00000030h] 2_2_00AEA70E
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00AEA70E mov eax, dword ptr fs:[00000030h] 2_2_00AEA70E
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4FF10 mov eax, dword ptr fs:[00000030h] 2_2_00B4FF10
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B4FF10 mov eax, dword ptr fs:[00000030h] 2_2_00B4FF10
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B8070D mov eax, dword ptr fs:[00000030h] 2_2_00B8070D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B8070D mov eax, dword ptr fs:[00000030h] 2_2_00B8070D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ADF716 mov eax, dword ptr fs:[00000030h] 2_2_00ADF716
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACFF60 mov eax, dword ptr fs:[00000030h] 2_2_00ACFF60
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00B88F6A mov eax, dword ptr fs:[00000030h] 2_2_00B88F6A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00ACEF40 mov eax, dword ptr fs:[00000030h] 2_2_00ACEF40
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00409B30 LdrLoadDll, 2_2_00409B30
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_10006D99 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_10006D99

HIPS / PFW / Operating System Protection Evasion:

barindex
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 3A0000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: unknown protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Memory written: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Thread register set: target process: 3292 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3292 Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 7028 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Process created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" Jump to behavior
Source: explorer.exe, 00000005.00000000.274601938.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.261201759.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290127542.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.342182465.0000000001400000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: help.exe, 0000000D.00000002.547567671.0000000005510000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.443357542.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.408592376.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.466112223.0000000001060000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.293113383.0000000005F40000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.274601938.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.261201759.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290127542.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.342182465.0000000001400000.00000002.00020000.sdmp, help.exe, 0000000D.00000002.547567671.0000000005510000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.444592093.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.443357542.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.467294757.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.408592376.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.411884481.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.410820687.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.468933160.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.466112223.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.446314521.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000000.491152975.0000000004E10000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000017.00000000.466112223.0000000001060000.00000002.00020000.sdmp Binary or memory string: Program Manager (Not Responding)
Source: explorer.exe, 00000005.00000000.274601938.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.261201759.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290127542.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.342182465.0000000001400000.00000002.00020000.sdmp, help.exe, 0000000D.00000002.547567671.0000000005510000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.444592093.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.443357542.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.467294757.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.408592376.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.411884481.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.410820687.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.468933160.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.466112223.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.446314521.0000000004DD0000.00000004.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.341894835.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.289851390.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.274337539.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.260760431.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 00000017.00000000.465523095.0000000000887000.00000004.00000020.sdmp, explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmp, explorer.exe, 00000017.00000000.437214765.0000000000887000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000005.00000000.274601938.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.261201759.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290127542.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.342182465.0000000001400000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.267309100.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.295958042.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.284490598.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_10005A74 cpuid 1_2_10005A74
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,StrCmpNIW,lstrlenA, 1_2_0040594D

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Source: explorer.exe, 00000017.00000000.471727245.0000000006E67000.00000004.00000010.sdmp, explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmp, explorer.exe, 00000023.00000002.528983579.00000000048B9000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 528718 Sample: STATEMENT Oct-Nov 25-11-2021.com Startdate: 25/11/2021 Architecture: WINDOWS Score: 100 32 Multi AV Scanner detection for domain / URL 2->32 34 Found malware configuration 2->34 36 Malicious sample detected (through community Yara rule) 2->36 38 5 other signatures 2->38 10 STATEMENT Oct-Nov 25-11-2021.exe 17 2->10         started        process3 file4 30 C:\Users\user\AppData\Local\...\ncpszgn.dll, PE32 10->30 dropped 48 Injects a PE file into a foreign processes 10->48 14 STATEMENT Oct-Nov 25-11-2021.exe 10->14         started        signatures5 process6 signatures7 50 Modifies the context of a thread in another process (thread injection) 14->50 52 Maps a DLL or memory area into another process 14->52 54 Sample uses process hollowing technique 14->54 56 Queues an APC in another process (thread injection) 14->56 17 explorer.exe 14->17 injected process8 process9 19 help.exe 17->19         started        signatures10 40 Self deletion via cmd delete 19->40 42 Modifies the context of a thread in another process (thread injection) 19->42 44 Maps a DLL or memory area into another process 19->44 46 Tries to detect virtualization through RDTSC time measurements 19->46 22 cmd.exe 1 19->22         started        24 explorer.exe 142 19->24         started        26 explorer.exe 1 148 19->26         started        process11 process12 28 conhost.exe 22->28         started       
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.davanamays.com/unzn/ true
  • 8%, Virustotal, Browse
  • Avira URL Cloud: safe
 low