Windows Analysis Report STATEMENT Oct-Nov 25-11-2021.com

Overview

General Information

Sample Name: STATEMENT Oct-Nov 25-11-2021.com (renamed file extension from com to exe)
Analysis ID: 528718
MD5: 02e738dd13974ab64a472f6aa2f065a8
SHA1: 6134aee9ceffce4d6ed1777739493def77b62533
SHA256: 9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • STATEMENT Oct-Nov 25-11-2021.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" MD5: 02E738DD13974AB64A472F6AA2F065A8)
    • STATEMENT Oct-Nov 25-11-2021.exe (PID: 6484 cmdline: "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" MD5: 02E738DD13974AB64A472F6AA2F065A8)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 3516 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 5748 cmdline: /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 7028 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • explorer.exe (PID: 2268 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.davanamays.com/unzn/"], "decoy": ["xiulf.com", "highcountrymortar.com", "523561.com", "marketingagency.tools", "ganmovie.net", "nationaalcontactpunt.com", "sirrbter.com", "begizas.xyz", "missimi-fashion.com", "munixc.info", "daas.support", "spaceworbc.com", "faithtruthresolve.com", "gymkub.com", "thegrayverse.xyz", "artisanmakefurniture.com", "029tryy.com", "ijuubx.biz", "iphone13promax.club", "techuniversus.com", "samrgov.xyz", "grownupcurl.com", "sj0755.net", "beekeeperkit.com", "richessesabondantes.com", "xclgjgjh.net", "webworkscork.com", "vedepviet365.com", "bretabeameven.com", "cdzsmhw.com", "clearperspective.biz", "tigrg5g784sh.biz", "bbezan011.xyz", "mycar.store", "mansooralobeidli.com", "ascensionmemberszoom.com", "unlimitedrehab.com", "wozka.top", "askylarkgoods.com", "rj793.com", "prosvalor.com", "primetimeexpress.com", "boixosnoisperu.com", "mmasportgear.com", "concertiranian.net", "hyponymys.info", "maila.one", "yti0fyic.xyz", "shashiprayag.com", "speedprosmotorsports.com", "westchestercountyjunkcars.com", "patienceinmypocket.com", "rausachbaoloc.com", "plexregroup.com", "outsydercs.com", "foodandflour.com", "lenacrypto.xyz", "homeservicetoday.net", "marthaperry.com", "vmtcyd4q8.com", "shamefulguys.com", "loccssol.store", "gnarledportra.xyz", "042atk.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
  • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.davanamays.com/unzn/"], "decoy": ["xiulf.com", "highcountrymortar.com", "523561.com", "marketingagency.tools", "ganmovie.net", "nationaalcontactpunt.com", "sirrbter.com", "begizas.xyz", "missimi-fashion.com", "munixc.info", "daas.support", "spaceworbc.com", "faithtruthresolve.com", "gymkub.com", "thegrayverse.xyz", "artisanmakefurniture.com", "029tryy.com", "ijuubx.biz", "iphone13promax.club", "techuniversus.com", "samrgov.xyz", "grownupcurl.com", "sj0755.net", "beekeeperkit.com", "richessesabondantes.com", "xclgjgjh.net", "webworkscork.com", "vedepviet365.com", "bretabeameven.com", "cdzsmhw.com", "clearperspective.biz", "tigrg5g784sh.biz", "bbezan011.xyz", "mycar.store", "mansooralobeidli.com", "ascensionmemberszoom.com", "unlimitedrehab.com", "wozka.top", "askylarkgoods.com", "rj793.com", "prosvalor.com", "primetimeexpress.com", "boixosnoisperu.com", "mmasportgear.com", "concertiranian.net", "hyponymys.info", "maila.one", "yti0fyic.xyz", "shashiprayag.com", "speedprosmotorsports.com", "westchestercountyjunkcars.com", "patienceinmypocket.com", "rausachbaoloc.com", "plexregroup.com", "outsydercs.com", "foodandflour.com", "lenacrypto.xyz", "homeservicetoday.net", "marthaperry.com", "vmtcyd4q8.com", "shamefulguys.com", "loccssol.store", "gnarledportra.xyz", "042atk.xyz"]}
Yara detected FormBook
Source: Yara match | File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.davanamays.com/unzn/ | Virustotal: Detection: 7%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll | Avira: detection malicious, Label: HEUR/AGEN.1120891
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll | Joe Sandbox ML: detected
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.explorer.exe.760796c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.explorer.exe.760796c.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 35.0.explorer.exe.82f796c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.help.exe.39a796c.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.help.exe.41d8a8.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 23.0.explorer.exe.760796c.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 35.2.explorer.exe.82f796c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: STATEMENT Oct-Nov 25-11-2021.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.256363211.0000000002B10000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252733019.0000000002980000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
Source: Binary string: help.pdbGCTL source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
Source: Binary string: help.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 1_2_00405250
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_00405C22 FindFirstFileA,FindClose, 1_2_00405C22
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_00402630 FindFirstFileA, 1_2_00402630
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 4x nop then pop ebx, 2_2_00406AC1
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop ebx, 13_2_03226AC1

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.davanamays.com/unzn/
Source: explorer.exe, 00000017.00000003.461333401.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.472114944.000000000704F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.443415910.000000000702F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.458553479.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.460429522.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.453265813.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.459390840.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.460026206.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.472080818.000000000702F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.454273557.000000000702F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.293121693.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.277038334.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.263876532.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 1_2_00404E07

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: STATEMENT Oct-Nov 25-11-2021.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00406043
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00404618
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_0040681A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_100010E0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_1000E21C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_1000C094
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_1000D301
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_1000BB22
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_1000B5B0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_100071CD
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00401030
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_0041CB44
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00408C6C
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00408C70
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00402D90
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_0041BEDF
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00402FB0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AE20A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B820A8
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00ACB090
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B828EC
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B8E824
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B71002
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AD4120
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00ABF900
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B822AE
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AEEBB0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B7DBD2
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B703DA
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B82B28
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AC841F
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B7D466
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AE2581
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00ACD5E0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B825DD
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AB0D20
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B82D07
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B81D55
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B82EF7
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AD6E30
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B7D616
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B81FF1
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00B8DFCE
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_1_00401030
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_0323CB44
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_03222FB0
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_03222D90
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_03228C6C
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_03228C70
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: String function: 00ABB150 appears 35 times
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_004185D0 NtCreateFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00418680 NtReadFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00418700 NtClose
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_004187B0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_004185CA NtCreateFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_0041867E NtReadFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00418622 NtCreateFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_004186FD NtClose
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_004187AA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9820 NtEnumerateKey
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AFB040 NtSuspendThread
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9950 NtQueueApcThread
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9A10 NtQuerySection
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AFA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9B00 NtSetValueKey
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AFAD30 NtSetContextThread
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9560 NtWriteFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF96D0 NtCreateKey
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9650 NtQueryValueKey
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AFA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9760 NtOpenProcess
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AF9770 NtSetInformationFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_2_00AFA770 NtOpenThread
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_1_004185D0 NtCreateFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_1_00418680 NtReadFile
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_1_00418700 NtClose
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 2_1_004187B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_03238700 NtClose
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_032387B0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_03238680 NtReadFile
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_032385D0 NtCreateFile
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_032387AA NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_03238622 NtCreateFile
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_0323867E NtReadFile
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_032386FD NtClose
Source: C:\Windows\SysWOW64\help.exe, Code function: 13_2_032385CA NtCreateFile
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.255722333.0000000002C2F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252085756.0000000002A96000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311812321.0000000000D3F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310919643.0000000000A54000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile read: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeJump to behavior
          Source: STATEMENT Oct-Nov 25-11-2021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeProcess created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeProcess created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" Jump to behavior
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"Jump to behavior
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.dbJump to behavior
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsnE1AF.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/2@0/0
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,1_2_00402012
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_0040411B
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:668:120:WilError_01
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: Binary string: wntdll.pdbUGP source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.256363211.0000000002B10000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252733019.0000000002980000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: help.pdbGCTL source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
          Source: Binary string: help.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_10009585 push ecx; ret 1_2_10009598
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00415053 push edx; iretd 2_2_004150E3
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B87C push eax; ret 2_2_0041B882
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B812 push eax; ret 2_2_0041B818
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B81B push eax; ret 2_2_0041B882
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041C932 push dword ptr [5E13B061h]; ret 2_2_0041C953
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041D32B pushfd ; retf 2_2_0041D32C
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00415F0C push eax; iretd 2_2_00415F0D
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B7C5 push eax; ret 2_2_0041B818
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B0D0D1 push ecx; ret 2_2_00B0D0E4
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_00415053 push edx; iretd 2_1_004150E3
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_0041B87C push eax; ret 2_1_0041B882
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_0041B812 push eax; ret 2_1_0041B818
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_0041B81B push eax; ret 2_1_0041B882
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323D32B pushfd ; retf 13_2_0323D32C
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323C3D3 pushad ; iretd 13_2_0323C3D4
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323C932 push dword ptr [5E13B061h]; ret 13_2_0323C953
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B812 push eax; ret 13_2_0323B818
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B81B push eax; ret 13_2_0323B882
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B87C push eax; ret 13_2_0323B882
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03235053 push edx; iretd 13_2_032350E3
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03235F0C push eax; iretd 13_2_03235F0D
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B7C5 push eax; ret 13_2_0323B818
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323BC2B push ds; iretd 13_2_0323BC31
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405C49
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile created: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dllJump to dropped file

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete
Source: C:\Windows\SysWOW64\help.exe | Process created: /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 0000000003228604 second address: 000000000322860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe | RDTSC instruction interceptor: First address: 000000000322898E second address: 0000000003228994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_004088C0 rdtsc 2_2_004088C0
Source: C:\Windows\explorer.exe | File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_00405250
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_00405C22 FindFirstFileA,FindClose,1_2_00405C22
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_00402630 FindFirstFileA,1_2_00402630
Source: explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp | Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000T
Source: explorer.exe, 00000005.00000000.284595003.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000023.00000000.487876979.0000000000FAF000.00000004.00000020.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000017.00000003.443121603.0000000007017000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00al
Source: explorer.exe, 00000017.00000003.411762107.0000000005883000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp | Binary or memory string: NECVMWarVMware SATA CD001.009
Source: explorer.exe, 00000017.00000003.440383163.0000000006F2E000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000@v
Source: explorer.exe, 00000017.00000000.444700622.00000000042A8000.00000004.00000001.sdmp | Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.446994329.00000000057DB000.00000004.00000001.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000017.00000003.443296390.000000000709B000.00000004.00000001.sdmp | Binary or memory string: ecvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}=
Source: explorer.exe, 00000005.00000000.291481228.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000017.00000000.446994329.00000000057DB000.00000004.00000001.sdmp | Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp | Binary or memory string: NECVMWarVMware SATA CD001.00'9
Source: explorer.exe, 00000005.00000000.284490598.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000005.00000000.284595003.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}pi
Source: explorer.exe, 00000017.00000000.446540581.0000000005750000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: explorer.exe, 00000017.00000000.444700622.00000000042A8000.00000004.00000001.sdmp | Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}es.
Source: explorer.exe, 00000017.00000000.412011276.0000000005750000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}tv
Source: explorer.exe, 00000005.00000000.293302322.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N
Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000023.00000003.507879759.00000000047CE000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@U-bx*JBU)&R{xjQ981bR+$Q^+o
Source: explorer.exe, 00000017.00000003.443296390.000000000709B000.00000004.00000001.sdmp | Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_10008C55 IsDebuggerPresent,1_2_10008C55
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_1000B110 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,1_2_1000B110
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405C49
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_10001000 GetProcessHeap,HeapAlloc,GetUserDefaultLCID,1_2_10001000
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_004088C0 rdtsc 2_2_004088C0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF90AF mov eax, dword ptr fs:[00000030h] 2_2_00AF90AF
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h] 2_2_00AE20A0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AEF0BF mov ecx, dword ptr fs:[00000030h] 2_2_00AEF0BF
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AEF0BF mov eax, dword ptr fs:[00000030h] 2_2_00AEF0BF
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AB9080 mov eax, dword ptr fs:[00000030h] 2_2_00AB9080
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00B33884 mov eax, dword ptr fs:[00000030h] 2_2_00B33884
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AB58EC mov eax, dword ptr fs:[00000030h] 2_2_00AB58EC
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00B4B8D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00B4B8D0
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h] 2_2_00AE002D
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h] 2_2_00ACB02A
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00B37016 mov eax, dword ptr fs:[00000030h] 2_2_00B37016
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00B84015 mov eax, dword ptr fs:[00000030h] 2_2_00B84015
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00B72073 mov eax, dword ptr fs:[00000030h] 2_2_00B72073
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B81074 mov eax, dword ptr fs:[00000030h]2_2_00B81074
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD0050 mov eax, dword ptr fs:[00000030h]2_2_00AD0050
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD0050 mov eax, dword ptr fs:[00000030h]2_2_00AD0050
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]2_2_00B351BE
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]2_2_00B351BE
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]2_2_00B351BE
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]2_2_00B351BE
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE61A0 mov eax, dword ptr fs:[00000030h]2_2_00AE61A0
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE61A0 mov eax, dword ptr fs:[00000030h]2_2_00AE61A0
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B369A6 mov eax, dword ptr fs:[00000030h]2_2_00B369A6
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEA185 mov eax, dword ptr fs:[00000030h]2_2_00AEA185
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADC182 mov eax, dword ptr fs:[00000030h]2_2_00ADC182
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2990 mov eax, dword ptr fs:[00000030h]2_2_00AE2990
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]2_2_00ABB1E1
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]2_2_00ABB1E1
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]2_2_00ABB1E1
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B441E8 mov eax, dword ptr fs:[00000030h]2_2_00B441E8
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]2_2_00AD4120
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]2_2_00AD4120
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]2_2_00AD4120
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]2_2_00AD4120
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov ecx, dword ptr fs:[00000030h]2_2_00AD4120
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE513A mov eax, dword ptr fs:[00000030h]2_2_00AE513A
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE513A mov eax, dword ptr fs:[00000030h]2_2_00AE513A
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]2_2_00AB9100
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]2_2_00AB9100
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]2_2_00AB9100
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABC962 mov eax, dword ptr fs:[00000030h]2_2_00ABC962
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h]2_2_00ABB171
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h]2_2_00ABB171
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADB944 mov eax, dword ptr fs:[00000030h]2_2_00ADB944
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov