
Windows Analysis Report STATEMENT Oct-Nov 25-11-2021.com

Overview

General Information

Sample Name: STATEMENT Oct-Nov 25-11-2021.com (renamed file extension from com to exe)
Analysis ID: 528718
MD5: 02e738dd13974ab64a472f6aa2f065a8
SHA1: 6134aee9ceffce4d6ed1777739493def77b62533
SHA256: 9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Process Tree

  • System is w10x64
  • STATEMENT Oct-Nov 25-11-2021.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" MD5: 02E738DD13974AB64A472F6AA2F065A8)
    • STATEMENT Oct-Nov 25-11-2021.exe (PID: 6484 cmdline: "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" MD5: 02E738DD13974AB64A472F6AA2F065A8)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 3516 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 5748 cmdline: /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 7028 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • explorer.exe (PID: 2268 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.davanamays.com/unzn/"], "decoy": ["xiulf.com", "highcountrymortar.com", "523561.com", "marketingagency.tools", "ganmovie.net", "nationaalcontactpunt.com", "sirrbter.com", "begizas.xyz", "missimi-fashion.com", "munixc.info", "daas.support", "spaceworbc.com", "faithtruthresolve.com", "gymkub.com", "thegrayverse.xyz", "artisanmakefurniture.com", "029tryy.com", "ijuubx.biz", "iphone13promax.club", "techuniversus.com", "samrgov.xyz", "grownupcurl.com", "sj0755.net", "beekeeperkit.com", "richessesabondantes.com", "xclgjgjh.net", "webworkscork.com", "vedepviet365.com", "bretabeameven.com", "cdzsmhw.com", "clearperspective.biz", "tigrg5g784sh.biz", "bbezan011.xyz", "mycar.store", "mansooralobeidli.com", "ascensionmemberszoom.com", "unlimitedrehab.com", "wozka.top", "askylarkgoods.com", "rj793.com", "prosvalor.com", "primetimeexpress.com", "boixosnoisperu.com", "mmasportgear.com", "concertiranian.net", "hyponymys.info", "maila.one", "yti0fyic.xyz", "shashiprayag.com", "speedprosmotorsports.com", "westchestercountyjunkcars.com", "patienceinmypocket.com", "rausachbaoloc.com", "plexregroup.com", "outsydercs.com", "foodandflour.com", "lenacrypto.xyz", "homeservicetoday.net", "marthaperry.com", "vmtcyd4q8.com", "shamefulguys.com", "loccssol.store", "gnarledportra.xyz", "042atk.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C

00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

31 further memory dump entries are not shown in this view.

      Unpacked PEs

Source | Rule | Description | Author | Strings

1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
  • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C

2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

28 further unpacked PE entries are not shown in this view.

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (the extracted C2 and decoy configuration is listed in full under Malware Configuration above)
Yara detected FormBook
Source: Yara match, file source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.davanamays.com/unzn/, VirusTotal: Detection: 7%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll, Avira: detection malicious, Label: HEUR/AGEN.1120891
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll, Joe Sandbox ML: detected
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.explorer.exe.760796c.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.explorer.exe.760796c.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 35.0.explorer.exe.82f796c.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.help.exe.39a796c.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.help.exe.41d8a8.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 23.0.explorer.exe.760796c.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 35.2.explorer.exe.82f796c.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: STATEMENT Oct-Nov 25-11-2021.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: wntdll.pdbUGP source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.256363211.0000000002B10000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252733019.0000000002980000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: help.pdbGCTL source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
          Source: Binary string: help.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop ebx

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.davanamays.com/unzn/
Source: explorer.exe, 00000017.00000003.461333401.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.472114944.000000000704F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.443415910.000000000702F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.458553479.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.460429522.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.453265813.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.459390840.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.460026206.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.472080818.000000000702F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.454273557.000000000702F000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.293121693.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.277038334.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.263876532.0000000006840000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, file source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: STATEMENT Oct-Nov 25-11-2021.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: String function: 00ABB150 appears 35 times
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_004185CA NtCreateFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041867E NtReadFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00418622 NtCreateFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_004186FD NtClose,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_004187AA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AFB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AFA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AFAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9560 NtWriteFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AFA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AFA770 NtOpenThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_00418700 NtClose,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_004187B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03238700 NtClose,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032387B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03238680 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032385D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032387AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03238622 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323867E NtReadFile,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032386FD NtClose,
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_032385CA NtCreateFile,
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.255722333.0000000002C2F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252085756.0000000002A96000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311812321.0000000000D3F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310919643.0000000000A54000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameHelp.Exej% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile read: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeProcess created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeProcess created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.db
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsnE1AF.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/2@0/0
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:668:120:WilError_01
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: Binary string: wntdll.pdbUGP source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.256363211.0000000002B10000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252733019.0000000002980000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: help.pdbGCTL source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
          Source: Binary string: help.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_10009585 push ecx; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00415053 push edx; iretd
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041C932 push dword ptr [5E13B061h]; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041D32B pushfd ; retf
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00415F0C push eax; iretd
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B7C5 push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B0D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_00415053 push edx; iretd
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_0041B81B push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323D32B pushfd ; retf
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323C3D3 pushad ; iretd
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323C932 push dword ptr [5E13B061h]; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B812 push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B81B push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B87C push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03235053 push edx; iretd
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03235F0C push eax; iretd
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B7C5 push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323BC2B push ds; iretd
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile created: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\help.exeProcess created: /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\SysWOW64\help.exeProcess created: /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\explorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeRDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeRDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 0000000003228604 second address: 000000000322860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exeRDTSC instruction interceptor: First address: 000000000322898E second address: 0000000003228994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_004088C0 rdtsc
          Source: C:\Windows\explorer.exeFile opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00405C22 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00402630 FindFirstFileA,
          Source: explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmpBinary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00
          Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000T
          Source: explorer.exe, 00000005.00000000.284595003.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000023.00000000.487876979.0000000000FAF000.00000004.00000020.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000017.00000003.443121603.0000000007017000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD00al
          Source: explorer.exe, 00000017.00000003.411762107.0000000005883000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmpBinary or memory string: NECVMWarVMware SATA CD001.009
          Source: explorer.exe, 00000017.00000003.440383163.0000000006F2E000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000@v
          Source: explorer.exe, 00000017.00000000.444700622.00000000042A8000.00000004.00000001.sdmpBinary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000017.00000000.446994329.00000000057DB000.00000004.00000001.sdmpBinary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000017.00000003.443296390.000000000709B000.00000004.00000001.sdmpBinary or memory string: ecvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}=
          Source: explorer.exe, 00000005.00000000.291481228.00000000048E0000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000017.00000000.446994329.00000000057DB000.00000004.00000001.sdmpBinary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmpBinary or memory string: NECVMWarVMware SATA CD001.00'9
          Source: explorer.exe, 00000005.00000000.284490598.0000000008ACF000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000005.00000000.284595003.0000000008B88000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}pi
          Source: explorer.exe, 00000017.00000000.446540581.0000000005750000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
          Source: explorer.exe, 00000017.00000000.444700622.00000000042A8000.00000004.00000001.sdmpBinary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}es.
          Source: explorer.exe, 00000017.00000000.412011276.0000000005750000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}tv
          Source: explorer.exe, 00000005.00000000.293302322.00000000069DA000.00000004.00000001.sdmpBinary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N
          Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000023.00000003.507879759.00000000047CE000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@U-bx*JBU)&R{xjQ981bR+$Q^+o
          Source: explorer.exe, 00000017.00000003.443296390.000000000709B000.00000004.00000001.sdmpBinary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_10008C55 IsDebuggerPresent,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_1000B110 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_10001000 GetProcessHeap,HeapAlloc,GetUserDefaultLCID,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\help.exeProcess token adjusted: Debug
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B33884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B37016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B84015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B72073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B81074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B369A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B441E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B6B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B6B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B44257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B85BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B6D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B68DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B3A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B33540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B6FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B6FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B37794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B8070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B8070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 2_2_00409B30 LdrLoadDll,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Code function: 1_2_10006D99 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion:

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 3A0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: unknown protection: read write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Memory written: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Thread register set: target process: 3292
          Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3292
          Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 7028
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe Process created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
Source: explorer.exe, 00000005.00000000.274601938.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.261201759.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290127542.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.342182465.0000000001400000.00000002.00020000.sdmp | Binary or memory string: uProgram Manager
Source: help.exe, 0000000D.00000002.547567671.0000000005510000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.443357542.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.408592376.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.466112223.0000000001060000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.293113383.0000000005F40000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.274601938.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.261201759.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290127542.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.342182465.0000000001400000.00000002.00020000.sdmp, help.exe, 0000000D.00000002.547567671.0000000005510000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.444592093.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.443357542.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.467294757.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.408592376.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.411884481.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.410820687.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.468933160.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.466112223.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.446314521.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000023.00000000.491152975.0000000004E10000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000017.00000000.466112223.0000000001060000.00000002.00020000.sdmp | Binary or memory string: Program Manager (Not Responding)
Source: explorer.exe, 00000005.00000000.274601938.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.261201759.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290127542.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.342182465.0000000001400000.00000002.00020000.sdmp, help.exe, 0000000D.00000002.547567671.0000000005510000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.444592093.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.443357542.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.467294757.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.408592376.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.411884481.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.410820687.0000000004230000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.468933160.0000000004DD0000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.466112223.0000000001060000.00000002.00020000.sdmp, explorer.exe, 00000017.00000000.446314521.0000000004DD0000.00000004.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.341894835.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.289851390.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.274337539.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.260760431.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 00000017.00000000.465523095.0000000000887000.00000004.00000020.sdmp, explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmp, explorer.exe, 00000017.00000000.437214765.0000000000887000.00000004.00000020.sdmp | Binary or memory string: ProgmanX
Source: explorer.exe, 00000005.00000000.274601938.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.261201759.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.290127542.0000000001400000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.342182465.0000000001400000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.267309100.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.295958042.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.284490598.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndAj
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_10005A74 cpuid
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 1_2_0040594D GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,StrCmpNIW,lstrlenA,
Source: explorer.exe, 00000017.00000000.471727245.0000000006E67000.00000004.00000010.sdmp, explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmp, explorer.exe, 00000023.00000002.528983579.00000000048B9000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Native API1 | Path Interception | Process Injection512 | Masquerading1 | OS Credential Dumping | Query Registry1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
Default Accounts | Shared Modules1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | LSASS Memory | Security Software Discovery171 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection512 | Security Account Manager | Virtualization/Sandbox Evasion2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Information Discovery113 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | File Deletion1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Behavior Graph

Behavior Graph ID: 528718 | Sample: STATEMENT Oct-Nov 25-11-2021.com | Startdate: 25/11/2021 | Architecture: WINDOWS | Score: 100

Process tree recovered from the graph (signatures attached to each node):

• Start: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures
  • STATEMENT Oct-Nov 25-11-2021.exe (started): dropped C:\Users\user\AppData\Local\...\ncpszgn.dll (PE32); Injects a PE file into a foreign processes
    • STATEMENT Oct-Nov 25-11-2021.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      • explorer.exe (injected)
        • help.exe (started): Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started)
            • conhost.exe (started)
          • explorer.exe (started)
          • explorer.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          No Antivirus matches

          Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll | 100% | Avira | HEUR/AGEN.1120891
C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll | 100% | Joe Sandbox ML |

          Unpacked PE Files

Source | Detection | Scanner | Label
2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
23.0.explorer.exe.760796c.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
23.0.explorer.exe.760796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.STATEMENT Oct-Nov 25-11-2021.exe.10000000.2.unpack | 100% | Avira | HEUR/AGEN.1120891
35.0.explorer.exe.82f796c.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.2.help.exe.39a796c.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
13.2.help.exe.41d8a8.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
23.0.explorer.exe.760796c.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
35.2.explorer.exe.82f796c.0.unpack | 100% | Avira | TR/Patched.Ren.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
www.davanamays.com/unzn/ | 8% | Virustotal |
www.davanamays.com/unzn/ | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.davanamays.com/unzn/ | true | 8%, Virustotal; Avira URL Cloud: safe | low

          URLs from Memory and Binaries

Name | Source | Malicious | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000005.00000000.293121693.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.277038334.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.263876532.0000000006840000.00000004.00000001.sdmp | false | high
http://nsis.sf.net/NSIS_Error | STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp | false | high
http://nsis.sf.net/NSIS_ErrorError | STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp | false | high

                Contacted IPs

                No contacted IP infos

                General Information

                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:528718
                Start date:25.11.2021
                Start time:17:48:31
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 10m 32s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:STATEMENT Oct-Nov 25-11-2021.com (renamed file extension from com to exe)
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:38
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:1
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@9/2@0/0
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 26.7% (good quality ratio 24.1%)
                • Quality average: 73.8%
                • Quality standard deviation: 32.2%
                HCA Information:
                • Successful, ratio: 91%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                Warnings:
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, mobsync.exe, wuapihost.exe
                • Excluded IPs from analysis (whitelisted): 20.42.65.92
                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtEnumerateKey calls found.
                • Report size getting too big, too many NtEnumerateValueKey calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.

                Simulations

                Behavior and APIs

Time | Type | Description
17:50:39 | API Interceptor | 149x Sleep call for process: explorer.exe modified

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

                No context

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Temp\a66g5g72a86y4s
                Process:C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe
                File Type:data
                Category:dropped
                Size (bytes):217921
                Entropy (8bit):7.993006258714848
                Encrypted:true
                SSDEEP:3072:PFMHlejS23l+iJRw6Sq5C9O1qTNCY3ZR4YPaFnqAv8SGoFC8SwGDxIB11y7N+ElY:PFslU/JRwEEIsxCcR4xgQ3C87lBuk5
                MD5:1D70B490556922498B42E9CE56CB8D8A
                SHA1:884D47ED8FD75C8F68655D94DE2C2B3AA858A5D8
                SHA-256:F23DAAC89A555B61A44CBE1CFCD9373E2478E7B29AF8F97F176C91EED9084B76
                SHA-512:B2B811F1A727EF0D407EA8FC2317966444BE0B4FE87C274D2FD9D592CA8F8820B97FD383B7F1392EA4FA2C63207C3807E7B405EA3B2AACEBD971ABE799337E71
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll
                Process:C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe
                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                Category:modified
                Size (bytes):89088
                Entropy (8bit):6.404549025482599
                Encrypted:false
                SSDEEP:1536:jrgK7figbwJzpTzjgANnndassDD/7AQRMtLXhtLbUfs2IExJ:jrf7igb69hZnLQOLxtL+x
                MD5:C3678C74295FF18273F177D3058BCC9D
                SHA1:619A2FBFB1F1512E96AF74733345E5539786E789
                SHA-256:D6CB2032B903D1820CC840659D655877CBA6D1E6746EBF366696AED3D9DC0C65
                SHA-512:3542B7DFEEA67460F52FD40F212831EBC33A7831B3B05770CE619C0E25F030129028E5E96C3291FC578D39075107E7EF8BF5883EA79A38C69A0EDEE9DF72056C
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                Reputation:low

                Static File Info

                General

                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                Entropy (8bit):7.865250344327481
                TrID:
                • Win32 Executable (generic) a (10002005/4) 92.16%
                • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:STATEMENT Oct-Nov 25-11-2021.exe
                File size:309066
                MD5:02e738dd13974ab64a472f6aa2f065a8
                SHA1:6134aee9ceffce4d6ed1777739493def77b62533
                SHA256:9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae
                SHA512:90ce5711d1f3abd07398c38706f5dc48da02676a86331115b5c7724fd98b1b41606f3d80763d3c03663c1c1bf7864609d65eae183b73f5df2db8e73a49bccf09
                SSDEEP:6144:jGiOxrmz8TDb8POk87FSITkQ3nWFdYhBukErhH:6Fmz8TDbLkcoM742DsrhH

                File Icon

                Icon Hash:0d32b232f3c8c453

                Static PE Info

                General

                Entrypoint:0x4030e3
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                DLL Characteristics:
                Time Stamp:0x48EFCDCD [Fri Oct 10 21:49:01 2008 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:7fa974366048f9c551ef45714595665e

                Entrypoint Preview

                Instruction
                sub esp, 00000180h
                push ebx
                push ebp
                push esi
                xor ebx, ebx
                push edi
                mov dword ptr [esp+18h], ebx
                mov dword ptr [esp+10h], 00409158h
                xor esi, esi
                mov byte ptr [esp+14h], 00000020h
                call dword ptr [00407030h]
                push 00008001h
                call dword ptr [004070B0h]
                push ebx
                call dword ptr [0040727Ch]
                push 00000008h
                mov dword ptr [0042EC18h], eax
                call 00007F178CD63628h
                mov dword ptr [0042EB64h], eax
                push ebx
                lea eax, dword ptr [esp+34h]
                push 00000160h
                push eax
                push ebx
                push 00428F90h
                call dword ptr [00407158h]
                push 0040914Ch
                push 0042E360h
                call 00007F178CD632DFh
                call dword ptr [004070ACh]
                mov edi, 00434000h
                push eax
                push edi
                call 00007F178CD632CDh
                push ebx
                call dword ptr [0040710Ch]
                cmp byte ptr [00434000h], 00000022h
                mov dword ptr [0042EB60h], eax
                mov eax, edi
                jne 00007F178CD60B0Ch
                mov byte ptr [esp+14h], 00000022h
                mov eax, 00434001h
                push dword ptr [esp+14h]
                push eax
                call 00007F178CD62DC0h
                push eax
                call dword ptr [0040721Ch]
                mov dword ptr [esp+1Ch], eax
                jmp 00007F178CD60B65h
                cmp cl, 00000020h
                jne 00007F178CD60B08h
                inc eax
                cmp byte ptr [eax], 00000020h
                je 00007F178CD60AFCh
                cmp byte ptr [eax], 00000022h
                mov byte ptr [eax+eax+00h], 00000000h

                Rich Headers

                Programming Language:
                • [EXP] VC++ 6.0 SP5 build 8804

                Data Directories

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74b0 | 0xb4 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x37000 | 0x4148 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

                Sections

                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x5b68 | 0x5c00 | False | 0.67722486413 | data | 6.48746502716 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rdata | 0x7000 | 0x129c | 0x1400 | False | 0.4337890625 | data | 5.04904254867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x9000 | 0x25c58 | 0x400 | False | 0.58203125 | data | 4.76995537906 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .ndata | 0x2f000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .rsrc | 0x37000 | 0x4148 | 0x4200 | False | 0.218039772727 | data | 4.00493607489 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                Resources

                Name | RVA | Size | Type | Language | Country
                RT_ICON | 0x371f0 | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4291519581, next used block 4291519581 | English | United States
                RT_ICON | 0x39798 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4290724409, next used block 4290724409 | English | United States
                RT_ICON | 0x3a840 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                RT_DIALOG | 0x3aca8 | 0x100 | data | English | United States
                RT_DIALOG | 0x3ada8 | 0x11c | data | English | United States
                RT_DIALOG | 0x3aec8 | 0x60 | data | English | United States
                RT_GROUP_ICON | 0x3af28 | 0x30 | data | English | United States
                RT_MANIFEST | 0x3af58 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                Imports

                DLL | Import
                KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
                USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                Possible Origin

                Language of compilation system | Country where language is spoken
                English | United States

                Network Behavior

                No network behavior found

                Code Manipulations

                Statistics

                Behavior


                System Behavior

                General

                Start time:17:49:30
                Start date:25/11/2021
                Path:C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
                Imagebase:0x400000
                File size:309066 bytes
                MD5 hash:02E738DD13974AB64A472F6AA2F065A8
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                General

                Start time:17:49:32
                Start date:25/11/2021
                Path:C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
                Imagebase:0x400000
                File size:309066 bytes
                MD5 hash:02E738DD13974AB64A472F6AA2F065A8
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                General

                Start time:17:49:36
                Start date:25/11/2021
                Path:C:\Windows\explorer.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Explorer.EXE
                Imagebase:0x7ff662bf0000
                File size:3933184 bytes
                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:high

                General

                Start time:17:49:56
                Start date:25/11/2021
                Path:C:\Windows\SysWOW64\help.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\help.exe
                Imagebase:0x3a0000
                File size:10240 bytes
                MD5 hash:09A715036F14D3632AD03B52D1DA6BFF
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:moderate

                General

                Start time:17:50:00
                Start date:25/11/2021
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:/c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
                Imagebase:0x870000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:50:01
                Start date:25/11/2021
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff774ee0000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:50:37
                Start date:25/11/2021
                Path:C:\Windows\explorer.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                Imagebase:0x7ff662bf0000
                File size:3933184 bytes
                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:17:51:16
                Start date:25/11/2021
                Path:C:\Windows\explorer.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                Imagebase:0x7ff662bf0000
                File size:3933184 bytes
                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Disassembly

                Code Analysis
