
Windows Analysis Report: STATEMENT Oct-Nov 25-11-2021.com

Overview

General Information

Sample Name: STATEMENT Oct-Nov 25-11-2021.com (renamed file extension from com to exe)
Analysis ID: 528718
MD5: 02e738dd13974ab64a472f6aa2f065a8
SHA1: 6134aee9ceffce4d6ed1777739493def77b62533
SHA256: 9acf8fb51cab55a01a74cb84ca9958862b29b8909408e87412700e63a4f578ae
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Self deletion via cmd delete
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • STATEMENT Oct-Nov 25-11-2021.exe (PID: 6448 cmdline: "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" MD5: 02E738DD13974AB64A472F6AA2F065A8)
    • STATEMENT Oct-Nov 25-11-2021.exe (PID: 6484 cmdline: "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" MD5: 02E738DD13974AB64A472F6AA2F065A8)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 3516 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 5748 cmdline: /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 7028 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • explorer.exe (PID: 2268 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.davanamays.com/unzn/"], "decoy": ["xiulf.com", "highcountrymortar.com", "523561.com", "marketingagency.tools", "ganmovie.net", "nationaalcontactpunt.com", "sirrbter.com", "begizas.xyz", "missimi-fashion.com", "munixc.info", "daas.support", "spaceworbc.com", "faithtruthresolve.com", "gymkub.com", "thegrayverse.xyz", "artisanmakefurniture.com", "029tryy.com", "ijuubx.biz", "iphone13promax.club", "techuniversus.com", "samrgov.xyz", "grownupcurl.com", "sj0755.net", "beekeeperkit.com", "richessesabondantes.com", "xclgjgjh.net", "webworkscork.com", "vedepviet365.com", "bretabeameven.com", "cdzsmhw.com", "clearperspective.biz", "tigrg5g784sh.biz", "bbezan011.xyz", "mycar.store", "mansooralobeidli.com", "ascensionmemberszoom.com", "unlimitedrehab.com", "wozka.top", "askylarkgoods.com", "rj793.com", "prosvalor.com", "primetimeexpress.com", "boixosnoisperu.com", "mmasportgear.com", "concertiranian.net", "hyponymys.info", "maila.one", "yti0fyic.xyz", "shashiprayag.com", "speedprosmotorsports.com", "westchestercountyjunkcars.com", "patienceinmypocket.com", "rausachbaoloc.com", "plexregroup.com", "outsydercs.com", "foodandflour.com", "lenacrypto.xyz", "homeservicetoday.net", "marthaperry.com", "vmtcyd4q8.com", "shamefulguys.com", "loccssol.store", "gnarledportra.xyz", "042atk.xyz"]}

Yara Overview

Memory Dumps

Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • (the same ten $sequence_* string matches, at the same offsets, as listed for the previous memory dump)

      Unpacked PEs

Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
  • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  • (the same ten $sequence_* string matches, at the same offsets, as listed for the previous unpacked PE)

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match, File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for domain / URL
Source: www.davanamays.com/unzn/, Virustotal: Detection: 7%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll, Avira: detection malicious, Label: HEUR/AGEN.1120891
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dll, Joe Sandbox ML: detected
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, Avira: Label: TR/Patched.Ren.Gen2
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.explorer.exe.760796c.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 23.0.explorer.exe.760796c.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 35.0.explorer.exe.82f796c.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.help.exe.39a796c.4.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 13.2.help.exe.41d8a8.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 23.0.explorer.exe.760796c.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 35.2.explorer.exe.82f796c.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: STATEMENT Oct-Nov 25-11-2021.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: wntdll.pdbUGP source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.256363211.0000000002B10000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252733019.0000000002980000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: help.pdbGCTL source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
          Source: Binary string: help.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00405C22 FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00402630 FindFirstFileA,
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop ebx

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.davanamays.com/unzn/
Source: explorer.exe, 00000017.00000003.461333401.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.472114944.000000000704F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.443415910.000000000702F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.458553479.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.460429522.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.453265813.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.459390840.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000003.460026206.000000000702C000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.472080818.000000000702F000.00000004.00000001.sdmp, explorer.exe, 00000017.00000000.454273557.000000000702F000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000002.257876081.0000000000409000.00000004.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000000.247284292.0000000000409000.00000008.00020000.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000000.251921584.0000000000409000.00000008.00020000.sdmp, help.exe, 0000000D.00000002.547156305.00000000039A7000.00000004.00020000.sdmp, explorer.exe, 00000017.00000000.416516639.0000000007607000.00000004.00020000.sdmp, explorer.exe, 00000023.00000000.498368505.00000000082F7000.00000004.00020000.sdmp, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.293121693.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.277038334.0000000006840000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.263876532.0000000006840000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe, Code function: 1_2_00404E07 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match (the same 11 unpacked PE sources and 12 memory dump sources as listed for this signature under AV Detection above)

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: STATEMENT Oct-Nov 25-11-2021.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.STATEMENT Oct-Nov 25-11-2021.exe.2940000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.STATEMENT Oct-Nov 25-11-2021.exe.400000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.STATEMENT Oct-Nov 25-11-2021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.310494411.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.257390266.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.310637175.00000000005C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.310690464.00000000005F0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.546085020.0000000002F20000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.298278377.000000000EA41000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.546402750.0000000003220000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.259654857.0000000002940000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.256870202.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.545597108.0000000000700000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.285449444.000000000EA41000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.256084055.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_004030E3 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: String function: 00ABB150 appears 35 times
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00418700 NtClose,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_004187B0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_004185CA NtCreateFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_0041867E NtReadFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00418622 NtCreateFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_004186FD NtClose,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_004187AA NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AFB040 NtSuspendThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF99D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9A10 NtQuerySection,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AFA3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF95F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AFAD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9560 NtWriteFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF96D0 NtCreateKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AFA710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9760 NtOpenProcess,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AF9770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_2_00AFA770 NtOpenThread,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_1_004185D0 NtCreateFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_1_00418680 NtReadFile,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_1_00418700 NtClose,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Code function: 2_1_004187B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03238700 NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032387B0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03238680 NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032385D0 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032387AA NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03238622 NtCreateFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_0323867E NtReadFile,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032386FD NtClose,
          Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032385CA NtCreateFile,
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.255722333.0000000002C2F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252085756.0000000002A96000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311812321.0000000000D3F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310919643.0000000000A54000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | File read: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe
          Source: STATEMENT Oct-Nov 25-11-2021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe | Process created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeProcess created: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000015.dbJump to behavior
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsnE1AF.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/2@0/0
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_0040411B GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:668:120:WilError_01
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe
          Source: C:\Windows\SysWOW64\help.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: Binary string: wntdll.pdbUGP source: STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.256363211.0000000002B10000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000001.00000003.252733019.0000000002980000.00000004.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310930504.0000000000A90000.00000040.00000001.sdmp, STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.311294977.0000000000BAF000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.546712152.00000000033EF000.00000040.00000001.sdmp
          Source: Binary string: help.pdbGCTL source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
          Source: Binary string: help.pdb source: STATEMENT Oct-Nov 25-11-2021.exe, 00000002.00000002.310903133.0000000000A50000.00000040.00020000.sdmp
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_10009585 push ecx; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00415053 push edx; iretd
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B81B push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041C932 push dword ptr [5E13B061h]; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041D32B pushfd ; retf
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00415F0C push eax; iretd
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_0041B7C5 push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B0D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_00415053 push edx; iretd
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_0041B87C push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_0041B812 push eax; ret
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_1_0041B81B push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323D32B pushfd ; retf
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323C3D3 pushad ; iretd
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323C932 push dword ptr [5E13B061h]; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B812 push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B81B push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B87C push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03235053 push edx; iretd
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03235F0C push eax; iretd
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323B7C5 push eax; ret
          Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_0323BC2B push ds; iretd
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeFile created: C:\Users\user\AppData\Local\Temp\nsiE1DF.tmp\ncpszgn.dllJump to dropped file

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\help.exe; Process created: /c del "C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe"
          Source: C:\Windows\explorer.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\help.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe; RDTSC instruction interceptor: First address: 0000000003228604 second address: 000000000322860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\help.exe; RDTSC instruction interceptor: First address: 000000000322898E second address: 0000000003228994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_004088C0 rdtsc
          Source: C:\Windows\explorer.exe; File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 1_2_00405250 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 1_2_00405C22 FindFirstFileA,FindClose,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 1_2_00402630 FindFirstFileA,
          Source: explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmp; Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000017.00000000.453456484.0000000006E67000.00000004.00000010.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp; Binary or memory string: NECVMWarVMware SATA CD001.00
          Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmp; Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000T
          Source: explorer.exe, 00000005.00000000.284595003.0000000008B88000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp; Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000023.00000000.487876979.0000000000FAF000.00000004.00000020.sdmp; Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000017.00000003.443121603.0000000007017000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD00al
          Source: explorer.exe, 00000017.00000003.411762107.0000000005883000.00000004.00000001.sdmp; Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp; Binary or memory string: NECVMWarVMware SATA CD001.009
          Source: explorer.exe, 00000017.00000003.440383163.0000000006F2E000.00000004.00000001.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000@v
          Source: explorer.exe, 00000017.00000000.444700622.00000000042A8000.00000004.00000001.sdmp; Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000017.00000003.411651567.000000000587E000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000017.00000000.446994329.00000000057DB000.00000004.00000001.sdmp; Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000017.00000003.443296390.000000000709B000.00000004.00000001.sdmp; Binary or memory string: ecvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}=
          Source: explorer.exe, 00000005.00000000.291481228.00000000048E0000.00000004.00000001.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000017.00000000.446994329.00000000057DB000.00000004.00000001.sdmp; Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000017.00000000.471628012.0000000006DF7000.00000004.00000010.sdmp; Binary or memory string: NECVMWarVMware SATA CD001.00'9
          Source: explorer.exe, 00000005.00000000.284490598.0000000008ACF000.00000004.00000001.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000005.00000000.284595003.0000000008B88000.00000004.00000001.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}pi
          Source: explorer.exe, 00000017.00000000.446540581.0000000005750000.00000004.00000001.sdmp; Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
          Source: explorer.exe, 00000017.00000000.444700622.00000000042A8000.00000004.00000001.sdmp; Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}es.
          Source: explorer.exe, 00000017.00000000.412011276.0000000005750000.00000004.00000001.sdmp; Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}tv
          Source: explorer.exe, 00000005.00000000.293302322.00000000069DA000.00000004.00000001.sdmp; Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 00000017.00000000.407458850.0000000000887000.00000004.00000020.sdmp; Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}N
          Source: explorer.exe, 00000017.00000000.471885262.0000000006F2E000.00000004.00000010.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000023.00000003.507879759.00000000047CE000.00000004.00000001.sdmp; Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@U-bx*JBU)&R{xjQ981bR+$Q^+o
          Source: explorer.exe, 00000017.00000003.443296390.000000000709B000.00000004.00000001.sdmp; Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 1_2_10008C55 IsDebuggerPresent,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 1_2_1000B110 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 1_2_00405C49 GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 1_2_10001000 GetProcessHeap,HeapAlloc,GetUserDefaultLCID,
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_004088C0 rdtsc
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\help.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AF90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AE20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AEF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AEF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AB9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B33884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AB58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B4B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B4B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AE002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00ACB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B37016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B84015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B72073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B81074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AD0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B351BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AE61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B369A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AEA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00ADC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AE2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00ABB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00B441E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AD4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AD4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AE513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe; Code function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AED294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B6B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B6B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B44257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B85BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B6D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B353CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B71C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B8740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B805AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AB2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AEFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B68DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ACD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B36DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B3A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B88D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B7E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ABAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00ADC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B33540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AD7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B346A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B80EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00B4FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AC76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AE36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exeCode function: 2_2_00AF8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\STATEMENT Oct-Nov 25-11-2021.exe