Loading ...

Play interactive tourEdit tour

Windows Analysis Report O53TFikPkp

Overview

General Information

Sample Name:O53TFikPkp (renamed file extension from none to exe)
Analysis ID:552998
MD5:be56d049ee926fbccec623695d12a5c6
SHA1:1fa7ea2d0e348b7e1d79a7e6426e6f10376238e4
SHA256:626213dec6f5f7c552974fc4d9fe954cb70b94f03588aa4550cd545789034167
Tags:32exetrojan
Infos:

Most interesting Screenshot:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Multi AV Scanner detection for dropped file
Detected unpacking (creates a PE file in dynamic memory)
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal ftp login credentials
Machine Learning detection for sample
Injects a PE file into a foreign processes
.NET source code contains very large array initializations
Moves itself to temp directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • O53TFikPkp.exe (PID: 6712 cmdline: "C:\Users\user\Desktop\O53TFikPkp.exe" MD5: BE56D049EE926FBCCEC623695D12A5C6)
    • O53TFikPkp.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\O53TFikPkp.exe" MD5: BE56D049EE926FBCCEC623695D12A5C6)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "mailfilter247@yandex.com", "Password": "daddyhandsome@1234", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000000.665781318.0000000000414000.00000040.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    00000002.00000000.665781318.0000000000414000.00000040.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
      00000002.00000002.924721394.0000000003631000.00000004.00000001.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000002.00000002.924721394.0000000003631000.00000004.00000001.sdmpJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
          00000002.00000002.923015296.0000000000549000.00000004.00000020.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 18 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            2.2.O53TFikPkp.exe.25e0000.3.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              2.2.O53TFikPkp.exe.25e0000.3.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                2.1.O53TFikPkp.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  2.1.O53TFikPkp.exe.400000.0.unpackJoeSecurity_AgentTesla_2Yara detected AgentTeslaJoe Security
                    2.0.O53TFikPkp.exe.415058.9.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                      Click to see the 53 entries

                      Sigma Overview

                      No Sigma rule has matched

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Found malware configurationShow sources
                      Source: 2.0.O53TFikPkp.exe.400000.6.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "mailfilter247@yandex.com", "Password": "daddyhandsome@1234", "Host": "smtp.yandex.com"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: O53TFikPkp.exeVirustotal: Detection: 51%Perma Link
                      Source: O53TFikPkp.exeReversingLabs: Detection: 53%
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\AppData\Local\Temp\nsr28EF.tmp\eqbaypenr.dllReversingLabs: Detection: 40%
                      Machine Learning detection for sampleShow sources
                      Source: O53TFikPkp.exeJoe Sandbox ML: detected
                      Source: 2.0.O53TFikPkp.exe.400000.6.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.2.O53TFikPkp.exe.4970000.5.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.2.O53TFikPkp.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.O53TFikPkp.exe.400000.2.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.O53TFikPkp.exe.400000.5.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.1.O53TFikPkp.exe.400000.0.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.O53TFikPkp.exe.400000.3.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.O53TFikPkp.exe.400000.1.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.O53TFikPkp.exe.400000.4.unpackAvira: Label: TR/Spy.Gen8
                      Source: 2.0.O53TFikPkp.exe.400000.8.unpackAvira: Label: TR/Spy.Gen8

                      Compliance:

                      barindex
                      Detected unpacking (creates a PE file in dynamic memory)Show sources
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeUnpacked PE file: 2.2.O53TFikPkp.exe.4970000.5.unpack
                      Source: O53TFikPkp.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: Binary string: wntdll.pdbUGP source: O53TFikPkp.exe, 00000001.00000003.660492913.00000000032F0000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000001.00000003.658708230.0000000003160000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: O53TFikPkp.exe, 00000001.00000003.660492913.00000000032F0000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000001.00000003.658708230.0000000003160000.00000004.00000001.sdmp
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00405D7C FindFirstFileA,FindClose,1_2_00405D7C
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_004053AA
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00402630 FindFirstFileA,1_2_00402630
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29
                      Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
                      Source: global trafficTCP traffic: 192.168.2.4:49803 -> 77.88.21.158:587
                      Source: global trafficTCP traffic: 192.168.2.4:49803 -> 77.88.21.158:587
                      Source: O53TFikPkp.exe, 00000002.00000002.923951407.0000000002631000.00000004.00000001.sdmpString found in binary or memory: http://127.0.0.1:HTTP/1.1
                      Source: O53TFikPkp.exe, 00000002.00000002.923951407.0000000002631000.00000004.00000001.sdmpString found in binary or memory: http://DynDns.comDynDNS
                      Source: O53TFikPkp.exe, 00000002.00000002.923951407.0000000002631000.00000004.00000001.sdmpString found in binary or memory: http://UbQjJM.com
                      Source: O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ca.crl0h
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925621657.0000000005A90000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://crls.yandex.net/certum/ycasha2.crl0-
                      Source: O53TFikPkp.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
                      Source: O53TFikPkp.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ca.cer09
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ctnca.cer09
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925621657.0000000005A90000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://repository.certum.pl/ycasha2.cer0
                      Source: O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://smtp.yandex.com
                      Source: O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certu
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com0.
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://subca.ocsp-certum.com01
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://www.certum.pl/CPS0
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925621657.0000000005A90000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://yandex.crl.certum.pl/ycasha2.crl0q
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925621657.0000000005A90000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: http://yandex.ocsp-responder.com03
                      Source: O53TFikPkp.exe, 00000002.00000002.923951407.0000000002631000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%
                      Source: O53TFikPkp.exe, 00000002.00000002.923951407.0000000002631000.00000004.00000001.sdmpString found in binary or memory: https://api.ipify.org%GETMozilla/5.0
                      Source: O53TFikPkp.exe, 00000002.00000002.924375629.00000000029A5000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924396051.00000000029AD000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.888941433.0000000005151000.00000004.00000001.sdmpString found in binary or memory: https://bbTPeNUsMvT4JktW3MN.com
                      Source: O53TFikPkp.exe, 00000002.00000003.906856475.0000000005AD6000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905948236.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925666483.0000000005AC2000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.925621657.0000000005A90000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924286996.0000000002981000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000003.905834271.0000000005AD4000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924446366.00000000029C3000.00000004.00000001.sdmpString found in binary or memory: https://www.certum.pl/CPS0
                      Source: O53TFikPkp.exe, O53TFikPkp.exe, 00000002.00000000.665781318.0000000000414000.00000040.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924721394.0000000003631000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.923912577.00000000025E0000.00000004.00020000.sdmp, O53TFikPkp.exe, 00000002.00000002.922818649.0000000000400000.00000040.00000001.sdmp, O53TFikPkp.exe, 00000002.00000002.924840687.0000000004972000.00000040.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                      Source: O53TFikPkp.exe, 00000002.00000002.923951407.0000000002631000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
                      Source: unknownDNS traffic detected: queries for: smtp.yandex.com
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_00404F61

                      System Summary:

                      barindex
                      .NET source code contains very large array initializationsShow sources
                      Source: 2.2.O53TFikPkp.exe.4970000.5.unpack, u003cPrivateImplementationDetailsu003eu007b2A2AA767u002d7D90u002d43DEu002dACF4u002d870AEC55D6EBu007d/u003631AE4A7u002dA1C6u002d4422u002d8C60u002d7447CA07753B.csLarge array initialization: .cctor: array initializer size 11961
                      Source: O53TFikPkp.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,1_2_00403225
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_0040604C1_2_0040604C
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_004047721_2_00404772
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0040A2A52_2_0040A2A5
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_004648402_2_00464840
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_00464C782_2_00464C78
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_00461DD82_2_00461DD8
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0046EA602_2_0046EA60
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0046AC202_2_0046AC20
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_00466CB02_2_00466CB0
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0046C75F2_2_0046C75F
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0046C7C02_2_0046C7C0
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_007161382_2_00716138
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0071F1382_2_0071F138
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_00715B012_2_00715B01
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0071D8582_2_0071D858
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_008CE2002_2_008CE200
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_008C04F62_2_008C04F6
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_008C89902_2_008C8990
                      Source: O53TFikPkp.exe, 00000001.00000003.658828325.0000000003276000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs O53TFikPkp.exe
                      Source: O53TFikPkp.exe, 00000001.00000003.662197259.000000000340F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs O53TFikPkp.exe
                      Source: O53TFikPkp.exe, 00000001.00000002.667167111.00000000022B0000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGHVfffxRlZmplFWkRRUtYKzwxFM.exe4 vs O53TFikPkp.exe
                      Source: O53TFikPkp.exeBinary or memory string: OriginalFilename vs O53TFikPkp.exe
                      Source: O53TFikPkp.exe, 00000002.00000000.665781318.0000000000414000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameGHVfffxRlZmplFWkRRUtYKzwxFM.exe4 vs O53TFikPkp.exe
                      Source: O53TFikPkp.exe, 00000002.00000002.924721394.0000000003631000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameGHVfffxRlZmplFWkRRUtYKzwxFM.exe4 vs O53TFikPkp.exe
                      Source: O53TFikPkp.exe, 00000002.00000002.923912577.00000000025E0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameGHVfffxRlZmplFWkRRUtYKzwxFM.exe4 vs O53TFikPkp.exe
                      Source: O53TFikPkp.exe, 00000002.00000002.922818649.0000000000400000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameGHVfffxRlZmplFWkRRUtYKzwxFM.exe4 vs O53TFikPkp.exe
                      Source: O53TFikPkp.exe, 00000002.00000002.924840687.0000000004972000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameGHVfffxRlZmplFWkRRUtYKzwxFM.exe4 vs O53TFikPkp.exe
                      Source: O53TFikPkp.exe, 00000002.00000002.922757502.0000000000199000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs O53TFikPkp.exe
                      Source: O53TFikPkp.exeVirustotal: Detection: 51%
                      Source: O53TFikPkp.exeReversingLabs: Detection: 53%
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile read: C:\Users\user\Desktop\O53TFikPkp.exeJump to behavior
                      Source: O53TFikPkp.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                      Source: unknownProcess created: C:\Users\user\Desktop\O53TFikPkp.exe "C:\Users\user\Desktop\O53TFikPkp.exe"
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess created: C:\Users\user\Desktop\O53TFikPkp.exe "C:\Users\user\Desktop\O53TFikPkp.exe"
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess created: C:\Users\user\Desktop\O53TFikPkp.exe "C:\Users\user\Desktop\O53TFikPkp.exe" Jump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile created: C:\Users\user\AppData\Roaming\yf3kqygs.3juJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile created: C:\Users\user\AppData\Local\Temp\nsr28ED.tmpJump to behavior
                      Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/5@4/1
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,1_2_00402012
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,1_2_00404275
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_00401489 GetModuleHandleW,GetModuleHandleW,FindResourceW,GetModuleHandleW,LoadResource,LockResource,GetModuleHandleW,SizeofResource,FreeResource,ExitProcess,2_2_00401489
                      Source: 2.2.O53TFikPkp.exe.4970000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: 2.2.O53TFikPkp.exe.4970000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: Binary string: wntdll.pdbUGP source: O53TFikPkp.exe, 00000001.00000003.660492913.00000000032F0000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000001.00000003.658708230.0000000003160000.00000004.00000001.sdmp
                      Source: Binary string: wntdll.pdb source: O53TFikPkp.exe, 00000001.00000003.660492913.00000000032F0000.00000004.00000001.sdmp, O53TFikPkp.exe, 00000001.00000003.658708230.0000000003160000.00000004.00000001.sdmp

                      Data Obfuscation:

                      barindex
                      Detected unpacking (creates a PE file in dynamic memory)Show sources
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeUnpacked PE file: 2.2.O53TFikPkp.exe.4970000.5.unpack
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_72B21000 push eax; ret 1_2_72B2102E
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_00401F16 push ecx; ret 2_2_00401F29
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_00469848 push 000045CAh; retf 0045h2_2_0046984D
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0071B557 push edi; retn 0000h2_2_0071B559
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0071D2E9 push eax; retf 0071h2_2_0071D39D
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0071D3A0 push eax; retf 0071h2_2_0071D3A1
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405DA3
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeFile created: C:\Users\user\AppData\Local\Temp\nsr28EF.tmp\eqbaypenr.dllJump to dropped file

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Moves itself to temp directoryShow sources
                      Source: c:\users\user\desktop\o53tfikpkp.exeFile moved: C:\Users\user\AppData\Local\Temp\tmpG377.tmpJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion:

                      barindex
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\O53TFikPkp.exe TID: 3144Thread sleep time: -16602069666338586s >= -30000sJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exe TID: 5528Thread sleep count: 8758 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exe TID: 5528Thread sleep count: 1093 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWindow / User API: threadDelayed 8758Jump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWindow / User API: threadDelayed 1093Jump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00405D7C FindFirstFileA,FindClose,1_2_00405D7C
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,1_2_004053AA
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00402630 FindFirstFileA,1_2_00402630
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_00404A29 FindFirstFileExW,2_2_00404A29
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeAPI call chain: ExitProcess graph end nodegraph_1-3617
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeAPI call chain: ExitProcess graph end nodegraph_1-3613
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeAPI call chain: ExitProcess graph end nodegraph_2-54460
                      Source: O53TFikPkp.exe, 00000002.00000002.925621657.0000000005A90000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_0040446F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0040446F
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,1_2_00405DA3
                      Source: C:\Users\user\Desktop\O53TFikPkp.exeCode function: 2_2_004067FE GetProcessHeap,2_2_004067FE