Windows Analysis Report
dK0SRzWoPq

Overview

General Information

Sample Name: dK0SRzWoPq (renamed file extension from none to exe)
Analysis ID: 620777
MD5: 6f111b596da1ac7d71c4362b18309648
SHA1: e09f8065342a4c8664148bec4b0d9265e7e5842a
SHA256: 285e772a15413afa15e86632327faebaa56ff23d0ca19249c228b2d531e19f96
Tags: 32, exe, Formbook, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Process Tree

  • System is w10x64
  • dK0SRzWoPq.exe (PID: 772 cmdline: "C:\Users\user\Desktop\dK0SRzWoPq.exe" MD5: 6F111B596DA1AC7D71C4362B18309648)
    • pkypr.exe (PID: 1924 cmdline: C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca MD5: 087998162F8FBD6E48CC5AB45BE63449)
      • pkypr.exe (PID: 6380 cmdline: C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca MD5: 087998162F8FBD6E48CC5AB45BE63449)
        • explorer.exe (PID: 3808 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • autoconv.exe (PID: 5488 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
          • mstsc.exe (PID: 404 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
            • cmd.exe (PID: 7084 cmdline: /c del "C:\Users\user~1\AppData\Local\Temp\pkypr.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
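The chain above reads as follows: dK0SRzWoPq.exe (an NSIS installer, going by the http://nsis.sf.net/NSIS_Error string found in it further down) writes pkypr.exe to the user's Temp directory; pkypr.exe relaunches itself with an identical command line; the second instance is shown with explorer.exe beneath it, consistent with the injection signatures listed above; explorer.exe then starts 32-bit system binaries from SysWOW64 with no arguments; and mstsc.exe finally runs cmd.exe /c del to remove the dropped pkypr.exe. The script below is an added example, not part of the report: it encodes those three relationships as detection rules and runs them over process-creation events constructed from the tree's PIDs and command lines. The image path of cmd.exe is not given in the tree and is assumed, as are the field names and output format.

```python
"""Flag the FormBook-style execution chain recorded in the process tree above.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from
the PIDs, parents and command lines shown in the tree, in a minimal
Sysmon-Event-ID-1-like shape; the image path of cmd.exe is assumed.
"""
import re
from pathlib import PureWindowsPath

TEMP = r"C:\Users\user~1\AppData\Local\Temp"

# Constructed from the report's process tree (not a real Sysmon export).
EVENTS = [
    {"pid": 772, "ppid": 0, "image": r"C:\Users\user\Desktop\dK0SRzWoPq.exe",
     "cmdline": r'"C:\Users\user\Desktop\dK0SRzWoPq.exe"'},
    {"pid": 1924, "ppid": 772, "image": TEMP + r"\pkypr.exe",
     "cmdline": TEMP + r"\pkypr.exe " + TEMP + r"\zpcthwca"},
    {"pid": 6380, "ppid": 1924, "image": TEMP + r"\pkypr.exe",
     "cmdline": TEMP + r"\pkypr.exe " + TEMP + r"\zpcthwca"},
    {"pid": 3808, "ppid": 6380, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 5488, "ppid": 3808, "image": r"C:\Windows\SysWOW64\autoconv.exe",
     "cmdline": r"C:\Windows\SysWOW64\autoconv.exe"},
    {"pid": 404, "ppid": 3808, "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r"C:\Windows\SysWOW64\mstsc.exe"},
    {"pid": 7084, "ppid": 404, "image": r"C:\Windows\SysWOW64\cmd.exe",  # path assumed
     "cmdline": r'/c del "' + TEMP + r'\pkypr.exe"'},
    {"pid": 6884, "ppid": 7084, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?\.exe)"?\s*$', re.IGNORECASE)
SYSWOW64 = "c:\\windows\\syswow64\\"
WINDOWS = "c:\\windows\\"


def base_name(image):
    return PureWindowsPath(image).name.lower()


def ancestors(by_pid, pid):
    """Walk from pid to the root, returning the events in order (self first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_chain(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        image, name = e["image"].lower(), base_name(e["image"])

        # 1. A binary dropped in the user's Temp relaunching itself with an
        #    identical command line (the second pkypr.exe is the hollowed copy).
        if (TEMP_DIR_RE.search(image) and parent["image"].lower() == image
                and parent["cmdline"] == e["cmdline"]):
            findings.append(f"self-relaunch from Temp: pid {e['pid']} <- {e['ppid']} {name}")

        # 2. explorer.exe starting a 32-bit system binary with no arguments at all;
        #    in this tree those are the processes the payload migrates into.
        if (base_name(parent["image"]) == "explorer.exe" and image.startswith(SYSWOW64)
                and e["cmdline"].strip().lower() == image):
            findings.append(f"explorer.exe -> bare SysWOW64 binary: pid {e['pid']} {name}")

        # 3. cmd.exe deleting an executable in Temp on behalf of a Windows binary:
        #    the dropper being cleaned up once the payload runs elsewhere.
        m = DEL_RE.search(e["cmdline"]) if name == "cmd.exe" else None
        if m and TEMP_DIR_RE.search(m.group(1)) and parent["image"].lower().startswith(WINDOWS):
            chain = " <- ".join(base_name(a["image"]) for a in ancestors(by_pid, e["pid"]))
            findings.append(f"self-delete of {m.group(1)} via {base_name(parent['image'])}; chain: {chain}")
    return findings


if __name__ == "__main__":
    for line in find_chain(EVENTS):
        print(line)
```

Rule 2 is deliberately narrow (a SysWOW64 image whose command line is nothing but its own path); on a real fleet you would want to baseline which system binaries explorer.exe legitimately starts that way before alerting on it.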
Malware Configuration

{"C2 list": ["www.hsf777.com/m0d4/"], "decoy": ["prettyhairdivas.mobi", "cityblocksnft.com", "laraqiiz.com", "mubarakdigitalmedia.com", "perstockholm.com", "xn--imprio-dva.site", "baigouw.com", "support-client-video.com", "phomas.info", "dengedizayn.com", "zoommachone.xyz", "houseoflancasterhours.com", "petarungslot.website", "tyrs-it.com", "dalianzhuchiren.com", "tenthgenerationtorah.com", "portres.online", "1-minute.store", "shikakunazo.com", "veymes.store", "ruvedaj.xyz", "apremotesamsung.com", "palia.world", "you-sayso.com", "nftsofis.com", "arthamandirialkesindo.com", "bangkhacollections.com", "digitalfactoryinstitut.com", "aceites.info", "altcoinwatcher.com", "pearlsofgraceinc.com", "xianzyw.com", "gxclzs.com", "greenlighteams.com", "aavinya.com", "sans-gluten.store", "clanbeware.com", "protocolohfresco.site", "meredithlobrien.com", "cryoablation.xyz", "avicciibook.com", "toastpack.com", "linktosmutgoeshere.com", "38289.xyz", "xn--08s.com", "techkaisimi.com", "jllpx.com", "dubaicarclinic.com", "zhidao95.com", "aletterboxd.com", "warrantyglobe.com", "mindfeed.pro", "bhreselect.com", "sdfijsdjidf.xyz", "russetconstruction.com", "futternmitflo.com", "triumphgroup.xyz", "tn299td.com", "bulkheadsrestaurantgroup.com", "luvy.world", "h3s4.com", "gamewaycos.com", "totalbodyfit.online", "trendadler.com"]}
Source | Rule | Description | Author | Strings
00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18839:$sqlite3step: 68 34 1C 7B E1
  • 0x1894c:$sqlite3step: 68 34 1C 7B E1
  • 0x18868:$sqlite3text: 68 38 2A 90 C5
  • 0x1898d:$sqlite3text: 68 38 2A 90 C5
  • 0x1887b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 more entries not shown)
Source | Rule | Description | Author | Strings
2.2.pkypr.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.pkypr.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.pkypr.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17a39:$sqlite3step: 68 34 1C 7B E1
  • 0x17b4c:$sqlite3step: 68 34 1C 7B E1
  • 0x17a68:$sqlite3text: 68 38 2A 90 C5
  • 0x17b8d:$sqlite3text: 68 38 2A 90 C5
  • 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C
2.2.pkypr.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.pkypr.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(22 more entries not shown)
No Sigma rule has matched
No Snort rule has matched
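Two things in the Yara output above are worth checking by hand. Each $sqlite3* string is an x86 push imm32 (opcode 68) of a 32-bit constant that the JPCERT/CC rule names after a sqlite3 routine, and $sequence_0 decodes to add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax, the RDTSC timing check reported in the signature list. Also, every offset in the .raw.unpack view is exactly 0xe00 higher than the same string's offset in the .unpack view, which is what you expect when one view is the in-memory section layout and the other a rebuilt file with tighter alignment. The script below is an added example, not the rule authors' code and not part of the report: it scans a constructed buffer (not a real dump) for the sequences copied from above, decodes a pushed constant, and verifies the constant shift from the offsets copied above.

```python
"""Match the FormBook byte sequences from the Yara output above and check their offsets.

Added example, not the rule authors' code or part of the report. The hex strings
and offsets are copied from the Yara results above; the buffer scanned is
constructed here so the scan runs offline.
"""

# Hex strings as printed in the Yara output. Each sqlite3* string is
# `68 xx xx xx xx`, an x86 `push imm32`; the rule names the constant after the
# sqlite3 routine it stands for. $sequence_0 decodes to
# add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: an RDTSC timing check.
SIGNATURES = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}

# Offsets reported above for the same strings in the two views of the pkypr.exe
# 0x400000 region: the raw memory dump (.raw.unpack) and the rebuilt PE (.unpack).
RAW_UNPACK = {"sequence_0": [0x9908, 0x9b72], "sqlite3step": [0x18839, 0x1894c],
              "sqlite3text": [0x18868, 0x1898d], "sqlite3blob": [0x1887b, 0x189a3]}
UNPACK = {"sequence_0": [0x8b08, 0x8d72], "sqlite3step": [0x17a39, 0x17b4c],
          "sqlite3text": [0x17a68, 0x17b8d], "sqlite3blob": [0x17a7b, 0x17ba3]}


def hex_to_bytes(hexstr):
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf, signatures=SIGNATURES):
    """Return {name: [offsets]} for every occurrence of each byte sequence in buf."""
    hits = {}
    for name, hexstr in signatures.items():
        pat, offsets, start = hex_to_bytes(hexstr), [], 0
        while (i := buf.find(pat, start)) != -1:
            offsets.append(i)
            start = i + 1
        hits[name] = offsets
    return hits


def push_immediate(buf, off):
    """Decode the little-endian operand of a `push imm32` (opcode 0x68) at off."""
    if buf[off] != 0x68:
        raise ValueError(f"no push imm32 at {off:#x}")
    return int.from_bytes(buf[off + 1:off + 5], "little")


def constant_shift(a, b):
    """Offset delta a - b shared by every hit, or None if the two layouts differ non-uniformly."""
    deltas = {x - y for name in a for x, y in zip(a[name], b[name])}
    return deltas.pop() if len(deltas) == 1 else None


def build_sample():
    """Constructed 1 KiB buffer (not a real dump) with the sequences planted at known offsets."""
    buf = bytearray(b"\xcc" * 0x400)
    for off, name in {0x100: "sqlite3step", 0x140: "sqlite3text", 0x180: "sqlite3blob",
                      0x200: "sequence_0", 0x2c0: "sequence_0"}.items():
        pat = hex_to_bytes(SIGNATURES[name])
        buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    for name, offs in scan(sample).items():
        print(name, [hex(o) for o in offs])
    print("sqlite3step constant:", hex(push_immediate(sample, 0x100)))
    print("raw.unpack - unpack shift:", hex(constant_shift(RAW_UNPACK, UNPACK)))
```

A single push of a 32-bit constant is a weak indicator on its own; the JPCERT/CC rule gains its precision from requiring the combination, and the yara-signator sequences from being code, not data, which is why both rule sets are run against unpacked memory rather than the packed file on disk.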


AV Detection

Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.hsf777.com/m0d4/"], "decoy": ["prettyhairdivas.mobi", "cityblocksnft.com", "laraqiiz.com", "mubarakdigitalmedia.com", "perstockholm.com", "xn--imprio-dva.site", "baigouw.com", "support-client-video.com", "phomas.info", "dengedizayn.com", "zoommachone.xyz", "houseoflancasterhours.com", "petarungslot.website", "tyrs-it.com", "dalianzhuchiren.com", "tenthgenerationtorah.com", "portres.online", "1-minute.store", "shikakunazo.com", "veymes.store", "ruvedaj.xyz", "apremotesamsung.com", "palia.world", "you-sayso.com", "nftsofis.com", "arthamandirialkesindo.com", "bangkhacollections.com", "digitalfactoryinstitut.com", "aceites.info", "altcoinwatcher.com", "pearlsofgraceinc.com", "xianzyw.com", "gxclzs.com", "greenlighteams.com", "aavinya.com", "sans-gluten.store", "clanbeware.com", "protocolohfresco.site", "meredithlobrien.com", "cryoablation.xyz", "avicciibook.com", "toastpack.com", "linktosmutgoeshere.com", "38289.xyz", "xn--08s.com", "techkaisimi.com", "jllpx.com", "dubaicarclinic.com", "zhidao95.com", "aletterboxd.com", "warrantyglobe.com", "mindfeed.pro", "bhreselect.com", "sdfijsdjidf.xyz", "russetconstruction.com", "futternmitflo.com", "triumphgroup.xyz", "tn299td.com", "bulkheadsrestaurantgroup.com", "luvy.world", "h3s4.com", "gamewaycos.com", "totalbodyfit.online", "trendadler.com"]}
Source: dK0SRzWoPq.exe; ReversingLabs: Detection: 61%
Source: Yara match; File source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe; Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe; ReversingLabs: Detection: 43%
Source: dK0SRzWoPq.exe; Joe Sandbox ML: detected
Source: 2.2.pkypr.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.pkypr.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.pkypr.exe.400000.6.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.pkypr.exe.2180000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.pkypr.exe.400000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: dK0SRzWoPq.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: dK0SRzWoPq.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: pkypr.exe, 00000001.00000003.364787710.0000000002420000.00000004.00001000.00020000.00000000.sdmp, pkypr.exe, 00000001.00000003.365556459.0000000002290000.00000004.00001000.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.463986070.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.464909831.0000000000B8F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627628219.000000000510F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627373845.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: pkypr.exe, pkypr.exe, 00000002.00000002.463986070.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.464909831.0000000000B8F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000000D.00000002.627628219.000000000510F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627373845.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: mstsc.pdbGCTL source: pkypr.exe, 00000002.00000002.465895418.00000000028D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: mstsc.pdb source: pkypr.exe, 00000002.00000002.465895418.00000000028D0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe; Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe; Code function: 0_2_0040683D FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe; Code function: 0_2_0040290B FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe; Code function: 4x nop then pop ebx
Source: C:\Users\user\AppData\Local\Temp\pkypr.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\mstsc.exe; Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\mstsc.exe; Code function: 4x nop then pop ebx
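The two Static PE information lines above describe a header with DYNAMIC_BASE set alongside RELOCS_STRIPPED. DYNAMIC_BASE only requests ASLR; without a relocation table the loader cannot rebase the image, so the dropper is mapped at its preferred base regardless of the flag. The script below is an added example, not part of the report: since the sample itself is not available here, it constructs a minimal PE header carrying exactly the flags listed above (field offsets per the PE/COFF specification), decodes both flag words back into names, and reports whether ASLR can actually take effect.

```python
"""Decode the PE Characteristics / DllCharacteristics reported above and check ASLR.

Added example, not part of the report. build_header() constructs a minimal PE32
header with the flags the report lists, because the sample is not available here;
read_characteristics() is the parser a practitioner would run on the real file.
"""
import struct

CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}

# The flags listed for dK0SRzWoPq.exe in the report.
REPORTED_CHARS = 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0100
REPORTED_DLLCHARS = 0x0040 | 0x0100 | 0x0400 | 0x8000


def flags(value, table):
    """Names of the set bits, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def read_characteristics(data):
    """Return (Characteristics, DllCharacteristics) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (chars,) = struct.unpack_from("<H", data, e_lfanew + 22)   # IMAGE_FILE_HEADER.Characteristics
    opt = e_lfanew + 24                                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                              # PE32 / PE32+
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    (dllchars,) = struct.unpack_from("<H", data, opt + 70)       # DllCharacteristics, same offset in both
    return chars, dllchars


def aslr_effective(chars, dllchars):
    """DYNAMIC_BASE only takes effect if the image still carries relocations;
    with RELOCS_STRIPPED the loader must map it at its preferred ImageBase."""
    return bool(dllchars & 0x0040) and not (chars & 0x0001)


def build_header(chars, dllchars, e_lfanew=0x80):
    """Constructed minimal PE32 header (not the real sample) with the given flag words."""
    hdr = bytearray(0x100)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HH", hdr, e_lfanew + 4, 0x14C, 3)   # Machine = I386, NumberOfSections = 3
    struct.pack_into("<H", hdr, e_lfanew + 20, 0xE0)       # SizeOfOptionalHeader for PE32
    struct.pack_into("<H", hdr, e_lfanew + 22, chars)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)                # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, 0x400000)        # ImageBase
    struct.pack_into("<H", hdr, opt + 70, dllchars)
    return bytes(hdr)


if __name__ == "__main__":
    chars, dllchars = read_characteristics(build_header(REPORTED_CHARS, REPORTED_DLLCHARS))
    print("Characteristics:   ", ", ".join(flags(chars, CHARACTERISTICS)))
    print("DllCharacteristics:", ", ".join(flags(dllchars, DLL_CHARACTERISTICS)))
    print("ASLR effective:    ", aslr_effective(chars, dllchars))
```

The practical consequence for analysis is that addresses such as the 0_2_00405C13 code function reported above are stable across runs of this dropper, which also makes them usable as exact offsets when diffing related samples.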

Networking

Source: C:\Windows\explorer.exe; Domain query: www.xianzyw.com
Source: Malware configuration extractor; URLs: www.hsf777.com/m0d4/
Source: unknown; DNS traffic detected: query: www.baigouw.com, reply code: Server failure (2)
Source: unknown; DNS traffic detected: query: www.xianzyw.com, reply code: Server failure (2)
Source: explorer.exe, 00000003.00000000.428243719.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.375813124.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.497440728.00000000026D0000.00000004.00000001.00020000.00000000.sdmp; String found in binary or memory: http://ns.adobY
Source: dK0SRzWoPq.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown; DNS traffic detected: queries for: www.xianzyw.com
Source: C:\Users\user\Desktop\dK0SRzWoPq.exe; Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,
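The two failed lookups above, www.baigouw.com and www.xianzyw.com, are not the C2. Both names are entries from the decoy list in the extracted configuration, queried with a www. label in front, while the configured C2 is www.hsf777.com/m0d4/. Telling the two apart matters when turning this report into detections, because the decoy traffic exists precisely to look like the real beacon. The script below is an added example, not part of the report: it loads the configuration copied from above, parses DNS lines written in the report's own wording (the two observed queries, plus a constructed query for the C2 host and a constructed benign query that the report does not contain), and labels each as C2, decoy or unrelated. Stripping a leading www. is an assumption taken from the two observed queries.

```python
"""Triage DNS queries against the FormBook configuration extracted above.

Added example, not part of the report. CONFIG is copied from the extracted
configuration. LOG is constructed in the report's own "DNS traffic detected"
wording: the first two lines are the queries the report lists, the last two are
made up for this example. Stripping a leading "www." is an assumption drawn
from the report, where both observed queries carry that label in front of a
bare decoy domain.
"""
import re
from urllib.parse import urlsplit

CONFIG = {
    "C2 list": ["www.hsf777.com/m0d4/"],
    "decoy": ["prettyhairdivas.mobi", "cityblocksnft.com", "laraqiiz.com", "mubarakdigitalmedia.com",
              "perstockholm.com", "xn--imprio-dva.site", "baigouw.com", "support-client-video.com",
              "phomas.info", "dengedizayn.com", "zoommachone.xyz", "houseoflancasterhours.com",
              "petarungslot.website", "tyrs-it.com", "dalianzhuchiren.com", "tenthgenerationtorah.com",
              "portres.online", "1-minute.store", "shikakunazo.com", "veymes.store", "ruvedaj.xyz",
              "apremotesamsung.com", "palia.world", "you-sayso.com", "nftsofis.com",
              "arthamandirialkesindo.com", "bangkhacollections.com", "digitalfactoryinstitut.com",
              "aceites.info", "altcoinwatcher.com", "pearlsofgraceinc.com", "xianzyw.com", "gxclzs.com",
              "greenlighteams.com", "aavinya.com", "sans-gluten.store", "clanbeware.com",
              "protocolohfresco.site", "meredithlobrien.com", "cryoablation.xyz", "avicciibook.com",
              "toastpack.com", "linktosmutgoeshere.com", "38289.xyz", "xn--08s.com", "techkaisimi.com",
              "jllpx.com", "dubaicarclinic.com", "zhidao95.com", "aletterboxd.com", "warrantyglobe.com",
              "mindfeed.pro", "bhreselect.com", "sdfijsdjidf.xyz", "russetconstruction.com",
              "futternmitflo.com", "triumphgroup.xyz", "tn299td.com", "bulkheadsrestaurantgroup.com",
              "luvy.world", "h3s4.com", "gamewaycos.com", "totalbodyfit.online", "trendadler.com"],
}

# First two lines copied from the report; last two constructed for this example.
LOG = """\
DNS traffic detected: query: www.baigouw.com replaycode: Server failure (2)
DNS traffic detected: query: www.xianzyw.com replaycode: Server failure (2)
DNS traffic detected: query: www.hsf777.com replaycode: No error (0)
DNS traffic detected: query: ctldl.windowsupdate.com replaycode: No error (0)
"""

LINE_RE = re.compile(r"query:\s+(?P<qname>\S+)\s+replaycode:\s+(?P<rcode>.+?)\s*$")


def strip_www(name):
    """Normalise a hostname: lower-case, no trailing dot, no leading 'www.' (assumption, see above)."""
    name = name.rstrip(".").lower()
    return name[4:] if name.startswith("www.") else name


def build_index(cfg):
    """Map normalised C2 hosts to their full URL, and collect the normalised decoy set."""
    c2 = {}
    for url in cfg["C2 list"]:
        host = urlsplit("//" + url).hostname   # the config stores host/path without a scheme
        c2[strip_www(host)] = url
    decoys = {strip_www(d) for d in cfg["decoy"]}
    return c2, decoys


def classify(qname, c2, decoys):
    base = strip_www(qname)
    if base in c2:
        return "c2"
    if base in decoys:
        return "decoy"
    return "unrelated"


def triage(log, cfg=CONFIG):
    """Return (qname, verdict, rcode) per parsed line. Decoy hits are noise for
    blocking purposes but still fingerprint this exact configuration."""
    c2, decoys = build_index(cfg)
    rows = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            rows.append((m["qname"], classify(m["qname"], c2, decoys), m["rcode"]))
    return rows


def watchlist(cfg=CONFIG):
    """Hostnames to alert on: C2 host plus every decoy, www.-prefixed as in the observed queries."""
    c2, decoys = build_index(cfg)
    return {"www." + h for h in list(c2) + sorted(decoys)}


if __name__ == "__main__":
    for qname, verdict, rcode in triage(LOG):
        print(f"{verdict:9s} {qname:28s} {rcode}")
```

The SERVFAIL replies on the two decoy lookups match the report's own reading ("no domain seems valid (expired dropper behavior)"): a resolution failure on a decoy says nothing about whether the real C2 is still up, so the C2 host should be kept on the watchlist regardless.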

E-Banking Fraud

Source: Yara match; File source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: dK0SRzWoPq.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exe | Code function: 0_2_00406BFE
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 1_2_02170A56
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041D80F
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041D96E
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041E33E
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00402D87
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00409E50
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041DEDC
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AC20A0
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B620A8
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AAB090
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B628EC
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B6E824
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00ABA830
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B51002
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AB99BF
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AB4120
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00A9F900
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B622AE
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B4FA2B
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00ACEBB0
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B5DBD2
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B503DA
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B62B28
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00ABAB40
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AA841F
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B5D466
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AC2581
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AAD5E0
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B625DD
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00A90D20
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B62D07
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B61D55
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B62EF7
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AB6E30
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B5D616
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B61FF1
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00B6DFCE
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050E2D07
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05010D20
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050E1D55
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05042581
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050E25DD
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0502D5E0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0502841F
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050DD466
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050EDFCE
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050E1FF1
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050DD616
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05036E30
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050E2EF7
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0501F900
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05034120
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050D1002
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050EE824
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0502B090
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050420A0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050E20A8
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050E28EC
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050E2B28
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0504EBB0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050D03DA
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050DDBD2
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050E22AE
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0310D962
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_030F2FB0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_030F9E50
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_030F2D87
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_030F2D90
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 0501B150 appears 45 times
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: String function: 00A9B150 appears 72 times
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041A350 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041A400 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041A480 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041A530 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041A34A NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041A3A2 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_0041A52A NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00ADB040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD99D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00ADA3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD95F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00ADAD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD96D0 NtCreateKey,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9FE0 NtCreateMutant,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00ADA710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9760 NtOpenProcess,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00AD9770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Code function: 2_2_00ADA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050595D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050596D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050596E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050599A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0505AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059560 NtWriteFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050595F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0505A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0505A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050597A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050599D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0505B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050598A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_050598F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0505A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_05059A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0310A350 NtCreateFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0310A530 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0310A400 NtReadFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0310A480 NtClose,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0310A34A NtCreateFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0310A3A2 NtCreateFile,
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 13_2_0310A52A NtAllocateVirtualMemory,
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\pkypr.exe 99B049D5615612C79DA226823C3B8D173E66E73BB1C99D0215282274685162ED
          Source: dK0SRzWoPq.exeReversingLabs: Detection: 61%
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeFile read: C:\Users\user\Desktop\dK0SRzWoPq.exeJump to behavior
          Source: dK0SRzWoPq.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\dK0SRzWoPq.exe "C:\Users\user\Desktop\dK0SRzWoPq.exe"
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeProcess created: C:\Users\user\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeProcess created: C:\Users\user\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user~1\AppData\Local\Temp\pkypr.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeProcess created: C:\Users\user\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeProcess created: C:\Users\user\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
          Source: C:\Windows\SysWOW64\mstsc.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user~1\AppData\Local\Temp\pkypr.exe"
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeCode function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsa9F70.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/3@8/0
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeCode function: 0_2_004021AA CoCreateInstance,
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeCode function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: dK0SRzWoPq.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: pkypr.exe, 00000001.00000003.364787710.0000000002420000.00000004.00001000.00020000.00000000.sdmp, pkypr.exe, 00000001.00000003.365556459.0000000002290000.00000004.00001000.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.463986070.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.464909831.0000000000B8F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627628219.000000000510F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627373845.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: pkypr.exe, pkypr.exe, 00000002.00000002.463986070.0000000000A70000.00000040.00000800.00020000.00000000.sdmp, pkypr.exe, 00000002.00000002.464909831.0000000000B8F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 0000000D.00000002.627628219.000000000510F000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 0000000D.00000002.627373845.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: mstsc.pdbGCTL source: pkypr.exe, 00000002.00000002.465895418.00000000028D0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: mstsc.pdb source: pkypr.exe, 00000002.00000002.465895418.00000000028D0000.00000040.10000000.00040000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_0040E26B push ds; ret
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_0040E270 push ds; ret
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00409BF3 push ebp; retf
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00416424 push ecx; iretd
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_0041642E push ecx; iretd
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_0041D4F2 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_0041D4FB push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00417CA2 push A91014B2h; retf
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_0041D4A5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_0041D55C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_004175C8 push edi; ret
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_004175D0 push edi; ret
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_0041761B push edi; ret
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AED0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0506D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_030F9BF3 push ebp; retf
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_030FE26B push ds; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_030FE270 push ds; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0310761B push edi; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0310D55C push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_031075D0 push edi; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_031075C8 push edi; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_03106424 push ecx; iretd
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0310642E push ecx; iretd
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_03107CA2 push A91014B2h; retf
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0310D4A5 push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0310D4F2 push eax; ret
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0310D4FB push eax; ret
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeFile created: C:\Users\user\AppData\Local\Temp\pkypr.exe

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xED
          Source: C:\Windows\explorer.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeRDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exeRDTSC instruction interceptor: First address: 00000000030F9904 second address: 00000000030F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exeRDTSC instruction interceptor: First address: 00000000030F9B6E second address: 00000000030F9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00409AA0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeAPI coverage: 7.7 %
          Source: C:\Windows\SysWOW64\mstsc.exeAPI coverage: 8.9 %
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeCode function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeCode function: 0_2_0040683D FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeCode function: 0_2_0040290B FindFirstFileW,
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000003.00000000.440339588.0000000006389000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.416679586.0000000007C08000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i
          Source: explorer.exe, 00000003.00000000.416679586.0000000007C08000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.377017359.0000000004150000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
          Source: explorer.exe, 00000003.00000000.416679586.0000000007C08000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i&
          Source: explorer.exe, 00000003.00000000.391145511.0000000007D2A000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.416679586.0000000007C08000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00Iy
          Source: explorer.exe, 00000003.00000000.416911177.0000000007CC2000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000v
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00409AA0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\mstsc.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 1_2_021703F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 1_2_0217061D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 1_2_021706F7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 1_2_02170736 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 1_2_02170772 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AD90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ACF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ACF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ACF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A99080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B13884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B13884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A958EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A940E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B2B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B2B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AAB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AAB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AAB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AAB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B64015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B64015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B17016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B61074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B52073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B151BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B549A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B169A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ACA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B241E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A99100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A99100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A99100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A952A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AAAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AAAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ACFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ACD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ACD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AD4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AD4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AA8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B5AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B5AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AB3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A95210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A95210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A95210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A95210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B4B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B4B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B68A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AD927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B5EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B24257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A99240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A99240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A99240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A99240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B65BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AA1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AA1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B4D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ACB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B5138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00ABDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B153CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00B5131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00AC3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_00A9DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0501B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0501B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_050A41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_050E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_050E4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_05097016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_05097016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_05097016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0502B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0502B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0502B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0502B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0504002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0504002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0504002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0504002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_0504002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_05030050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_05030050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_050E1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_050D2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 13_2_05019080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exeCode function: 2_2_0040ACE0 LdrLoadDll,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Domain query: www.xianzyw.com
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 820000
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: unknown target: unknown protection: read write
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Memory written: C:\Users\user\AppData\Local\Temp\pkypr.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Thread register set: target process: 3808
          Source: C:\Windows\SysWOW64\mstsc.exe | Thread register set: target process: 3808
          Source: C:\Users\user\AppData\Local\Temp\pkypr.exe | Process created: C:\Users\user\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user~1\AppData\Local\Temp\pkypr.exe"
          Source: explorer.exe, 00000003.00000000.428100994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.375616871.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.497183936.0000000000D00000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program ManagerG
          Source: explorer.exe, 00000003.00000000.428100994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.380260326.0000000005920000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.387403754.0000000007C08000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000000.428100994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.375616871.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.497183936.0000000000D00000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000000.428100994.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.375616871.0000000000D00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.497183936.0000000000D00000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000003.00000000.427555306.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.496570294.0000000000628000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.407103470.0000000000628000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanPV*
          Source: C:\Users\user\Desktop\dK0SRzWoPq.exe | Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          Source: Yara match | File source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 2.2.pkypr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.pkypr.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.pkypr.exe.2180000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.5.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.pkypr.exe.2180000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.pkypr.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          MITRE ATT&CK matrix (one line per tactic; a number before a technique is the report's signature-count badge for it):
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: 1 Native API; 1 Shared Modules; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
          Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Privilege Escalation: 1 Access Token Manipulation; 612 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
          Defense Evasion: 1 Rootkit; 1 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 612 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing
          Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: 1 Query Registry; 221 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 13 System Information Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: 1 Credential API Hooking; 1 Archive Collected Data; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
          Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 11 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
          Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data
          Behavior Graph ID: 620777, Sample: dK0SRzWoPq, Start date: 05/05/2022, Architecture: WINDOWS, Score: 100
          Start
            DNS: www.baigouw.com
            Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
            dK0SRzWoPq.exe (18) started
              Dropped file: C:\Users\user\AppData\Local\Temp\pkypr.exe, PE32
              pkypr.exe started
                Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); 2 other signatures
                pkypr.exe started
                  Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
                  explorer.exe injected
                    DNS: www.xianzyw.com
                    Signatures: System process connects to network (likely due to code injection or exploit)
                    mstsc.exe started
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                      cmd.exe (1) started
                        conhost.exe started
                    autoconv.exe started

          Source | Detection | Scanner | Label
          dK0SRzWoPq.exe | 11% | Metadefender |
          dK0SRzWoPq.exe | 62% | ReversingLabs | Win32.Trojan.LokiBot
          dK0SRzWoPq.exe | 100% | Joe Sandbox ML |
          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\pkypr.exe | 100% | Avira | TR/Crypt.XPACK.Gen
          C:\Users\user\AppData\Local\Temp\pkypr.exe | 44% | ReversingLabs | Win32.Trojan.FormBook
          Source | Detection | Scanner | Label
          2.2.pkypr.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.2.pkypr.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          2.0.pkypr.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.0.pkypr.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          1.0.pkypr.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.2.pkypr.exe.2180000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          2.0.pkypr.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
          Source | Detection | Scanner | Label
          www.hsf777.com/m0d4/ | 0% | Avira URL Cloud | safe
          http://ns.adobY | 0% | URL Reputation | safe
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          www.baigouw.com | unknown | unknown | true | | unknown
          www.xianzyw.com | unknown | unknown | true | | unknown
          Name | Malicious | Antivirus Detection | Reputation
          www.hsf777.com/m0d4/ | true | Avira URL Cloud: safe | low
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://ns.adobY | explorer.exe, 00000003.00000000.428243719.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.375813124.00000000026D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.497440728.00000000026D0000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
          http://nsis.sf.net/NSIS_ErrorError | dK0SRzWoPq.exe | false | | high
                No contacted IP infos
                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:620777
                 Start date and time:2022-05-05 08:11:01 +02:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 9m 46s
                Hypervisor based Inspection enabled:false
                Report type:light
                Sample file name:dK0SRzWoPq (renamed file extension from none to exe)
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                 Number of new started processes analysed:25
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:1
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@10/3@8/0
                EGA Information:
                • Successful, ratio: 100%
                HDC Information:
                • Successful, ratio: 61.7% (good quality ratio 56.2%)
                • Quality average: 73.3%
                • Quality standard deviation: 31.1%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 52.242.101.226, 40.125.122.176, 52.152.110.14, 20.54.89.106, 20.223.24.244
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, settings-win.data.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
                 • Not all processes were analyzed; report is missing behavior information
                • VT rate limit hit for: dK0SRzWoPq.exe
                No simulations
                No context
                Process:C:\Users\user\Desktop\dK0SRzWoPq.exe
                File Type:data
                Category:dropped
                Size (bytes):189439
                Entropy (8bit):7.990856274194596
                Encrypted:true
                SSDEEP:3072:qjgrrRhrzo9SZLmQRZhGGa2S8nIpgjB7YwRMmcY/AoxGT4VWtKpZ6iejfz7nJ2v:q8rnrEwZCwZhGX4jB735cYLs484T8fze
                MD5:8E8024C9499E87104F27EA891A82C6A2
                SHA1:127BDF4C34CEB58C5562F86E83D1D2A085CDB5CF
                SHA-256:F11F0F6D81D98DD389B02D946FE8273591ADE4B3C7A6DA29820449EB392186FE
                SHA-512:95BE8BC870FDE8BA84728B2913B7B8A12999946DAFBE36D853662BD8D499783707F4EA1FC703D1489E244450FA1AC2BB7A93100F94794802C25B61C85FE332ED
                Malicious:false
                Reputation:low
                Preview:.(3...B.'{^......[7..r...Uu''...H:..&...".\.......-..f.........0....K....l.;I6]....|w.!..2."mX.......|......`...m^.....>.L.@..f._[?.0..+N.pJ.~..0f.Y.])..!c.}._..;......rSrl..F..YP.D..QSV.I.p.A....`.F.X<|S.\.T......q.[X2.\....i=../Wq..a.....DPBb...B.]...g...~...6l...fg..Xb...H:..&..E"........-..f.............`:B...z.6....?d.X..F..A...l@F.y .m.U.....Is'(..k..m^......7.....o..'j#.V..!ey.8d..$.y...}).]......n...n....rSr....t.YP....-.p..y..A]...`.FDX.d~.M........q.[X.u.....i=0w/Wq..a......DHB....B....g...c8..^l...fg..''...H:..&...".\.......-..f.............`:B...z.6....?d.X..F..A...l@F.y .m.U.....Is'(..k..m^......7.....o..'j#.V..!ey.8d..$.y...}).]......n...n....rSrl..F..YP4...-.p....A....`.FDX.d~.M.T......q.[X.u.....i=0w/Wq..a......DHB....B....g...c8..^l...fg..''...H:..&...".\.......-..f.............`:B...z.6....?d.X..F..A...l@F.y .m.U.....Is'(..k..m^......7.....o..'j#.V..!ey.8d..$.y...}).]......n...n....rSrl..F..YP4...-.p....A....`.FDX.d~.M.T......q.[X
                Process:C:\Users\user\Desktop\dK0SRzWoPq.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Category:modified
                Size (bytes):5120
                Entropy (8bit):3.9183606087237455
                Encrypted:false
                SSDEEP:48:Sp9jcdkOF5gKcByqcQigXUgdSHgeUAZ+hRP2bv0D4LS0MK0w/fcefhrRVRuqS:Ut8gVBy1TgXUgdSHgxG2K0w/ke5rpx
                MD5:087998162F8FBD6E48CC5AB45BE63449
                SHA1:42A743C81B789EAF9B3283FFA8ADBB90A4519362
                SHA-256:99B049D5615612C79DA226823C3B8D173E66E73BB1C99D0215282274685162ED
                SHA-512:12759E3CCAFF2A3D78A5008E6F96C01322EE814F0568142E09DBE0DDF30DF84C0843CAF43C34377660103CACB636ABA68F60A6903A52EFD0EBC50AB5C419673D
                Malicious:true
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 44%
                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......;....l.J.l.J.l.J.s.J}l.J$..Kpl.J.l.JTl.J.2.K~l.J.2fJ~l.J.2.K~l.JRich.l.J................PE..L...4prb..................................... ....@..........................P...............................................!.......@............................... ............................................... ...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@........................................................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Users\user\Desktop\dK0SRzWoPq.exe
                File Type:data
                Category:dropped
                Size (bytes):4971
                Entropy (8bit):6.173518476087677
                Encrypted:false
                SSDEEP:96:FmmPpZ4KuDlgjOBPv4LSuhQB2DwXQH4xShcJbfP:FmrojsqBDjYEhij
                MD5:B1BAABAF50759D3CFC8D19D3D2E20F94
                SHA1:20983C521DB67C60E18A94D31C2B41CEB2A5D7F2
                SHA-256:1FBFC239148369ED5BD7713E21CF351A45F784CB79C71EC101CF31B037F58E9C
                SHA-512:47255B15D381F1C2DFFAB6FA561E758901116A115B73029CFFC15F3252B2843CA2517199968101BB816F4B89E4AA592A78B794108E85536603CE1F60456C96F2
                Malicious:false
                Preview:.....%....@/*+.U...+.Z..5..+.Z..5..U...5.(....U...E..E.}5.0......5..%..E..E.}5.0......5..%..E..E.}5.0......5.%..E..E.}5.0.....5..%..M..J.f.8g...5.q.5..%.5.......5.=.5.=.}....f.1..5..%.}...5.+*.U....f...........'U..E.1.E.6.E.Y8.E.Y1.E.3.E.2u.L.[H...[H.D. ...E..E.Y6.5....5..U.......<...........U.23.5.327....%..II.+.Z..5.5....5.O .5....=....<...%.5.5...@.=....5.%.....h..S.N....h......hZ.S.`....*......h.4wS.B....<......%....(.+.Z..5.5.....}5..5..M..L.5....5.@.5.5.H.5....H...u.L:.5.qf.1g...<...,..}5.qf.1....<...,..f.f.8g..}<..0hZ.S.....0....5...}5.0.E..F...5..M..L..U.....5......5.....%....@.+.Z..5.5.(...}5..5..M..L.5....5.@.5.5.H.5....q...u..|.....5.qf.1g...<...,...5.qf.1....<...,...5.qf.1...<...,...5...f.6g...<...D.}5.qf.1....<...,..f.f.8g..}<..0h..S.....0.....5..M..L..5.=......E..E..E..E..E......5..M..L..U.....5......5.....%......5.....}5.5..M..L.5....5.@.5.5.H.5.......u.L:.5.qf.1g...<..,..5.qf.1....<..,..f.f.8g..}<..0h.4wS.....0.$...5....E..E....
                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                Entropy (8bit):7.887297413536421
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:dK0SRzWoPq.exe
                File size:219317
                MD5:6f111b596da1ac7d71c4362b18309648
                SHA1:e09f8065342a4c8664148bec4b0d9265e7e5842a
                SHA256:285e772a15413afa15e86632327faebaa56ff23d0ca19249c228b2d531e19f96
                SHA512:f3e1c725d4c0916a4856af17e272791f056595399e9970c58a4156fbd262e761b50b511cc422e41becfa86493f6248480f855df6718eeaac904d53e1ec8f1e88
                SSDEEP:6144:HNeZmLfHg6+reKq0Uzme51aUUTzC92gBE:HNlLvX+12auAVTzhg+
                TLSH:4F2412543A64C4B2D6A347722A7D43BF6B5FE21320A44B5F33182E98BD31781DA4E726
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....
                Icon Hash:b2a88c96b2ca6a72
                Entrypoint:0x4034f7
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:56a78d55f3f7af51443e58e0ce2fb5f6
                Instruction
                push ebp
                mov ebp, esp
                sub esp, 000003F4h
                push ebx
                push esi
                push edi
                push 00000020h
                pop edi
                xor ebx, ebx
                push 00008001h
                mov dword ptr [ebp-14h], ebx
                mov dword ptr [ebp-04h], 0040A2E0h
                mov dword ptr [ebp-10h], ebx
                call dword ptr [004080CCh]
                mov esi, dword ptr [004080D0h]
                lea eax, dword ptr [ebp-00000140h]
                push eax
                mov dword ptr [ebp-0000012Ch], ebx
                mov dword ptr [ebp-2Ch], ebx
                mov dword ptr [ebp-28h], ebx
                mov dword ptr [ebp-00000140h], 0000011Ch
                call esi
                test eax, eax
                jne 00007EFCACB7597Ah
                lea eax, dword ptr [ebp-00000140h]
                mov dword ptr [ebp-00000140h], 00000114h
                push eax
                call esi
                mov ax, word ptr [ebp-0000012Ch]
                mov ecx, dword ptr [ebp-00000112h]
                sub ax, 00000053h
                add ecx, FFFFFFD0h
                neg ax
                sbb eax, eax
                mov byte ptr [ebp-26h], 00000004h
                not eax
                and eax, ecx
                mov word ptr [ebp-2Ch], ax
                cmp dword ptr [ebp-0000013Ch], 0Ah
                jnc 00007EFCACB7594Ah
                and word ptr [ebp-00000132h], 0000h
                mov eax, dword ptr [ebp-00000134h]
                movzx ecx, byte ptr [ebp-00000138h]
                mov dword ptr [0042A2D8h], eax
                xor eax, eax
                mov ah, byte ptr [ebp-0000013Ch]
                movzx eax, ax
                or eax, ecx
                xor ecx, ecx
                mov ch, byte ptr [ebp-2Ch]
                movzx ecx, cx
                shl eax, 10h
                or eax, ecx
                Programming Language:
                • [EXP] VC++ 6.0 SP5 build 8804
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b000 | 0xa50 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x6515 | 0x6600 | False | 0.661534926471 | data | 6.43970794855 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rdata | 0x8000 | 0x139a | 0x1400 | False | 0.45 | data | 5.14577456407 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0xa000 | 0x20338 | 0x600 | False | 0.499348958333 | data | 4.01369865045 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .ndata | 0x2b000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .rsrc | 0x3b000 | 0xa50 | 0xc00 | False | 0.402018229167 | data | 4.18462166815 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country
                RT_ICON | 0x3b190 | 0x2e8 | data | English | United States
                RT_DIALOG | 0x3b478 | 0x100 | data | English | United States
                RT_DIALOG | 0x3b578 | 0x11c | data | English | United States
                RT_DIALOG | 0x3b698 | 0x60 | data | English | United States
                RT_GROUP_ICON | 0x3b6f8 | 0x14 | data | English | United States
                RT_MANIFEST | 0x3b710 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                DLL | Import
                ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
                SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
                ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
                COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
                USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
                GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
                KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
                Language of compilation system | Country where language is spoken
                English | United States
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                May 5, 2022 08:14:00.061939955 CEST | 59856 | 53 | 192.168.2.7 | 8.8.8.8
                May 5, 2022 08:14:01.105869055 CEST | 59856 | 53 | 192.168.2.7 | 8.8.8.8
                May 5, 2022 08:14:02.152606010 CEST | 59856 | 53 | 192.168.2.7 | 8.8.8.8
                May 5, 2022 08:14:04.199518919 CEST | 59856 | 53 | 192.168.2.7 | 8.8.8.8
                May 5, 2022 08:14:05.082415104 CEST | 53 | 59856 | 8.8.8.8 | 192.168.2.7
                May 5, 2022 08:14:06.123655081 CEST | 53 | 59856 | 8.8.8.8 | 192.168.2.7
                May 5, 2022 08:14:07.171267033 CEST | 53 | 59856 | 8.8.8.8 | 192.168.2.7
                May 5, 2022 08:14:09.217835903 CEST | 53 | 59856 | 8.8.8.8 | 192.168.2.7
                May 5, 2022 08:14:21.655561924 CEST | 50560 | 53 | 192.168.2.7 | 8.8.8.8
                May 5, 2022 08:14:22.670001030 CEST | 50560 | 53 | 192.168.2.7 | 8.8.8.8
                May 5, 2022 08:14:23.685656071 CEST | 50560 | 53 | 192.168.2.7 | 8.8.8.8
                May 5, 2022 08:14:25.701590061 CEST | 50560 | 53 | 192.168.2.7 | 8.8.8.8
                May 5, 2022 08:14:26.674069881 CEST | 53 | 50560 | 8.8.8.8 | 192.168.2.7
                May 5, 2022 08:14:27.687593937 CEST | 53 | 50560 | 8.8.8.8 | 192.168.2.7
                May 5, 2022 08:14:28.703629971 CEST | 53 | 50560 | 8.8.8.8 | 192.168.2.7
                Timestamp | Source IP | Dest IP | Checksum | Code | Type
                May 5, 2022 08:14:06.123738050 CEST | 192.168.2.7 | 8.8.8.8 | cff6 | (Port unreachable) | Destination Unreachable
                May 5, 2022 08:14:07.173743010 CEST | 192.168.2.7 | 8.8.8.8 | cff6 | (Port unreachable) | Destination Unreachable
                May 5, 2022 08:14:09.218017101 CEST | 192.168.2.7 | 8.8.8.8 | cff6 | (Port unreachable) | Destination Unreachable
                May 5, 2022 08:14:27.687700033 CEST | 192.168.2.7 | 8.8.8.8 | cff6 | (Port unreachable) | Destination Unreachable
                May 5, 2022 08:14:28.703749895 CEST | 192.168.2.7 | 8.8.8.8 | cff6 | (Port unreachable) | Destination Unreachable
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                May 5, 2022 08:14:00.061939955 CEST | 192.168.2.7 | 8.8.8.8 | 0xf32b | Standard query (0) | www.xianzyw.com | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:01.105869055 CEST | 192.168.2.7 | 8.8.8.8 | 0xf32b | Standard query (0) | www.xianzyw.com | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:02.152606010 CEST | 192.168.2.7 | 8.8.8.8 | 0xf32b | Standard query (0) | www.xianzyw.com | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:04.199518919 CEST | 192.168.2.7 | 8.8.8.8 | 0xf32b | Standard query (0) | www.xianzyw.com | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:21.655561924 CEST | 192.168.2.7 | 8.8.8.8 | 0x8228 | Standard query (0) | www.baigouw.com | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:22.670001030 CEST | 192.168.2.7 | 8.8.8.8 | 0x8228 | Standard query (0) | www.baigouw.com | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:23.685656071 CEST | 192.168.2.7 | 8.8.8.8 | 0x8228 | Standard query (0) | www.baigouw.com | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:25.701590061 CEST | 192.168.2.7 | 8.8.8.8 | 0x8228 | Standard query (0) | www.baigouw.com | A (IP address) | IN (0x0001)
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                May 5, 2022 08:14:05.082415104 CEST | 8.8.8.8 | 192.168.2.7 | 0xf32b | Server failure (2) | www.xianzyw.com | none | none | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:06.123655081 CEST | 8.8.8.8 | 192.168.2.7 | 0xf32b | Server failure (2) | www.xianzyw.com | none | none | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:07.171267033 CEST | 8.8.8.8 | 192.168.2.7 | 0xf32b | Server failure (2) | www.xianzyw.com | none | none | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:09.217835903 CEST | 8.8.8.8 | 192.168.2.7 | 0xf32b | Server failure (2) | www.xianzyw.com | none | none | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:26.674069881 CEST | 8.8.8.8 | 192.168.2.7 | 0x8228 | Server failure (2) | www.baigouw.com | none | none | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:27.687593937 CEST | 8.8.8.8 | 192.168.2.7 | 0x8228 | Server failure (2) | www.baigouw.com | none | none | A (IP address) | IN (0x0001)
                May 5, 2022 08:14:28.703629971 CEST | 8.8.8.8 | 192.168.2.7 | 0x8228 | Server failure (2) | www.baigouw.com | none | none | A (IP address) | IN (0x0001)

                Code Manipulations

                Function Name | Hook Type | Active in Processes
                PeekMessageA | INLINE | explorer.exe
                PeekMessageW | INLINE | explorer.exe
                GetMessageW | INLINE | explorer.exe
                GetMessageA | INLINE | explorer.exe
                Function Name | Hook Type | New Data
                PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xED
                PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xED
                GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xED
                GetMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xED


                Target ID:0
                Start time:08:12:15
                Start date:05/05/2022
                Path:C:\Users\user\Desktop\dK0SRzWoPq.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\dK0SRzWoPq.exe"
                Imagebase:0x400000
                File size:219317 bytes
                MD5 hash:6F111B596DA1AC7D71C4362B18309648
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low

                Target ID:1
                Start time:08:12:17
                Start date:05/05/2022
                Path:C:\Users\user\AppData\Local\Temp\pkypr.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
                Imagebase:0x400000
                File size:5120 bytes
                MD5 hash:087998162F8FBD6E48CC5AB45BE63449
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.372566518.0000000002180000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 44%, ReversingLabs
                Reputation:low

                Target ID:2
                Start time:08:12:18
                Start date:05/05/2022
                Path:C:\Users\user\AppData\Local\Temp\pkypr.exe
                Wow64 process (32bit):true
                Commandline:C:\Users\user~1\AppData\Local\Temp\pkypr.exe C:\Users\user~1\AppData\Local\Temp\zpcthwca
                Imagebase:0x400000
                File size:5120 bytes
                MD5 hash:087998162F8FBD6E48CC5AB45BE63449
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.369225156.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.367373235.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.463016643.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.463378064.00000000009D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.463592351.0000000000A00000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                Target ID:3
                Start time:08:12:24
                Start date:05/05/2022
                Path:C:\Windows\explorer.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Explorer.EXE
                Imagebase:0x7ff631f70000
                File size:3933184 bytes
                MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.443403408.0000000007599000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.416140599.0000000007599000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:high

                Target ID:12
                Start time:08:13:01
                Start date:05/05/2022
                Path:C:\Windows\SysWOW64\autoconv.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\SysWOW64\autoconv.exe
                Imagebase:0x260000
                File size:851968 bytes
                MD5 hash:4506BE56787EDCD771A351C10B5AE3B7
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                Target ID:13
                Start time:08:13:02
                Start date:05/05/2022
                Path:C:\Windows\SysWOW64\mstsc.exe
                Wow64 process (32bit):true
                Commandline:C:\Windows\SysWOW64\mstsc.exe
                Imagebase:0x820000
                File size:3444224 bytes
                MD5 hash:2412003BE253A515C620CE4890F3D8F3
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.625629256.00000000030F0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.625466489.0000000000D30000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.625958951.0000000003160000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:moderate

                Target ID:15
                Start time:08:13:07
                Start date:05/05/2022
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:/c del "C:\Users\user~1\AppData\Local\Temp\pkypr.exe"
                Imagebase:0xdd0000
                File size:232960 bytes
                MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:16
                Start time:08:13:08
                Start date:05/05/2022
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff7bab80000
                File size:625664 bytes
                MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                No disassembly