Windows Analysis Report
inlaww321345.exe

Overview

General Information

Sample Name: inlaww321345.exe
Analysis ID: 626561
MD5: 43e64e0ab6ca479c2af3afed56216a91
SHA1: 983a822ffde2b558dfe2a8ac1dcc4d42df0f1d94
SHA256: cbdf1e33bc694b1ca634a4b042bd010050c9baf99078c91adf961ef92cebd305
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.boxberry-my.com/sn31/"], "decoy": ["matsuomatsuo.com", "104wn.com", "bolacorner.com", "dawonderer.com", "yourpamlano.xyz", "mtzmx.icu", "lepakzaparket.com", "barmagli.com", "danta.ltd", "marumaru240.com", "people-centeredhr.com", "test-brew-inc.com", "clairvoyantbusinesscoach.com", "aforeignexchangeblog.com", "erentekbilisim.com", "gangqinqu123.net", "defiguaranteebonds.com", "thegioigaubong97.site", "vaoiwin.info", "vcwholeness.com", "03c3twpfee5estjovfu2655.com", "mutantapeyachtclubtoken.store", "pixelkev.xyz", "corporacioncymaz.com", "iampro-found.com", "azureconsults.com", "bam-bong.com", "advanceresubeopene.biz", "tzjisheng.com", "krdz28.online", "ycw2009.com", "minioe.com", "dronelink.xyz", "autu.cfd", "sdwmkj.com", "uixray.xyz", "informacion-numero-24-h.site", "123dianyingyuan.com", "tj-assets.com", "usaservicedogregistratuon.com", "metagwnics.com", "pepeksquad2.host", "kc7.club", "yundtremark.com", "finance-employers.com", "euroglobalnews.info", "estudioenzetti.com", "rodosmail.xyz", "bm65.xyz", "bchmtn.net", "server4uuss.net", "maisonretraiteprivee.com", "atelierelzaaidar.com", "thegurlyboutique.com", "primobellaquartz.com", "jetskirentaldublin.com", "akmeetech.com", "withoutyoutube.com", "blackcreekwatershed.com", "89qp52.com", "e3488.com", "vote4menk.com", "tyma.club", "theceditpalooza.com"]}
Source: inlaww321345.exe Virustotal: Detection: 53%
Source: inlaww321345.exe ReversingLabs: Detection: 56%
Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.boxberry-my.com/sn31/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe ReversingLabs: Detection: 46%
Source: inlaww321345.exe Joe Sandbox ML: detected
Source: 2.0.idczzzzbpy.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.idczzzzbpy.exe.700000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.idczzzzbpy.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.idczzzzbpy.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.idczzzzbpy.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: inlaww321345.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: inlaww321345.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\nwmcc\xasivn\insq\a82874181cac4c8c8d839f9e6026f5f4\nkrdof\moxadzwk\Release\moxadzwk.pdb source: inlaww321345.exe, 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp, idczzzzbpy.exe, 00000001.00000000.239867122.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000002.00000000.244915451.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, chkdsk.exe, 00000010.00000002.507707421.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.509886446.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, nsuD94B.tmp.0.dr, idczzzzbpy.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: idczzzzbpy.exe, 00000001.00000003.245625219.000000001A210000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000001.00000003.242881004.000000001A080000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: idczzzzbpy.exe, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 4x nop then pop ebx 2_2_00407B1D
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 4x nop then pop edi 2_2_00417DA4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop ebx 16_2_00977B1D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop edi 16_2_00987DA4

Networking

Source: C:\Windows\explorer.exe Network Connect: 188.114.96.10 80
Source: C:\Windows\explorer.exe Network Connect: 154.85.152.171 80
Source: C:\Windows\explorer.exe Domain query: www.informacion-numero-24-h.site
Source: C:\Windows\explorer.exe Domain query: www.tzjisheng.com
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49808 -> 188.114.96.10:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49808 -> 188.114.96.10:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49808 -> 188.114.96.10:80
Source: DNS query: www.rodosmail.xyz
Source: Malware configuration extractor URLs: www.boxberry-my.com/sn31/
Source: Joe Sandbox View ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: global traffic HTTP traffic detected: GET /sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS HTTP/1.1 | Host: www.informacion-numero-24-h.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic HTTP traffic detected: GET /sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0 HTTP/1.1 | Host: www.tzjisheng.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View IP Address: 188.114.96.10
Source: inlaww321345.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown DNS traffic detected: queries for: www.informacion-numero-24-h.site
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F

E-Banking Fraud

Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: inlaww321345.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 053BB150 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: String function: 003B4599 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: String function: 0166B150 appears 136 times
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: String function: 003B2400 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041A360 NtCreateFile, 2_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041A410 NtReadFile, 2_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041A490 NtClose, 2_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041A540 NtAllocateVirtualMemory, 2_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041A35A NtCreateFile, 2_2_0041A35A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041A45A NtReadFile, 2_2_0041A45A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041A492 NtClose, 2_2_0041A492
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041A53A NtAllocateVirtualMemory, 2_2_0041A53A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_016A9910
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A99A0 NtCreateSection,LdrInitializeThunk, 2_2_016A99A0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_016A9860
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9840 NtDelayExecution,LdrInitializeThunk, 2_2_016A9840
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A98F0 NtReadVirtualMemory,LdrInitializeThunk, 2_2_016A98F0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9A50 NtCreateFile,LdrInitializeThunk, 2_2_016A9A50
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9A20 NtResumeThread,LdrInitializeThunk, 2_2_016A9A20
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9A00 NtProtectVirtualMemory,LdrInitializeThunk, 2_2_016A9A00
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9540 NtReadFile,LdrInitializeThunk, 2_2_016A9540
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A95D0 NtClose,LdrInitializeThunk, 2_2_016A95D0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9710 NtQueryInformationToken,LdrInitializeThunk, 2_2_016A9710
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_016A97A0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9780 NtMapViewOfSection,LdrInitializeThunk, 2_2_016A9780
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 2_2_016A9660
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_016A96E0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9950 NtQueueApcThread, 2_2_016A9950
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A99D0 NtCreateProcessEx, 2_2_016A99D0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016AB040 NtSuspendThread, 2_2_016AB040
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9820 NtEnumerateKey, 2_2_016A9820
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A98A0 NtWriteVirtualMemory, 2_2_016A98A0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9B00 NtSetValueKey, 2_2_016A9B00
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016AA3B0 NtGetContextThread, 2_2_016AA3B0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9A10 NtQuerySection, 2_2_016A9A10
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9A80 NtOpenDirectoryObject, 2_2_016A9A80
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9560 NtWriteFile, 2_2_016A9560
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9520 NtWaitForSingleObject, 2_2_016A9520
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016AAD30 NtSetContextThread, 2_2_016AAD30
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A95F0 NtQueryInformationFile, 2_2_016A95F0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9760 NtOpenProcess, 2_2_016A9760
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016AA770 NtOpenThread, 2_2_016AA770
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9770 NtSetInformationFile, 2_2_016A9770
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9730 NtQueryVirtualMemory, 2_2_016A9730
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016AA710 NtOpenProcessToken, 2_2_016AA710
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9FE0 NtCreateMutant, 2_2_016A9FE0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9670 NtQueryInformationProcess, 2_2_016A9670
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9650 NtQueryValueKey, 2_2_016A9650
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A9610 NtEnumerateValueKey, 2_2_016A9610
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A96D0 NtCreateKey, 2_2_016A96D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9540 NtReadFile,LdrInitializeThunk, 16_2_053F9540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F95D0 NtClose,LdrInitializeThunk, 16_2_053F95D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9710 NtQueryInformationToken,LdrInitializeThunk, 16_2_053F9710
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9780 NtMapViewOfSection,LdrInitializeThunk, 16_2_053F9780
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9FE0 NtCreateMutant,LdrInitializeThunk, 16_2_053F9FE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9660 NtAllocateVirtualMemory,LdrInitializeThunk, 16_2_053F9660
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9650 NtQueryValueKey,LdrInitializeThunk, 16_2_053F9650
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F96E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_053F96E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F96D0 NtCreateKey,LdrInitializeThunk, 16_2_053F96D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_053F9910
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F99A0 NtCreateSection,LdrInitializeThunk, 16_2_053F99A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_053F9860
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9840 NtDelayExecution,LdrInitializeThunk, 16_2_053F9840
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9A50 NtCreateFile,LdrInitializeThunk, 16_2_053F9A50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053FAD30 NtSetContextThread, 16_2_053FAD30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9520 NtWaitForSingleObject, 16_2_053F9520
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9560 NtWriteFile, 16_2_053F9560
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F95F0 NtQueryInformationFile, 16_2_053F95F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9730 NtQueryVirtualMemory, 16_2_053F9730
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053FA710 NtOpenProcessToken, 16_2_053FA710
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053FA770 NtOpenThread, 16_2_053FA770
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9770 NtSetInformationFile, 16_2_053F9770
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9760 NtOpenProcess, 16_2_053F9760
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F97A0 NtUnmapViewOfSection, 16_2_053F97A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9610 NtEnumerateValueKey, 16_2_053F9610
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9670 NtQueryInformationProcess, 16_2_053F9670
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9950 NtQueueApcThread, 16_2_053F9950
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F99D0 NtCreateProcessEx, 16_2_053F99D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9820 NtEnumerateKey, 16_2_053F9820
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053FB040 NtSuspendThread, 16_2_053FB040
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F98A0 NtWriteVirtualMemory, 16_2_053F98A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F98F0 NtReadVirtualMemory, 16_2_053F98F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9B00 NtSetValueKey, 16_2_053F9B00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053FA3B0 NtGetContextThread, 16_2_053FA3B0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9A20 NtResumeThread, 16_2_053F9A20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9A10 NtQuerySection, 16_2_053F9A10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9A00 NtProtectVirtualMemory, 16_2_053F9A00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F9A80 NtOpenDirectoryObject, 16_2_053F9A80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098A360 NtCreateFile, 16_2_0098A360
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098A490 NtClose, 16_2_0098A490
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098A410 NtReadFile, 16_2_0098A410
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098A540 NtAllocateVirtualMemory, 16_2_0098A540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098A35A NtCreateFile, 16_2_0098A35A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098A492 NtClose, 16_2_0098A492
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098A45A NtReadFile, 16_2_0098A45A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098A53A NtAllocateVirtualMemory, 16_2_0098A53A
Source: inlaww321345.exe Virustotal: Detection: 53%
Source: inlaww321345.exe ReversingLabs: Detection: 56%
Source: C:\Users\user\Desktop\inlaww321345.exe File read: C:\Users\user\Desktop\inlaww321345.exe
Source: inlaww321345.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\inlaww321345.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\inlaww321345.exe "C:\Users\user\Desktop\inlaww321345.exe"
Source: C:\Users\user\Desktop\inlaww321345.exe Process created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Process created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\inlaww321345.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\inlaww321345.exe File created: C:\Users\user\AppData\Local\Temp\nsuD94A.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/4@3/2
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\inlaww321345.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404ABB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Command line argument: ^F; 1_2_003B45B0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Command line argument: ^F; 2_2_003B45B0
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: inlaww321345.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\nwmcc\xasivn\insq\a82874181cac4c8c8d839f9e6026f5f4\nkrdof\moxadzwk\Release\moxadzwk.pdb source: inlaww321345.exe, 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp, idczzzzbpy.exe, 00000001.00000000.239867122.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000002.00000000.244915451.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, chkdsk.exe, 00000010.00000002.507707421.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.509886446.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, nsuD94B.tmp.0.dr, idczzzzbpy.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: idczzzzbpy.exe, 00000001.00000003.245625219.000000001A210000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000001.00000003.242881004.000000001A080000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: idczzzzbpy.exe, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B2445 push ecx; ret 1_2_003B2458
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_003B2445 push ecx; ret 2_2_003B2458
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_004168D5 push ebp; ret 2_2_004168D8
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041E9A8 push dword ptr [25B3BB99h]; ret 2_2_0041E9CB
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_00416CD3 push esi; ret 2_2_00416CDB
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_00417CF5 pushfd ; iretd 2_2_00417CF6
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041D4B5 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041D56C push eax; ret 2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041D502 push eax; ret 2_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0041D50B push eax; ret 2_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016BD0D1 push ecx; ret 2_2_016BD0E4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0540D0D1 push ecx; ret 16_2_0540D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_009868D5 push ebp; ret 16_2_009868D8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098E9A8 push dword ptr [25B3BB99h]; ret 16_2_0098E9CB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098D4B5 push eax; ret 16_2_0098D508
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00986CD3 push esi; ret 16_2_00986CDB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_00987CF5 pushfd ; iretd 16_2_00987CF6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098D50B push eax; ret 16_2_0098D572
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098D502 push eax; ret 16_2_0098D508
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0098D56C push eax; ret 16_2_0098D572
Source: C:\Users\user\Desktop\inlaww321345.exe File created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE1
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B1890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_003B1890
Source: C:\Users\user\Desktop\inlaww321345.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000000979904 second address: 000000000097990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000000979B7E second address: 0000000000979B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 4232 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe API coverage: 4.1 %
Source: C:\Windows\SysWOW64\chkdsk.exe API coverage: 9.0 %
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\inlaww321345.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000005.00000000.305108660.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000005.00000000.295963251.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000005.00000000.306086683.0000000008400000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.296016880.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000005.00000000.301612924.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.279924875.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000005.00000000.305220626.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000005.00000000.305108660.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B7A95 IsDebuggerPresent, 1_2_003B7A95
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_003B558A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B86ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_003B86ED
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166C962 mov eax, dword ptr fs:[00000030h] 2_2_0166C962
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166B171 mov eax, dword ptr fs:[00000030h] 2_2_0166B171
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B944 mov eax, dword ptr fs:[00000030h] 2_2_0168B944
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01684120 mov eax, dword ptr fs:[00000030h] 2_2_01684120
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01684120 mov ecx, dword ptr fs:[00000030h] 2_2_01684120
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169513A mov eax, dword ptr fs:[00000030h] 2_2_0169513A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01669100 mov eax, dword ptr fs:[00000030h] 2_2_01669100
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016F41E8 mov eax, dword ptr fs:[00000030h] 2_2_016F41E8
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166B1E1 mov eax, dword ptr fs:[00000030h] 2_2_0166B1E1
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E69A6 mov eax, dword ptr fs:[00000030h] 2_2_016E69A6
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016961A0 mov eax, dword ptr fs:[00000030h] 2_2_016961A0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E51BE mov eax, dword ptr fs:[00000030h] 2_2_016E51BE
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017249A4 mov eax, dword ptr fs:[00000030h] 2_2_017249A4
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h] 2_2_016899BF
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016899BF mov eax, dword ptr fs:[00000030h] 2_2_016899BF
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168C182 mov eax, dword ptr fs:[00000030h] 2_2_0168C182
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169A185 mov eax, dword ptr fs:[00000030h] 2_2_0169A185
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692990 mov eax, dword ptr fs:[00000030h] 2_2_01692990
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01722073 mov eax, dword ptr fs:[00000030h] 2_2_01722073
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01731074 mov eax, dword ptr fs:[00000030h] 2_2_01731074
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01680050 mov eax, dword ptr fs:[00000030h] 2_2_01680050
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169002D mov eax, dword ptr fs:[00000030h] 2_2_0169002D
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167B02A mov eax, dword ptr fs:[00000030h] 2_2_0167B02A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A830 mov eax, dword ptr fs:[00000030h] 2_2_0168A830
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01734015 mov eax, dword ptr fs:[00000030h] 2_2_01734015
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E7016 mov eax, dword ptr fs:[00000030h] 2_2_016E7016
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016640E1 mov eax, dword ptr fs:[00000030h] 2_2_016640E1
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016658EC mov eax, dword ptr fs:[00000030h] 2_2_016658EC
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B8E4 mov eax, dword ptr fs:[00000030h] 2_2_0168B8E4
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h] 2_2_016FB8D0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FB8D0 mov ecx, dword ptr fs:[00000030h] 2_2_016FB8D0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A90AF mov eax, dword ptr fs:[00000030h] 2_2_016A90AF
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h] 2_2_016920A0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0169F0BF
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169F0BF mov eax, dword ptr fs:[00000030h] 2_2_0169F0BF
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01669080 mov eax, dword ptr fs:[00000030h] 2_2_01669080
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E3884 mov eax, dword ptr fs:[00000030h] 2_2_016E3884
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166DB60 mov ecx, dword ptr fs:[00000030h] 2_2_0166DB60
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01693B7A mov eax, dword ptr fs:[00000030h] 2_2_01693B7A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166DB40 mov eax, dword ptr fs:[00000030h] 2_2_0166DB40
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738B58 mov eax, dword ptr fs:[00000030h] 2_2_01738B58
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166F358 mov eax, dword ptr fs:[00000030h] 2_2_0166F358
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h] 2_2_0168A309
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172131B mov eax, dword ptr fs:[00000030h] 2_2_0172131B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0168DBE9
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h] 2_2_016903E2
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017123E3 mov ecx, dword ptr fs:[00000030h] 2_2_017123E3
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017123E3 mov eax, dword ptr fs:[00000030h] 2_2_017123E3
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E53CA mov eax, dword ptr fs:[00000030h] 2_2_016E53CA
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01694BAD mov eax, dword ptr fs:[00000030h] 2_2_01694BAD
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01735BA5 mov eax, dword ptr fs:[00000030h] 2_2_01735BA5
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169138B mov eax, dword ptr fs:[00000030h] 2_2_0169138B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01671B8F mov eax, dword ptr fs:[00000030h] 2_2_01671B8F
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0171D380 mov ecx, dword ptr fs:[00000030h] 2_2_0171D380
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172138A mov eax, dword ptr fs:[00000030h] 2_2_0172138A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169B390 mov eax, dword ptr fs:[00000030h] 2_2_0169B390
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692397 mov eax, dword ptr fs:[00000030h] 2_2_01692397
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A927A mov eax, dword ptr fs:[00000030h] 2_2_016A927A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0171B260 mov eax, dword ptr fs:[00000030h] 2_2_0171B260
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738A62 mov eax, dword ptr fs:[00000030h] 2_2_01738A62
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01669240 mov eax, dword ptr fs:[00000030h] 2_2_01669240
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172EA55 mov eax, dword ptr fs:[00000030h] 2_2_0172EA55
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016F4257 mov eax, dword ptr fs:[00000030h] 2_2_016F4257
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h] 2_2_0168A229
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A4A2C mov eax, dword ptr fs:[00000030h] 2_2_016A4A2C
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172AA16 mov eax, dword ptr fs:[00000030h] 2_2_0172AA16
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01678A0A mov eax, dword ptr fs:[00000030h] 2_2_01678A0A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166AA16 mov eax, dword ptr fs:[00000030h] 2_2_0166AA16
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01683A1C mov eax, dword ptr fs:[00000030h] 2_2_01683A1C
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01665210 mov eax, dword ptr fs:[00000030h] 2_2_01665210
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01665210 mov ecx, dword ptr fs:[00000030h] 2_2_01665210
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692AE4 mov eax, dword ptr fs:[00000030h] 2_2_01692AE4
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h] 2_2_01724AEF
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692ACB mov eax, dword ptr fs:[00000030h] 2_2_01692ACB
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h] 2_2_016652A5
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167AAB0 mov eax, dword ptr fs:[00000030h] 2_2_0167AAB0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0169FAB0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169D294 mov eax, dword ptr fs:[00000030h] 2_2_0169D294
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168C577 mov eax, dword ptr fs:[00000030h] 2_2_0168C577
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A3D43 mov eax, dword ptr fs:[00000030h] 2_2_016A3D43
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E3540 mov eax, dword ptr fs:[00000030h] 2_2_016E3540
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01713D40 mov eax, dword ptr fs:[00000030h] 2_2_01713D40
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01687D50 mov eax, dword ptr fs:[00000030h] 2_2_01687D50
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738D34 mov eax, dword ptr fs:[00000030h] 2_2_01738D34
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172E539 mov eax, dword ptr fs:[00000030h] 2_2_0172E539
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01694D3B mov eax, dword ptr fs:[00000030h] 2_2_01694D3B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h] 2_2_01673D34
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166AD30 mov eax, dword ptr fs:[00000030h] 2_2_0166AD30
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016EA537 mov eax, dword ptr fs:[00000030h] 2_2_016EA537
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01718DF1 mov eax, dword ptr fs:[00000030h] 2_2_01718DF1
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167D5E0 mov eax, dword ptr fs:[00000030h] 2_2_0167D5E0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172FDE2 mov eax, dword ptr fs:[00000030h] 2_2_0172FDE2
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h] 2_2_016E6DC9
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6DC9 mov ecx, dword ptr fs:[00000030h] 2_2_016E6DC9
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016935A1 mov eax, dword ptr fs:[00000030h] 2_2_016935A1
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01691DB5 mov eax, dword ptr fs:[00000030h] 2_2_01691DB5
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017305AC mov eax, dword ptr fs:[00000030h] 2_2_017305AC
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692581 mov eax, dword ptr fs:[00000030h] 2_2_01692581
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h] 2_2_01662D8A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01722D82 mov eax, dword ptr fs:[00000030h] 2_2_01722D82
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169FD9B mov eax, dword ptr fs:[00000030h] 2_2_0169FD9B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168746D mov eax, dword ptr fs:[00000030h] 2_2_0168746D
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h] 2_2_0169AC7B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h] 2_2_0168B477
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169A44B mov eax, dword ptr fs:[00000030h] 2_2_0169A44B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FC450 mov eax, dword ptr fs:[00000030h] 2_2_016FC450
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169BC2C mov eax, dword ptr fs:[00000030h] 2_2_0169BC2C
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6C0A mov eax, dword ptr fs:[00000030h] 2_2_016E6C0A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h] 2_2_01721C06
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0173740D mov eax, dword ptr fs:[00000030h] 2_2_0173740D
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017214FB mov eax, dword ptr fs:[00000030h] 2_2_017214FB
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6CF0 mov eax, dword ptr fs:[00000030h] 2_2_016E6CF0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738CD6 mov eax, dword ptr fs:[00000030h] 2_2_01738CD6
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h] 2_2_01724496
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167849B mov eax, dword ptr fs:[00000030h] 2_2_0167849B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167FF60 mov eax, dword ptr fs:[00000030h] 2_2_0167FF60
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738F6A mov eax, dword ptr fs:[00000030h] 2_2_01738F6A
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167EF40 mov eax, dword ptr fs:[00000030h] 2_2_0167EF40
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01664F2E mov eax, dword ptr fs:[00000030h] 2_2_01664F2E
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B73D mov eax, dword ptr fs:[00000030h] 2_2_0168B73D
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169E730 mov eax, dword ptr fs:[00000030h] 2_2_0169E730
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169A70E mov eax, dword ptr fs:[00000030h] 2_2_0169A70E
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0173070D mov eax, dword ptr fs:[00000030h] 2_2_0173070D
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168F716 mov eax, dword ptr fs:[00000030h] 2_2_0168F716
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FFF10 mov eax, dword ptr fs:[00000030h] 2_2_016FFF10
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A37F5 mov eax, dword ptr fs:[00000030h] 2_2_016A37F5
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01678794 mov eax, dword ptr fs:[00000030h] 2_2_01678794
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E7794 mov eax, dword ptr fs:[00000030h] 2_2_016E7794
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167766D mov eax, dword ptr fs:[00000030h] 2_2_0167766D
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168AE73 mov eax, dword ptr fs:[00000030h] 2_2_0168AE73
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01677E41 mov eax, dword ptr fs:[00000030h] 2_2_01677E41
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172AE44 mov eax, dword ptr fs:[00000030h] 2_2_0172AE44
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166E620 mov eax, dword ptr fs:[00000030h] 2_2_0166E620
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0171FE3F mov eax, dword ptr fs:[00000030h] 2_2_0171FE3F
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166C600 mov eax, dword ptr fs:[00000030h] 2_2_0166C600
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01698E00 mov eax, dword ptr fs:[00000030h] 2_2_01698E00
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169A61C mov eax, dword ptr fs:[00000030h] 2_2_0169A61C
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721608 mov eax, dword ptr fs:[00000030h] 2_2_01721608
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016776E2 mov eax, dword ptr fs:[00000030h] 2_2_016776E2
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016916E0 mov ecx, dword ptr fs:[00000030h] 2_2_016916E0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738ED6 mov eax, dword ptr fs:[00000030h] 2_2_01738ED6
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016936CC mov eax, dword ptr fs:[00000030h] 2_2_016936CC
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A8EC7 mov eax, dword ptr fs:[00000030h] 2_2_016A8EC7
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0171FEC0 mov eax, dword ptr fs:[00000030h] 2_2_0171FEC0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E46A7 mov eax, dword ptr fs:[00000030h] 2_2_016E46A7
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01730EA5 mov eax, dword ptr fs:[00000030h] 2_2_01730EA5
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FFE87 mov eax, dword ptr fs:[00000030h] 2_2_016FFE87
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05433540 mov eax, dword ptr fs:[00000030h] 16_2_05433540
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053E4D3B mov eax, dword ptr fs:[00000030h] 16_2_053E4D3B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05463D40 mov eax, dword ptr fs:[00000030h] 16_2_05463D40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053C3D34 mov eax, dword ptr fs:[00000030h] 16_2_053C3D34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053BAD30 mov eax, dword ptr fs:[00000030h] 16_2_053BAD30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053DC577 mov eax, dword ptr fs:[00000030h] 16_2_053DC577
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053D7D50 mov eax, dword ptr fs:[00000030h] 16_2_053D7D50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0543A537 mov eax, dword ptr fs:[00000030h] 16_2_0543A537
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05488D34 mov eax, dword ptr fs:[00000030h] 16_2_05488D34
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F3D43 mov eax, dword ptr fs:[00000030h] 16_2_053F3D43
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0547E539 mov eax, dword ptr fs:[00000030h] 16_2_0547E539
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05436DC9 mov eax, dword ptr fs:[00000030h] 16_2_05436DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05436DC9 mov ecx, dword ptr fs:[00000030h] 16_2_05436DC9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053E1DB5 mov eax, dword ptr fs:[00000030h] 16_2_053E1DB5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053E35A1 mov eax, dword ptr fs:[00000030h] 16_2_053E35A1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053EFD9B mov eax, dword ptr fs:[00000030h] 16_2_053EFD9B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0547FDE2 mov eax, dword ptr fs:[00000030h] 16_2_0547FDE2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053B2D8A mov eax, dword ptr fs:[00000030h] 16_2_053B2D8A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05468DF1 mov eax, dword ptr fs:[00000030h] 16_2_05468DF1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053E2581 mov eax, dword ptr fs:[00000030h] 16_2_053E2581
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053CD5E0 mov eax, dword ptr fs:[00000030h] 16_2_053CD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_054805AC mov eax, dword ptr fs:[00000030h] 16_2_054805AC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053EBC2C mov eax, dword ptr fs:[00000030h] 16_2_053EBC2C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0544C450 mov eax, dword ptr fs:[00000030h] 16_2_0544C450
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05471C06 mov eax, dword ptr fs:[00000030h] 16_2_05471C06
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0548740D mov eax, dword ptr fs:[00000030h] 16_2_0548740D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05436C0A mov eax, dword ptr fs:[00000030h] 16_2_05436C0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053D746D mov eax, dword ptr fs:[00000030h] 16_2_053D746D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053EA44B mov eax, dword ptr fs:[00000030h] 16_2_053EA44B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05488CD6 mov eax, dword ptr fs:[00000030h] 16_2_05488CD6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053C849B mov eax, dword ptr fs:[00000030h] 16_2_053C849B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05436CF0 mov eax, dword ptr fs:[00000030h] 16_2_05436CF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_054714FB mov eax, dword ptr fs:[00000030h] 16_2_054714FB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053EE730 mov eax, dword ptr fs:[00000030h] 16_2_053EE730
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053B4F2E mov eax, dword ptr fs:[00000030h] 16_2_053B4F2E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05488F6A mov eax, dword ptr fs:[00000030h] 16_2_05488F6A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053DF716 mov eax, dword ptr fs:[00000030h] 16_2_053DF716
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053EA70E mov eax, dword ptr fs:[00000030h] 16_2_053EA70E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0548070D mov eax, dword ptr fs:[00000030h] 16_2_0548070D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0544FF10 mov eax, dword ptr fs:[00000030h] 16_2_0544FF10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053CFF60 mov eax, dword ptr fs:[00000030h] 16_2_053CFF60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053CEF40 mov eax, dword ptr fs:[00000030h] 16_2_053CEF40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053C8794 mov eax, dword ptr fs:[00000030h] 16_2_053C8794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053F37F5 mov eax, dword ptr fs:[00000030h] 16_2_053F37F5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_05437794 mov eax, dword ptr fs:[00000030h] 16_2_05437794
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_0547AE44 mov eax, dword ptr fs:[00000030h] 16_2_0547AE44
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053BE620 mov eax, dword ptr fs:[00000030h] 16_2_053BE620
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053EA61C mov eax, dword ptr fs:[00000030h] 16_2_053EA61C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 16_2_053BC600 mov eax, dword ptr fs:[00000030h] 16_2_053BC600
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0040ACF0 LdrLoadDll, 2_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B439B SetUnhandledExceptionFilter, 1_2_003B439B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_003B43CC
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_003B439B SetUnhandledExceptionFilter, 2_2_003B439B
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_003B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_003B43CC

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 188.114.96.10 80
Source: C:\Windows\explorer.exe Network Connect: 154.85.152.171 80
Source: C:\Windows\explorer.exe Domain query: www.informacion-numero-24-h.site
Source: C:\Windows\explorer.exe Domain query: www.tzjisheng.com
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1040000
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 3968
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Process created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"
Source: explorer.exe, 00000005.00000000.255915814.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.278458875.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.295991072.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.265115735.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.301324707.0000000005920000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.256196895.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.370103670.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.256196895.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.370103670.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.369902961.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.278476010.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.255927905.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.256196895.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.370103670.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B3283 cpuid 1_2_003B3283
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 1_2_003B3EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_003B3EC8
Source: C:\Users\user\Desktop\inlaww321345.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646

Stealing of Sensitive Information

Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY