

Analysis Report PORT AGENCY APPOINTMENT.exe

Overview

General Information

Sample Name: PORT AGENCY APPOINTMENT.exe
Analysis ID: 310947
MD5: d76be82e5668e612cfef3fb40004393f
SHA1: e8a11f6b3cef621596dafec054d859504df83cc7
SHA256: 16b440cc5de0bd4de364a024da4b136961cfe878b31b85e7140fec0f7c541ec0
Tags: exe GuLoader

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PORT AGENCY APPOINTMENT.exe (PID: 5420 cmdline: 'C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe' MD5: D76BE82E5668E612CFEF3FB40004393F)
    • PORT AGENCY APPOINTMENT.exe (PID: 4784 cmdline: 'C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe' MD5: D76BE82E5668E612CFEF3FB40004393F)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 64 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
      • colorcpl.exe (PID: 5016 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
        • cmd.exe (PID: 3412 cmdline: /c del 'C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.470188499.00000000009E2000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x3d18:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000015.00000002.469885958.0000000000970000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000015.00000002.469885958.0000000000970000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.469885958.0000000000970000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183e9:$sqlite3step: 68 34 1C 7B E1
  • 0x184fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18418:$sqlite3text: 68 38 2A 90 C5
  • 0x1853d:$sqlite3text: 68 38 2A 90 C5
  • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18553:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.470415925.0000000000F60000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(18 memory-dump entries in total; the remaining entries are not shown here.)
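
The hex strings in the table are the raw bytes the rules match on. The three JPCERT/CC strings are each a `push imm32` (opcode 68) of a hashed API name that FormBook resolves at runtime, and the yara-signator `$sequence_0` is the RDTSC timing sequence the report flags elsewhere under its anti-analysis signatures. The block below is an added example, not part of the report or of either rule set: a small Yara-style scanner that searches a memory buffer for those exact patterns and decodes the 32-bit constants behind the pushes. The buffer is constructed; only the patterns come from the table.

```python
"""Scan a memory dump for the FormBook byte patterns quoted in the Yara matches above.

Added example, not part of the Joe Sandbox report or of the cited rules; the
hex strings are the ones the report lists, the dump is a constructed buffer.
"""
import re
import struct

# Hex patterns as printed in the report's Yara match output. "??" is a wildcard byte.
FORMBOOK_PATTERNS = {
    # JPCERT/CC rule strings: each is `push imm32` (opcode 68) of a hashed API name
    # that FormBook resolves at runtime (sqlite3_step / _column_text / _column_blob).
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
    # yara-signator $sequence_0: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    # (the timing measurement the report flags as RDTSC-based evasion)
    "rdtsc_delta": "03 C8 0F 31 2B C1 89 45 FC",
}


def hex_pattern_to_regex(hexstr: str):
    """Turn a Yara-style hex string (with ?? wildcards) into a compiled bytes regex."""
    parts = []
    for tok in hexstr.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, patterns=FORMBOOK_PATTERNS) -> dict:
    """Return {pattern_name: [offsets]} for every pattern that occurs in buf."""
    hits = {}
    for name, hexstr in patterns.items():
        offsets = [m.start() for m in hex_pattern_to_regex(hexstr).finditer(buf)]
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(buf: bytes, off: int) -> int:
    """Decode the immediate of a `push imm32` (opcode 0x68) at off: the API hash constant."""
    if buf[off] != 0x68:
        raise ValueError(f"no push imm32 at offset {off:#x}")
    return struct.unpack_from("<I", buf, off + 1)[0]


def is_formbook(hits: dict) -> bool:
    """Mirror the JPCERT/CC rule condition: all three sqlite3 hash pushes must be present."""
    return all(k in hits for k in ("sqlite3step", "sqlite3text", "sqlite3blob"))


# Constructed dump: filler, the rdtsc sequence, then the three hash pushes with
# padding between them. Offsets: rdtsc at 16, pushes at 33, 42 and 51.
SAMPLE_DUMP = (
    b"\x90" * 16
    + bytes.fromhex("03C80F312BC18945FC")
    + b"\xcc" * 8
    + bytes.fromhex("68341C7BE1") + b"\x00" * 4
    + bytes.fromhex("68382A90C5") + b"\x00" * 4
    + bytes.fromhex("6853D87F8C")
)


def report(buf: bytes) -> dict:
    """Scan buf and decode the hash constant behind each sqlite3 push that was found."""
    hits = scan(buf)
    hashes = {name: [push_imm32(buf, o) for o in offs]
              for name, offs in hits.items() if name.startswith("sqlite3")}
    return {"hits": hits, "api_hashes": hashes, "formbook": is_formbook(hits)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_DUMP).items():
        print(key, value)
```

Running it on a real dump (one of the `.sdmp` regions above, read with `open(path, "rb").read()`) reproduces the JPCERT/CC hits; the decoded constants (for example 0xE17B1C34 behind `$sqlite3step`) are the values to look for in the loader's API-hash resolver when the sample is unpacked by hand.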

Sigma Overview

No Sigma rule has matched

Signature Overview

      AV Detection:

Antivirus detection for URL or domain
Source: https://redesuperpops.com.br/spike/anyiba_ieUWV173.bin | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: redesuperpops.com.br | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: PORT AGENCY APPOINTMENT.exe | ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match | File source: 00000015.00000002.469885958.0000000000970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.470415925.0000000000F60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.468947848.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.400562202.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.406523710.000000001E010000.00000040.00000001.sdmp, type: MEMORY
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 4x nop then pop ebx | 12_2_000A7AFB
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 4x nop then pop edi | 12_2_000AE450
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 4x nop then pop edi | 12_2_000B6C82
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 4x nop then pop edi | 12_2_000B7D4A
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop ebx | 21_2_006E7AFB
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop edi | 21_2_006EE450
Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 4x nop then pop edi | 21_2_006F7D4A
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 192.185.216.181
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: redesuperpops.com.br
Source: explorer.exe, 00000010.00000000.365102350.0000000008A14000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000010.00000000.365195344.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.400841935.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://redesuperpops.com.br/spike/anyiba_ieUWV173.bin
Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735

      E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000015.00000002.469885958.0000000000970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.470415925.0000000000F60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.468947848.00000000006E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.400562202.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.406523710.000000001E010000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000015.00000002.470188499.00000000009E2000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000015.00000002.469885958.0000000000970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.469885958.0000000000970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.470415925.0000000000F60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.470415925.0000000000F60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.468947848.00000000006E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.468947848.00000000006E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.472553163.0000000004C0F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000C.00000002.400562202.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.400562202.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.406523710.000000001E010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.406523710.000000001E010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 0_2_020DCBEC NtProtectVirtualMemory
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B96E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B97A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B95D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B98F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B99A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9650 NtQueryValueKey
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B96D0 NtCreateKey
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2BA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9760 NtOpenProcess
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2BA770 NtOpenThread
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9770 NtSetInformationFile
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2BAD30 NtSetContextThread
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9560 NtWriteFile
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9A10 NtQuerySection
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9B00 NtSetValueKey
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2BA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9820 NtEnumerateKey
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2BB040 NtSuspendThread
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B9950 NtQueueApcThread
Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2B99D0 NtCreateProcessEx
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_04749540 NtReadFile,LdrInitializeThunk,21_2_04749540
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_047495D0 NtClose,LdrInitializeThunk,21_2_047495D0
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_04749660 NtAllocateVirtualMemory,LdrInitializeThunk,21_2_04749660
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_04749650 NtQueryValueKey,LdrInitializeThunk,21_2_04749650
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_047496E0 NtFreeVirtualMemory,LdrInitializeThunk,21_2_047496E0
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_047496D0 NtCreateKey,LdrInitializeThunk,21_2_047496D0
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_04749710 NtQueryInformationToken,LdrInitializeThunk,21_2_04749710
      Source: C:\Windows\SysWOW64\colorcpl.exeCode function: 21_2_04749FE0 NtCreateMutant,LdrInitializeThunk,21_2_04749FE0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749780 NtMapViewOfSection,LdrInitializeThunk, 21_2_04749780
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749860 NtQuerySystemInformation,LdrInitializeThunk, 21_2_04749860
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749840 NtDelayExecution,LdrInitializeThunk, 21_2_04749840
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749910 NtAdjustPrivilegesToken,LdrInitializeThunk, 21_2_04749910
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047499A0 NtCreateSection,LdrInitializeThunk, 21_2_047499A0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749A50 NtCreateFile,LdrInitializeThunk, 21_2_04749A50
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749560 NtWriteFile, 21_2_04749560
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0474AD30 NtSetContextThread, 21_2_0474AD30
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749520 NtWaitForSingleObject, 21_2_04749520
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047495F0 NtQueryInformationFile, 21_2_047495F0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749670 NtQueryInformationProcess, 21_2_04749670
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749610 NtEnumerateValueKey, 21_2_04749610
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0474A770 NtOpenThread, 21_2_0474A770
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749770 NtSetInformationFile, 21_2_04749770
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749760 NtOpenProcess, 21_2_04749760
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749730 NtQueryVirtualMemory, 21_2_04749730
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0474A710 NtOpenProcessToken, 21_2_0474A710
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047497A0 NtUnmapViewOfSection, 21_2_047497A0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0474B040 NtSuspendThread, 21_2_0474B040
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749820 NtEnumerateKey, 21_2_04749820
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047498F0 NtReadVirtualMemory, 21_2_047498F0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047498A0 NtWriteVirtualMemory, 21_2_047498A0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749950 NtQueueApcThread, 21_2_04749950
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047499D0 NtCreateProcessEx, 21_2_047499D0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749A20 NtResumeThread, 21_2_04749A20
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749A10 NtQuerySection, 21_2_04749A10
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749A00 NtProtectVirtualMemory, 21_2_04749A00
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749A80 NtOpenDirectoryObject, 21_2_04749A80
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04749B00 NtSetValueKey, 21_2_04749B00
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0474A3B0 NtGetContextThread, 21_2_0474A3B0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006F9D40 NtCreateFile, 21_2_006F9D40
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006F9DF0 NtReadFile, 21_2_006F9DF0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006F9E70 NtClose, 21_2_006F9E70
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006F9F20 NtAllocateVirtualMemory, 21_2_006F9F20
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006F9D3B NtCreateFile, 21_2_006F9D3B
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006F9DEA NtReadFile, 21_2_006F9DEA
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006F9D92 NtCreateFile, 21_2_006F9D92
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 0_2_00401675 0_2_00401675
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E296E30 12_2_1E296E30
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E33D616 12_2_1E33D616
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E342EF7 12_2_1E342EF7
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E341FF1 12_2_1E341FF1
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E34DFCE 12_2_1E34DFCE
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E28841F 12_2_1E28841F
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E33D466 12_2_1E33D466
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E29B477 12_2_1E29B477
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E334496 12_2_1E334496
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E270D20 12_2_1E270D20
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E342D07 12_2_1E342D07
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E341D55 12_2_1E341D55
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E2A2581 12_2_1E2A2581
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E332D82 12_2_1E332D82
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E28D5E0 12_2_1E28D5E0
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E3425DD 12_2_1E3425DD
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E32FA2B 12_2_1E32FA2B
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E29B236 12_2_1E29B236
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E3422AE 12_2_1E3422AE
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E334AEF 12_2_1E334AEF
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E342B28 12_2_1E342B28
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E29A309 12_2_1E29A309
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E29AB40 12_2_1E29AB40
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E31CB4F 12_2_1E31CB4F
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E2AEBB0 12_2_1E2AEBB0
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E2A138B 12_2_1E2A138B
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E29EB9A 12_2_1E29EB9A
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E3223E3 12_2_1E3223E3
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E33DBD2 12_2_1E33DBD2
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E3303DA 12_2_1E3303DA
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E2AABD8 12_2_1E2AABD8
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E34E824 12_2_1E34E824
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E29A830 12_2_1E29A830
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E331002 12_2_1E331002
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E2A20A0 12_2_1E2A20A0
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E3420A8 12_2_1E3420A8
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E28B090 12_2_1E28B090
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E3428EC 12_2_1E3428EC
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E294120 12_2_1E294120
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E27F900 12_2_1E27F900
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_1E2999BF 12_2_1E2999BF
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_00081069 12_2_00081069
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_00089862 12_2_00089862
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_00081072 12_2_00081072
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_00082CEC 12_2_00082CEC
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_00082CF2 12_2_00082CF2
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_00088132 12_2_00088132
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_0008DD9F 12_2_0008DD9F
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_0008AA32 12_2_0008AA32
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_00085B1F 12_2_00085B1F
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_00085B22 12_2_00085B22
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000BD194 12_2_000BD194
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000BE241 12_2_000BE241
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000A2D90 12_2_000A2D90
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000A9E40 12_2_000A9E40
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000A2FB0 12_2_000A2FB0
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000BDFE8 12_2_000BDFE8
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000FAA32 12_2_000FAA32
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000F1069 12_2_000F1069
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000F9862 12_2_000F9862
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000F1072 12_2_000F1072
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000F2CEC 12_2_000F2CEC
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000F2CF2 12_2_000F2CF2
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000F5B1F 12_2_000F5B1F
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: 12_2_000F5B22 12_2_000F5B22
      Source: C:\Windows\explorer.exe Code function: 16_2_06377A32 16_2_06377A32
      Source: C:\Windows\explorer.exe Code function: 16_2_0636E072 16_2_0636E072
      Source: C:\Windows\explorer.exe Code function: 16_2_06376862 16_2_06376862
      Source: C:\Windows\explorer.exe Code function: 16_2_0637AA6F 16_2_0637AA6F
      Source: C:\Windows\explorer.exe Code function: 16_2_0636E069 16_2_0636E069
      Source: C:\Windows\explorer.exe Code function: 16_2_0636FCF2 16_2_0636FCF2
      Source: C:\Windows\explorer.exe Code function: 16_2_0636FCEC 16_2_0636FCEC
      Source: C:\Windows\explorer.exe Code function: 16_2_06375132 16_2_06375132
      Source: C:\Windows\explorer.exe Code function: 16_2_06372B22 16_2_06372B22
      Source: C:\Windows\explorer.exe Code function: 16_2_06372B1F 16_2_06372B1F
      Source: C:\Windows\explorer.exe Code function: 16_2_0637AB0E 16_2_0637AB0E
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0472B477 21_2_0472B477
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047CD466 21_2_047CD466
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0471841F 21_2_0471841F
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047C4496 21_2_047C4496
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047D1D55 21_2_047D1D55
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04700D20 21_2_04700D20
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047D2D07 21_2_047D2D07
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0471D5E0 21_2_0471D5E0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047D25DD 21_2_047D25DD
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04732581 21_2_04732581
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047C2D82 21_2_047C2D82
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04726E30 21_2_04726E30
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047CD616 21_2_047CD616
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047D2EF7 21_2_047D2EF7
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047D1FF1 21_2_047D1FF1
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047DDFCE 21_2_047DDFCE
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0472A830 21_2_0472A830
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047DE824 21_2_047DE824
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047C1002 21_2_047C1002
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047D28EC 21_2_047D28EC
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047320A0 21_2_047320A0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047D20A8 21_2_047D20A8
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0471B090 21_2_0471B090
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_04724120 21_2_04724120
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0470F900 21_2_0470F900
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047299BF 21_2_047299BF
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0472B236 21_2_0472B236
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047BFA2B 21_2_047BFA2B
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047C4AEF 21_2_047C4AEF
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047D22AE 21_2_047D22AE
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0472AB40 21_2_0472AB40
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047ACB4F 21_2_047ACB4F
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047D2B28 21_2_047D2B28
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0472A309 21_2_0472A309
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047B23E3 21_2_047B23E3
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047C03DA 21_2_047C03DA
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0473ABD8 21_2_0473ABD8
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_047CDBD2 21_2_047CDBD2
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0473EBB0 21_2_0473EBB0
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_0473138B 21_2_0473138B
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006FD194 21_2_006FD194
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006FE241 21_2_006FE241
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006E2D90 21_2_006E2D90
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006E9E40 21_2_006E9E40
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006FDFE8 21_2_006FDFE8
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: 21_2_006E2FB0 21_2_006E2FB0
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Code function: String function: 1E27B150 appears 139 times
      Source: C:\Windows\SysWOW64\colorcpl.exe Code function: String function: 0470B150 appears 136 times
      Source: PORT AGENCY APPOINTMENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: PORT AGENCY APPOINTMENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: PORT AGENCY APPOINTMENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: PORT AGENCY APPOINTMENT.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: PORT AGENCY APPOINTMENT.exe, 00000000.00000002.292181405.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameparabolized.exe vs PORT AGENCY APPOINTMENT.exe
      Source: PORT AGENCY APPOINTMENT.exe, 00000000.00000002.292341285.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PORT AGENCY APPOINTMENT.exe
      Source: PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.407167455.000000001E4FF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PORT AGENCY APPOINTMENT.exe
      Source: PORT AGENCY APPOINTMENT.exe, 0000000C.00000000.291349086.0000000000415000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameparabolized.exe vs PORT AGENCY APPOINTMENT.exe
      Source: PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.406245770.000000001DC40000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs PORT AGENCY APPOINTMENT.exe
      Source: PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.400783718.0000000000113000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamecolorcpl.exej% vs PORT AGENCY APPOINTMENT.exe
      Source: PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.406309193.000000001DDB0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs PORT AGENCY APPOINTMENT.exe
      Source: PORT AGENCY APPOINTMENT.exe Binary or memory string: OriginalFilenameparabolized.exe vs PORT AGENCY APPOINTMENT.exe
      Source: 00000015.00000002.470188499.00000000009E2000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000015.00000002.469885958.0000000000970000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000015.00000002.469885958.0000000000970000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000015.00000002.470415925.0000000000F60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000015.00000002.470415925.0000000000F60000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000015.00000002.468947848.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000015.00000002.468947848.00000000006E0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000015.00000002.472553163.0000000004C0F000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000C.00000002.400562202.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.400562202.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000C.00000002.406523710.000000001E010000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000C.00000002.406523710.000000001E010000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/0@1/1
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_01
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe File created: C:\Users\user\AppData\Local\Temp\~DFD3500F80500279AC.TMP
      Source: PORT AGENCY APPOINTMENT.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: PORT AGENCY APPOINTMENT.exe ReversingLabs: Detection: 14%
      Source: unknown Process created: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe 'C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe'
      Source: unknown Process created: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe 'C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
      Source: unknown Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Process created: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe 'C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe'
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\colorcpl.exe
      Source: C:\Windows\SysWOW64\colorcpl.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe'
      Source: Binary string: colorcpl.pdbGCTL source: PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.400775834.0000000000110000.00000040.00000001.sdmp
      Source: Binary string: colorcpl.pdb source: PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.400775834.0000000000110000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000000.365576543.0000000009B40000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.406745386.000000001E250000.00000040.00000001.sdmp, colorcpl.exe, 00000015.00000002.471109820.00000000046E0000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: PORT AGENCY APPOINTMENT.exe, colorcpl.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000000.365576543.0000000009B40000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: Process Memory Space: PORT AGENCY APPOINTMENT.exe PID: 5420, type: MEMORY
      Source: Yara match | File source: Process Memory Space: PORT AGENCY APPOINTMENT.exe PID: 4784, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match | File source: Process Memory Space: PORT AGENCY APPOINTMENT.exe PID: 5420, type: MEMORY
      Source: Yara match | File source: Process Memory Space: PORT AGENCY APPOINTMENT.exe PID: 4784, type: MEMORY
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 0_2_00412803 push eax; ret 0_2_00412842
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 0_2_020D4EF0 push ds; iretd 0_2_020D4F47
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 0_2_020D4F49 push ds; iretd 0_2_020D4F64
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_3_000A77D8 push edi; iretd 12_3_000A77DA
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_3_000A3FD4 push eax; retf 12_3_000A4039
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_3_000A23F0 pushfd ; iretd 12_3_000A23F1
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_1E2CD0D1 push ecx; ret 12_2_1E2CD0E4
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_0008E3E6 pushad ; ret 12_2_0008E3E7
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_000B71BE push esi; ret 12_2_000B71E6
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_000AE26A pushfd ; retf 12_2_000AE27D
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_000B9E3A push ss; ret 12_2_000B9E3B
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_000BCE95 push eax; ret 12_2_000BCEE8
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_000BCEEB push eax; ret 12_2_000BCF52
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_000BCEE2 push eax; ret 12_2_000BCEE8
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 12_2_000BCF4C push eax; ret 12_2_000BCF52
      Source: C:\Windows\explorer.exe | Code function: 16_2_0637B3E6 pushad ; ret 16_2_0637B3E7
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_0475D0D1 push ecx; ret 21_2_0475D0E4
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_006F71BE push esi; ret 21_2_006F71E6
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_006EE26A pushfd ; retf 21_2_006EE27D
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_006F9E3A push ss; ret 21_2_006F9E3B
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_006FCEEB push eax; ret 21_2_006FCF52
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_006FCEE2 push eax; ret 21_2_006FCEE8
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_006FCE95 push eax; ret 21_2_006FCEE8
      Source: C:\Windows\SysWOW64\colorcpl.exe | Code function: 21_2_006FCF4C push eax; ret 21_2_006FCF52

      Hooking and other Techniques for Hiding and Protection:

      Modifies the prolog of user mode functions (user mode inline hooks)
      Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE0
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\colorcpl.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 00000000020DAEE7 second address: 00000000020DAEE7 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F5778948A18h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test bl, 00000018h 0x00000022 cmp cl, al 0x00000024 add edi, edx 0x00000026 test cx, ax 0x00000029 dec dword ptr [ebp+000000F8h] 0x0000002f cmp ah, bh 0x00000031 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000038 jne 00007F57789489A6h 0x0000003a jmp 00007F5778948A56h 0x0000003c test dl, 0000001Ch 0x0000003f test ax, dx 0x00000042 call 00007F5778948A91h 0x00000047 call 00007F5778948A2Ah 0x0000004c lfence 0x0000004f mov edx, dword ptr [7FFE0014h] 0x00000055 lfence 0x00000058 ret 0x00000059 mov esi, edx 0x0000005b pushad 0x0000005c rdtsc
      Tries to detect Any.run
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | File opened: C:\Program Files\qga\qga.exe
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | File opened: C:\Program Files\qga\qga.exe
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: PORT AGENCY APPOINTMENT.exe, 00000000.00000002.292310656.0000000000701000.00000004.00000020.sdmp | Binary or memory string: U-GA\QEMU-GA.EXE
      Source: PORT AGENCY APPOINTMENT.exe, PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.400841935.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 00000000020DAEE7 second address: 00000000020DAEE7 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F5778948A18h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f test bl, 00000018h 0x00000022 cmp cl, al 0x00000024 add edi, edx 0x00000026 test cx, ax 0x00000029 dec dword ptr [ebp+000000F8h] 0x0000002f cmp ah, bh 0x00000031 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000038 jne 00007F57789489A6h 0x0000003a jmp 00007F5778948A56h 0x0000003c test dl, 0000001Ch 0x0000003f test ax, dx 0x00000042 call 00007F5778948A91h 0x00000047 call 00007F5778948A2Ah 0x0000004c lfence 0x0000004f mov edx, dword ptr [7FFE0014h] 0x00000055 lfence 0x00000058 ret 0x00000059 mov esi, edx 0x0000005b pushad 0x0000005c rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 00000000020DAF5E second address: 00000000020DAF5E instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F5778CF2932h 0x0000001f popad 0x00000020 call 00007F5778CF2079h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 00000000020DD224 second address: 00000000020DD224 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov byte ptr [eax+ecx], 00000000h 0x00000007 jmp 00007F5778948A56h 0x00000009 test dh, ch 0x0000000b dec ecx 0x0000000c cmp ecx, 00000000h 0x0000000f jnl 00007F5778948971h 0x00000015 jmp 00007F5778948A56h 0x00000017 pushad 0x00000018 mov eax, 0000009Dh 0x0000001d rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 00000000020D9365 second address: 00000000020D9B51 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F5778CF6427h 0x00000008 call 00007F5778CED81Eh 0x0000000d pop dword ptr [ebp+00000110h] 0x00000013 mov edx, dword ptr [ebp+00000110h] 0x00000019 jmp 00007F5778CF1E6Ah 0x0000001b cmp edi, 5767F631h 0x00000021 cmp byte ptr [edx+02h], 0000003Ah 0x00000025 jne 00007F5778CF1F6Dh 0x0000002b push ecx 0x0000002c push ecx 0x0000002d jmp 00007F5778CF1E72h 0x0000002f cmp dl, 00000073h 0x00000032 push eax 0x00000033 push dword ptr [ebp+00000110h] 0x00000039 call 00007F5778CF220Eh 0x0000003e mov ecx, dword ptr [esp+0Ch] 0x00000042 jmp 00007F5778CF1E6Eh 0x00000044 cmp eax, eax 0x00000046 mov edx, dword ptr [esp+08h] 0x0000004a mov ebx, dword ptr [esp+04h] 0x0000004e jmp 00007F5778CF1E6Ah 0x00000050 test edx, edx 0x00000052 test ecx, ecx 0x00000054 je 00007F5778CF1F71h 0x0000005a jmp 00007F5778CF1E66h 0x0000005c cmp dh, dh 0x0000005e jmp 00007F5778CF1E6Ah 0x00000060 test cx, cx 0x00000063 jmp 00007F5778CF1E66h 0x00000065 test edi, 0D3067CFh 0x0000006b mov al, byte ptr [edx] 0x0000006d jmp 00007F5778CF1E72h 0x0000006f pushad 0x00000070 mov edx, 000000B2h 0x00000075 rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 00000000020D9B51 second address: 00000000020D9B51 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov byte ptr [ebx], al 0x00000005 inc ebx 0x00000006 inc edx 0x00000007 dec ecx 0x00000008 test ecx, ecx 0x0000000a jne 00007F5778948960h 0x00000010 jmp 00007F5778948A56h 0x00000012 test edi, 0D3067CFh 0x00000018 mov al, byte ptr [edx] 0x0000001a jmp 00007F5778948A62h 0x0000001c pushad 0x0000001d mov edx, 000000B2h 0x00000022 rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 000000000056AF5E second address: 000000000056AF5E instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F5778CF2932h 0x0000001f popad 0x00000020 call 00007F5778CF2079h 0x00000025 lfence 0x00000028 rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 000000000056D224 second address: 000000000056D224 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov byte ptr [eax+ecx], 00000000h 0x00000007 jmp 00007F5778948A56h 0x00000009 test dh, ch 0x0000000b dec ecx 0x0000000c cmp ecx, 00000000h 0x0000000f jnl 00007F5778948971h 0x00000015 jmp 00007F5778948A56h 0x00000017 pushad 0x00000018 mov eax, 0000009Dh 0x0000001d rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 0000000000569B51 second address: 0000000000569B51 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov byte ptr [ebx], al 0x00000005 inc ebx 0x00000006 inc edx 0x00000007 dec ecx 0x00000008 test ecx, ecx 0x0000000a jne 00007F5778CF1D70h 0x00000010 jmp 00007F5778CF1E66h 0x00000012 test edi, 0D3067CFh 0x00000018 mov al, byte ptr [edx] 0x0000001a jmp 00007F5778CF1E72h 0x0000001c pushad 0x0000001d mov edx, 000000B2h 0x00000022 rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 00000000006E98E4 second address: 00000000006E98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\colorcpl.exe | RDTSC instruction interceptor: First address: 00000000006E9B5E second address: 00000000006E9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Code function: 0_2_020D4E0F rdtsc 0_2_020D4E0F
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe | Window / User API: threadDelayed 780
      Source: C:\Users\user\Desktop\PORT AGENCY APPOINTMENT.exe TID: 2288 | Thread sleep count: 780 > 30
      Source: C:\Windows\explorer.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: explorer.exe, 00000010.00000000.364166392.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
      Source: explorer.exe, 00000010.00000000.364166392.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
      Source: explorer.exe, 00000010.00000000.363807802.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
      Source: explorer.exe, 00000010.00000000.363281875.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: explorer.exe, 00000010.00000000.364166392.000000000871F000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&K
      Source: explorer.exe, 00000010.00000002.480376408.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
      Source: PORT AGENCY APPOINTMENT.exe, 00000000.00000002.292310656.0000000000701000.00000004.00000020.sdmp | Binary or memory string: u-ga\qemu-ga.exe
      Source: explorer.exe, 00000010.00000000.364166392.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
      Source: explorer.exe, 00000010.00000000.364166392.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
      Source: explorer.exe, 00000010.00000000.364277923.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
      Source: explorer.exe, 00000010.00000002.480428275.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
      Source: explorer.exe, 00000010.00000000.363281875.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: PORT AGENCY APPOINTMENT.exe, PORT AGENCY APPOINTMENT.exe, 0000000C.00000002.400841935.0000000000560000.00000040.00000001.sdmp | Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: explorer.exe, 00000010.00000000.363281875.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: explorer.exe, 00000010.00000002.480457011.000000000562F000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: explorer.exe, 00000010.00000000.363281875.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.