Analysis Report PO#560.zip.exe

Overview

General Information

Sample Name: PO#560.zip.exe
Analysis ID: 383967
MD5: 225f5938273f006356fd813e46e3fcef
SHA1: 347cd34fd095ae8f843ee436dde5043bba8fb192
SHA256: 69a395d24a3536ef7698ae036596bed55856d4777356946f498faec3f1395f8d
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses an obfuscated file name to hide its real file extension (double extension)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO#560.zip.exe (PID: 3468 cmdline: 'C:\Users\user\Desktop\PO#560.zip.exe' MD5: 225F5938273F006356FD813E46E3FCEF)
    • PO#560.zip.exe (PID: 5448 cmdline: {path} MD5: 225F5938273F006356FD813E46E3FCEF)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 4952 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 1308 cmdline: /c del 'C:\Users\user\Desktop\PO#560.zip.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
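The process tree above is the behavioural core of the report: the sample re-launches itself, hands execution to explorer.exe by injection, explorer.exe then starts the 32-bit systray.exe from SysWOW64, and systray.exe runs cmd.exe /c del against the original dropper. The page notes that no Sigma rule matched, so the following is an added example (not part of the Joe Sandbox report, and not a Joe Security or Sigma rule) of detection logic over process-creation events shaped like that tree. PIDs, image names and command lines are taken from the Startup section; the event dictionary format, the parent PID of the first process, and the full paths for explorer.exe and cmd.exe are assumptions, since the report prints only PID, command line and MD5. Note that the report draws explorer.exe under the sample because of injection; in real endpoint telemetry explorer.exe's creating parent would be different, which is why the rules below key on explorer.exe spawning a SysWOW64 binary and on the self-delete, not on the sample being explorer.exe's parent.

```python
import re

# Process-creation events constructed from the report's Startup tree. PIDs,
# images and command lines come from the page; the dict shape, the ppid of the
# first process (1000) and the explorer.exe / cmd.exe paths are assumptions.
EVENTS = [
    {"pid": 3468, "ppid": 1000, "image": r"C:\Users\user\Desktop\PO#560.zip.exe",
     "cmdline": r"'C:\Users\user\Desktop\PO#560.zip.exe'"},
    {"pid": 5448, "ppid": 3468, "image": r"C:\Users\user\Desktop\PO#560.zip.exe",
     "cmdline": r"C:\Users\user\Desktop\PO#560.zip.exe"},
    {"pid": 3388, "ppid": 5448, "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 4952, "ppid": 3388, "image": r"C:\Windows\SysWOW64\systray.exe",
     "cmdline": r"C:\Windows\SysWOW64\systray.exe"},
    {"pid": 1308, "ppid": 4952, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\PO#560.zip.exe'"},
    {"pid": 3564, "ppid": 1308, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Document-looking extension followed by .exe (the report flags .zip.exe).
DOUBLE_EXT = re.compile(r"\.(zip|rar|pdf|docx?|xlsx?|jpe?g|png|txt)\.exe$", re.IGNORECASE)
DEL_CMD = re.compile(r"/c\s+del\b", re.IGNORECASE)
WIN_PATH = re.compile(r"[A-Za-z]:\\[^'\"]+")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(by_pid: dict, pid: int) -> list:
    """Walk ppid links upward; stops when the parent is not in the event set."""
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events: list) -> list:
    """Return (pid, rule) tuples for every event that trips one of three rules."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = e["image"].lower()
        parent = by_pid.get(e["ppid"])
        # 1. Double-extension executable run from a user profile directory.
        if DOUBLE_EXT.search(image) and "\\users\\" in image:
            alerts.append((e["pid"], "double-extension-executable"))
        # 2. explorer.exe starting a 32-bit system binary from SysWOW64 on a
        #    64-bit host; here the injected explorer launching systray.exe.
        if parent and basename(parent["image"]) == "explorer.exe" and "\\syswow64\\" in image:
            alerts.append((e["pid"], "explorer-spawns-syswow64-binary"))
        # 3. cmd.exe /c del whose target is the image of a process higher up
        #    the same chain: the dropper deleting itself after hand-off.
        if basename(image) == "cmd.exe" and DEL_CMD.search(e["cmdline"]):
            chain_images = {a["image"].lower() for a in ancestors(by_pid, e["ppid"])}
            if any(p.lower() in chain_images for p in WIN_PATH.findall(e["cmdline"])):
                alerts.append((e["pid"], "self-delete-of-dropper"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Rule 2 is the one worth tuning in production: explorer.exe legitimately starts SysWOW64 binaries when a user launches 32-bit software, so pair it with rule 3 or with the network signature (a SysWOW64 system utility beaconing over HTTP) before alerting at high severity.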

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.talllensphotography.com/md5/"], "decoy": ["gnd3.com", "thedrata.com", "carbeloy.com", "impactpittsburg.com", "sussage.com", "mikespencil.com", "ghoshtechno.com", "partnermassagetherapy.com", "nagago.asia", "parkviee.com", "kichisanpo.com", "awbaviation.com", "shopvibeup.com", "ab-alamode.com", "cash4homesutah.com", "funbrushstrokes.com", "adeleycar.com", "actsbooking.com", "rojorodi.icu", "fleurdelyscantho.com", "bobwhiteknives.com", "entrefloresdr.com", "eurostarcellars.com", "shipu143.com", "lindsaydrees.com", "turningtecc.com", "reusedearth.com", "theemperorbrand.com", "afrohiphops.com", "officehoursonly.com", "pharmacistscbd.com", "yaanpay.com", "mymoxypets.com", "sharehealthalliance.com", "sparktvnetwork.com", "marymoorridgecondo.com", "honest-woman.com", "blitzerfoto.net", "vanhanhnhansu.com", "lawyerspledge.com", "parkwashingtondc.com", "worldwideexpressweb.net", "oatml.com", "acquaintancenutritious.info", "lukmanmalik.xyz", "eudorabcantik.com", "fotosdepueblo.com", "latelierp.com", "dogmomtreats.com", "beerthirtyslc.com", "greenlightsmokables.com", "newyorkbusinesssolutions.com", "latravesia.net", "worldvisioncompany.com", "radiusbrisbane.com", "beachhammocking.com", "games-daizo.com", "customkreation.com", "universiteyehazirlan.com", "studentpalace.rentals", "vizecix.com", "new123movies.pro", "skincolored.com", "goldstespresso.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.479196744.0000000000B10000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.479196744.0000000000B10000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 further memory-dump entries are not shown on this page)

Unpacked PEs

Source | Rule | Description | Author
4.2.PO#560.zip.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.PO#560.zip.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.PO#560.zip.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
4.2.PO#560.zip.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.PO#560.zip.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry is not shown on this page)
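The string hits above are enough to rebuild a working check without the original rule files. The following is an added example (not part of the Joe Sandbox report, and not the Joe Security, yara-signator or JPCERT/CC rule text): it takes a subset of the hex patterns and the offsets printed for 4.2.PO#560.zip.exe.400000.0.raw.unpack, emits an equivalent YARA rule body, and matches the patterns in a zero-filled buffer constructed here with the patterns planted at the reported offsets, so it runs offline. Two things the tables show but do not say: $sequence_0 decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, which is the RDTSC timing check the signature list reports, and the three JPCERT strings are each a push imm32 of a hashed API name (FormBook resolves imports by hash rather than by string). Also, every offset in the .unpack entries is exactly 0xE00 lower than its .raw.unpack counterpart, which is what you expect when the same image is laid out with file alignment versus section alignment; report hits against whichever layout you actually scanned. The rule name, the "3 of them" condition and the buffer size are assumptions.

```python
# Yara strings transcribed from the report's Unpacked PEs table
# (4.2.PO#560.zip.exe.400000.0.raw.unpack). A subset is used to keep the
# example short; the rule names are kept as the report prints them.
SEQUENCES = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",     # mov [edx+eax],cx; pop ebx; mov esp,ebp; pop ebp
    "$sqlite3step": "68 34 1C 7B E1",             # push 0xE17B1C34 (hashed API name)
    "$sqlite3text": "68 38 2A 90 C5",             # push 0xC5902A38
    "$sqlite3blob": "68 53 D8 7F 8C",             # push 0x8C7FD853
}

# Offsets the report lists for these strings in the .raw.unpack image.
REPORTED_OFFSETS = {
    "$sequence_0": [0x98e8, 0x9b62],
    "$sequence_7": [0xb273],
    "$sqlite3step": [0x18409, 0x1851c],
    "$sqlite3text": [0x18438, 0x1855d],
    "$sqlite3blob": [0x1844b, 0x18573],
}

# Observed delta between the .raw.unpack and .unpack offsets in the report.
RAW_TO_UNPACK_DELTA = 0xE00


def hex_to_bytes(pattern: str) -> bytes:
    return bytes.fromhex(pattern.replace(" ", ""))


def find_all(buf: bytes, needle: bytes) -> list:
    """All offsets of needle in buf, including overlapping occurrences."""
    hits, start = [], 0
    while (i := buf.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def scan(buf: bytes, sequences: dict = SEQUENCES) -> dict:
    return {name: find_all(buf, hex_to_bytes(h)) for name, h in sequences.items()}


def push_imm32(pattern: str):
    """Decode a 5-byte `68 xx xx xx xx` (push imm32) string to its constant, else None."""
    b = hex_to_bytes(pattern)
    if len(b) != 5 or b[0] != 0x68:
        return None
    return int.from_bytes(b[1:], "little")


def raw_to_unpack_offset(raw_offset: int) -> int:
    """Map a .raw.unpack offset to the corresponding .unpack offset (delta from the report)."""
    return raw_offset - RAW_TO_UNPACK_DELTA


def build_rule(name: str = "FormBook_from_report", sequences: dict = SEQUENCES, minimum: int = 3) -> str:
    """Emit YARA rule text equivalent to the hex strings above (name and condition are assumptions)."""
    lines = [f"rule {name} {{", "    strings:"]
    for n, h in sequences.items():
        lines.append(f"        {n} = {{ {h} }}")
    lines += ["    condition:", f"        uint16(0) == 0x5A4D and {minimum} of them", "}"]
    return "\n".join(lines)


def constructed_buffer(size: int = 0x20000, offsets: dict = REPORTED_OFFSETS,
                       sequences: dict = SEQUENCES) -> bytes:
    """Constructed stand-in for the unpacked image: zeros, an MZ header, and the
    patterns planted at the reported offsets. This is not the sample."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    for name, offs in offsets.items():
        pat = hex_to_bytes(sequences[name])
        for off in offs:
            buf[off:off + len(pat)] = pat
    return bytes(buf)


def verify_against_report(buf: bytes = None) -> bool:
    """True when scanning reproduces exactly the offsets the report lists."""
    buf = constructed_buffer() if buf is None else buf
    return scan(buf) == REPORTED_OFFSETS


if __name__ == "__main__":
    print(build_rule())
    for name, offs in scan(constructed_buffer()).items():
        print(name, [hex(o) for o in offs])
```

Running the emitted rule through the real yara binary against the actual unpacked image is the proper test; the pure-Python matcher here only exists so the example needs no dependency.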

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: www.talllensphotography.com/md5/ | Avira URL Cloud: Label: malware
Source: http://www.talllensphotography.com/md5/?IBcTaR=Djxti6ShQzh8&DzrLH=JP702FCblU1K1nbBBTKIcgs3vFjx7LTnku6fbfQ3JvhMEqeKMVIpxerk2LYg3Mu/rBkV | Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.talllensphotography.com/md5/"], "decoy": ["gnd3.com", "thedrata.com", "carbeloy.com", "impactpittsburg.com", "sussage.com", "mikespencil.com", "ghoshtechno.com", "partnermassagetherapy.com", "nagago.asia", "parkviee.com", "kichisanpo.com", "awbaviation.com", "shopvibeup.com", "ab-alamode.com", "cash4homesutah.com", "funbrushstrokes.com", "adeleycar.com", "actsbooking.com", "rojorodi.icu", "fleurdelyscantho.com", "bobwhiteknives.com", "entrefloresdr.com", "eurostarcellars.com", "shipu143.com", "lindsaydrees.com", "turningtecc.com", "reusedearth.com", "theemperorbrand.com", "afrohiphops.com", "officehoursonly.com", "pharmacistscbd.com", "yaanpay.com", "mymoxypets.com", "sharehealthalliance.com", "sparktvnetwork.com", "marymoorridgecondo.com", "honest-woman.com", "blitzerfoto.net", "vanhanhnhansu.com", "lawyerspledge.com", "parkwashingtondc.com", "worldwideexpressweb.net", "oatml.com", "acquaintancenutritious.info", "lukmanmalik.xyz", "eudorabcantik.com", "fotosdepueblo.com", "latelierp.com", "dogmomtreats.com", "beerthirtyslc.com", "greenlightsmokables.com", "newyorkbusinesssolutions.com", "latravesia.net", "worldvisioncompany.com", "radiusbrisbane.com", "beachhammocking.com", "games-daizo.com", "customkreation.com", "universiteyehazirlan.com", "studentpalace.rentals", "vizecix.com", "new123movies.pro", "skincolored.com", "goldstespresso.com"]}
Multi AV Scanner detection for submitted file
Source: PO#560.zip.exe | Virustotal: Detection: 32%
Source: PO#560.zip.exe | ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.479196744.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.279265822.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.478037976.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.235177972.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.278875737.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.279183925.00000000012E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.PO#560.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.PO#560.zip.exe.400000.0.unpack, type: UNPACKEDPE
Source: 4.2.PO#560.zip.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO#560.zip.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO#560.zip.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb | source: PO#560.zip.exe, 00000004.00000002.279505547.00000000014C9000.00000004.00000020.sdmp
Source: Binary string: systray.pdbGCTL | source: PO#560.zip.exe, 00000004.00000002.279505547.00000000014C9000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO#560.zip.exe, 00000004.00000002.279978802.000000000188F000.00000040.00000001.sdmp, systray.exe, 0000000A.00000002.482167165.0000000004ABF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PO#560.zip.exe, 00000004.00000002.279978802.000000000188F000.00000040.00000001.sdmp, systray.exe
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4x nop then pop edi | 4_2_00416C9C
Source: C:\Windows\SysWOW64\systray.exe | Code function: 4x nop then pop edi | 10_2_008C6C9C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 185.53.177.14:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 185.53.177.14:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49734 -> 185.53.177.14:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 50.118.194.26:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 50.118.194.26:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 50.118.194.26:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.talllensphotography.com/md5/
Source: global traffic | HTTP traffic detected: GET /md5/?IBcTaR=Djxti6ShQzh8&DzrLH=KmRkPCie18HGThsKkJHqLKLrKfVDUYN2hxdl6/3xA/G+A1ySyYzJdTo7KJPmykLVFLh3 HTTP/1.1 | Host: www.mymoxypets.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /md5/?DzrLH=dXMJ/yrosuk4D2OPjKCB839u/6tvM7QWLhghObYdXqbvabebVJQVkG1vpLTC6vFDwMgu&IBcTaR=Djxti6ShQzh8 HTTP/1.1 | Host: www.new123movies.pro | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /md5/?IBcTaR=Djxti6ShQzh8&DzrLH=JP702FCblU1K1nbBBTKIcgs3vFjx7LTnku6fbfQ3JvhMEqeKMVIpxerk2LYg3Mu/rBkV HTTP/1.1 | Host: www.talllensphotography.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 151.101.1.211
Source: Joe Sandbox View | ASN Name: FASTLYUS
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View | ASN Name: TEAMINTERNET-ASDE
Source: unknown | DNS traffic detected: queries for: www.mymoxypets.com
Source: explorer.exe, 00000005.00000000.261798460.00000000089BF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO#560.zip.exe, 00000000.00000003.222424567.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.agfamonotype.
Source: PO#560.zip.exe, 00000000.00000003.213421217.00000000060AF000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO#560.zip.exe, 00000000.00000003.213564531.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: PO#560.zip.exe, 00000000.00000003.213718774.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com2
Source: PO#560.zip.exe, 00000000.00000003.213964934.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com3
Source: PO#560.zip.exe, 00000000.00000003.213824153.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com9
Source: PO#560.zip.exe, 00000000.00000003.213718774.00000000060B0000.00000004.00000001.sdmp, PO#560.zip.exe, 00000000.00000003.213964934.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: PO#560.zip.exe, 00000000.00000003.213964934.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comI
Source: PO#560.zip.exe, 00000000.00000003.214819617.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comQ
Source: PO#560.zip.exe, 00000000.00000003.213824153.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: PO#560.zip.exe, 00000000.00000003.213718774.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC)
Source: PO#560.zip.exe, 00000000.00000003.213564531.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTCm
Source: PO#560.zip.exe, 00000000.00000003.213824153.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: PO#560.zip.exe, 00000000.00000003.213824153.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comc
Source: PO#560.zip.exe, 00000000.00000003.213564531.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comdd_
Source: PO#560.zip.exe, 00000000.00000003.213564531.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comego
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO#560.zip.exe, 00000000.00000003.213564531.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: PO#560.zip.exe, 00000000.00000003.213718774.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comwdth
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO#560.zip.exe, 00000000.00000003.215738986.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers#
Source: PO#560.zip.exe, 00000000.00000003.215703797.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO#560.zip.exe, 00000000.00000003.216534912.00000000060B0000.00000004.00000001.sdmp, PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO#560.zip.exe, 00000000.00000003.216063105.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers:
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO#560.zip.exe, 00000000.00000003.215780122.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers_
Source: PO#560.zip.exe, 00000000.00000002.241188316.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comasef
Source: PO#560.zip.exe, 00000000.00000002.241188316.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comav
Source: PO#560.zip.exe, 00000000.00000002.241188316.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comrsiv
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO#560.zip.exe, 00000000.00000003.212947601.00000000060AE000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO#560.zip.exe, 00000000.00000003.212947601.00000000060AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn;
Source: PO#560.zip.exe, 00000000.00000003.212947601.00000000060AE000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnt-i%
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp, PO#560.zip.exe, 00000000.00000003.214435274.000000000608A000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO#560.zip.exe, 00000000.00000003.214335139.0000000006083000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp//d1
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/R
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/d
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/en-u
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/hs
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PO#560.zip.exe, 00000000.00000003.214608357.000000000608C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/I
Source: PO#560.zip.exe, 00000000.00000003.214608357.000000000608C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/hs
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u
Source: PO#560.zip.exe, 00000000.00000003.214521453.000000000608A000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/w
Source: PO#560.zip.exe, 00000000.00000003.213421217.00000000060AF000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.
Source: PO#560.zip.exe, 00000000.00000003.215072761.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: PO#560.zip.exe, 00000000.00000003.215261953.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.4
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO#560.zip.exe, 00000000.00000002.247136868.0000000007292000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO#560.zip.exe, 00000000.00000003.213564531.00000000060B0000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.261880107.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO#560.zip.exe, 00000000.00000003.213564531.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnalv
Source: PO#560.zip.exe, 00000000.00000003.213564531.00000000060B0000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnbio
Source: PO#560.zip.exe | String found in binary or memory: https://github.com/michel-pi/EasyBot.Net
Source: systray.exe, 0000000A.00000002.485148191.00000000053BF000.00000004.00000001.sdmp | String found in binary or memory: https://my.bigcartel.com;
Source: systray.exe, 0000000A.00000002.485148191.00000000053BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.mymoxypets.com/md5?IBcTaR=Djxti6ShQzh8&DzrLH=KmRkPCie18HGThsKkJHqLKLrKfVDUYN2hxdl6/3xA/G
Source: systray.exe, 0000000A.00000002.485148191.00000000053BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.mymoxypets.com/md5?IBcTaR=Djxti6ShQzh8&DzrLH=KmRkPCie18HGThsKkJHqLKLrKfVDUYN2hxdl6/3
Source: PO#560.zip.exe, 00000000.00000002.233962937.0000000001540000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
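The three observed GETs show the FormBook check-in pattern the Snort ET rules fire on: the configured path (/md5/) with two short alphanumeric parameter names, the first value (IBcTaR=Djxti6ShQzh8) identical across all three hosts, no User-Agent header, and the Host rotating between the one real C2 and domains from the decoy list. Only one of the three hosts is in the C2 list; the other two are decoys, so a block on www.talllensphotography.com alone misses two thirds of the traffic shape. The following is an added example (not part of the Joe Sandbox report and not Joe Security, Emerging Threats or FormBook code) that loads the extracted configuration, parses raw HTTP requests, and classifies each by host list membership, beacon URI shape and the missing User-Agent. The decoy list is cut down to a few entries from the full list above, the fourth request is a constructed benign control, and the request-parsing helper and rule names are assumptions; real log formats will need their own parser in front of `classify`.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Configuration as extracted in the report, with the decoy list cut down to a
# few entries (the full list is in the Malware Configuration section).
CONFIG_JSON = '''{"C2 list": ["www.talllensphotography.com/md5/"],
 "decoy": ["gnd3.com", "thedrata.com", "mymoxypets.com", "new123movies.pro", "goldstespresso.com"]}'''

# Raw requests. The first three are the GETs the sandbox observed; the fourth
# is a constructed benign request used as a negative control.
REQUESTS = [
    "GET /md5/?IBcTaR=Djxti6ShQzh8&DzrLH=KmRkPCie18HGThsKkJHqLKLrKfVDUYN2hxdl6/3xA/G+A1ySyYzJdTo7KJPmykLVFLh3 HTTP/1.1\r\nHost: www.mymoxypets.com\r\nConnection: close\r\n",
    "GET /md5/?DzrLH=dXMJ/yrosuk4D2OPjKCB839u/6tvM7QWLhghObYdXqbvabebVJQVkG1vpLTC6vFDwMgu&IBcTaR=Djxti6ShQzh8 HTTP/1.1\r\nHost: www.new123movies.pro\r\nConnection: close\r\n",
    "GET /md5/?IBcTaR=Djxti6ShQzh8&DzrLH=JP702FCblU1K1nbBBTKIcgs3vFjx7LTnku6fbfQ3JvhMEqeKMVIpxerk2LYg3Mu/rBkV HTTP/1.1\r\nHost: www.talllensphotography.com\r\nConnection: close\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: close\r\n",
]


def load_config(cfg_json: str):
    """Split the extractor's C2 entries into host and path; lowercase everything."""
    cfg = json.loads(cfg_json)
    c2_hosts, c2_paths = set(), set()
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2_hosts.add(host.lower())
        c2_paths.add("/" + path)
    decoys = {d.lower() for d in cfg["decoy"]}
    return c2_hosts, c2_paths, decoys


def host_matches(host: str, domains: set) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def parse_request(raw: str):
    """Minimal HTTP/1.x request-line and header parser (assumption: one request per string)."""
    lines = raw.strip().splitlines()
    method, uri, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return method, uri, headers


def looks_like_beacon(uri: str, c2_paths: set) -> bool:
    """Configured path plus exactly two short alphanumeric parameter names."""
    parts = urlsplit(uri)
    if parts.path not in c2_paths:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    return len(params) == 2 and all(k.isalnum() and len(k) <= 8 for k in params)


def classify(raw: str, cfg) -> list:
    c2_hosts, c2_paths, decoys = cfg
    method, uri, headers = parse_request(raw)
    host = headers.get("host", "")
    findings = []
    if host_matches(host, c2_hosts):
        findings.append("host-in-c2-list")
    elif host_matches(host, decoys):
        findings.append("host-in-decoy-list")
    if looks_like_beacon(uri, c2_paths):
        findings.append("formbook-beacon-uri")
    if method in ("GET", "POST") and "user-agent" not in headers:
        findings.append("no-user-agent")
    return findings


def triage(requests: list = REQUESTS, cfg_json: str = CONFIG_JSON) -> list:
    """(host, findings) per request; an empty findings list means nothing matched."""
    cfg = load_config(cfg_json)
    return [(parse_request(r)[2].get("host", ""), classify(r, cfg)) for r in requests]


if __name__ == "__main__":
    for host, findings in triage():
        print(host, findings or "-")
```

The beacon-shape rule is deliberately independent of the host so it still fires when the sample rotates to a decoy domain that is not in your block list; the host-list rules exist to tell the analyst which hit is the real C2 (worth blocking and tracing) and which are decoys (noise by design).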

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.479196744.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.279265822.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.478037976.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.235177972.0000000004239000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.278875737.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.279183925.00000000012E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.PO#560.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.PO#560.zip.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.479196744.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.479196744.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.279265822.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.279265822.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.478037976.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.478037976.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.235177972.0000000004239000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.235177972.0000000004239000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.278875737.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.278875737.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.279183925.00000000012E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.279183925.00000000012E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.PO#560.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.PO#560.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.PO#560.zip.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.PO#560.zip.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO#560.zip.exe
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00419D60 NtCreateFile, | 4_2_00419D60
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00419E10 NtReadFile, | 4_2_00419E10
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00419E90 NtClose, | 4_2_00419E90
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00419F40 NtAllocateVirtualMemory, | 4_2_00419F40
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00419E0B NtReadFile, | 4_2_00419E0B
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00419E8A NtClose, | 4_2_00419E8A
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00419F3A NtAllocateVirtualMemory, | 4_2_00419F3A
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A095D0 NtClose,LdrInitializeThunk, | 10_2_04A095D0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09540 NtReadFile,LdrInitializeThunk, | 10_2_04A09540
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A096E0 NtFreeVirtualMemory,LdrInitializeThunk, | 10_2_04A096E0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A096D0 NtCreateKey,LdrInitializeThunk, | 10_2_04A096D0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09660 NtAllocateVirtualMemory,LdrInitializeThunk, | 10_2_04A09660
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09650 NtQueryValueKey,LdrInitializeThunk, | 10_2_04A09650
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09780 NtMapViewOfSection,LdrInitializeThunk, | 10_2_04A09780
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09FE0 NtCreateMutant,LdrInitializeThunk, | 10_2_04A09FE0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09710 NtQueryInformationToken,LdrInitializeThunk, | 10_2_04A09710
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09860 NtQuerySystemInformation,LdrInitializeThunk, | 10_2_04A09860
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09840 NtDelayExecution,LdrInitializeThunk, | 10_2_04A09840
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A099A0 NtCreateSection,LdrInitializeThunk, | 10_2_04A099A0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 10_2_04A09910
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09A50 NtCreateFile,LdrInitializeThunk, | 10_2_04A09A50
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A095F0 NtQueryInformationFile, | 10_2_04A095F0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09520 NtWaitForSingleObject, | 10_2_04A09520
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A0AD30 NtSetContextThread, | 10_2_04A0AD30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09560 NtWriteFile, | 10_2_04A09560
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09610 NtEnumerateValueKey, | 10_2_04A09610
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09670 NtQueryInformationProcess, | 10_2_04A09670
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A097A0 NtUnmapViewOfSection, | 10_2_04A097A0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09730 NtQueryVirtualMemory, | 10_2_04A09730
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A0A710 NtOpenProcessToken, | 10_2_04A0A710
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09760 NtOpenProcess, | 10_2_04A09760
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A0A770 NtOpenThread, | 10_2_04A0A770
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09770 NtSetInformationFile, | 10_2_04A09770
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A098A0 NtWriteVirtualMemory, | 10_2_04A098A0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A098F0 NtReadVirtualMemory, | 10_2_04A098F0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09820 NtEnumerateKey, | 10_2_04A09820
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A0B040 NtSuspendThread, | 10_2_04A0B040
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A099D0 NtCreateProcessEx, | 10_2_04A099D0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09950 NtQueueApcThread, | 10_2_04A09950
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09A80 NtOpenDirectoryObject, | 10_2_04A09A80
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09A20 NtResumeThread, | 10_2_04A09A20
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09A00 NtProtectVirtualMemory, | 10_2_04A09A00
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09A10 NtQuerySection, | 10_2_04A09A10
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A0A3B0 NtGetContextThread, | 10_2_04A0A3B0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A09B00 NtSetValueKey, | 10_2_04A09B00
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008C9D60 NtCreateFile, | 10_2_008C9D60
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008C9E90 NtClose, | 10_2_008C9E90
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008C9E10 NtReadFile, | 10_2_008C9E10
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008C9F40 NtAllocateVirtualMemory, | 10_2_008C9F40
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008C9E8A NtClose, | 10_2_008C9E8A
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008C9E0B NtReadFile, | 10_2_008C9E0B
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008C9F3A NtAllocateVirtualMemory, | 10_2_008C9F3A
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_017AC204 | 0_2_017AC204
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_017AE630 | 0_2_017AE630
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_017AE620 | 0_2_017AE620
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE0B20 | 0_2_02FE0B20
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE1EC8 | 0_2_02FE1EC8
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE46B0 | 0_2_02FE46B0
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE4F70 | 0_2_02FE4F70
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE7CF5 | 0_2_02FE7CF5
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE4C78 | 0_2_02FE4C78
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE0A98 | 0_2_02FE0A98
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE23C8 | 0_2_02FE23C8
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE0040 | 0_2_02FE0040
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE0007 | 0_2_02FE0007
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE4958 | 0_2_02FE4958
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE494B | 0_2_02FE494B
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE1EB8 | 0_2_02FE1EB8
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE46A1 | 0_2_02FE46A1
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE6E98 | 0_2_02FE6E98
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE6E88 | 0_2_02FE6E88
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE0FE8 | 0_2_02FE0FE8
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE0FD8 | 0_2_02FE0FD8
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE4F60 | 0_2_02FE4F60
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE4C69 | 0_2_02FE4C69
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE15E8 | 0_2_02FE15E8
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE15A8 | 0_2_02FE15A8
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE6510 | 0_2_02FE6510
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE6500 | 0_2_02FE6500
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_0041E841 | 4_2_0041E841
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_0041D018 | 4_2_0041D018
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00401030 | 4_2_00401030
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_0041E1FC | 4_2_0041E1FC
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00402D87 | 4_2_00402D87
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00402D90 | 4_2_00402D90
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00409E40 | 4_2_00409E40
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00409E3B | 4_2_00409E3B
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_0041E7E7 | 4_2_0041E7E7
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_00402FB0 | 4_2_00402FB0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049D841F | 10_2_049D841F
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A8D466 | 10_2_04A8D466
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049F2581 | 10_2_049F2581
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A925DD | 10_2_04A925DD
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049DD5E0 | 10_2_049DD5E0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A92D07 | 10_2_04A92D07
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049C0D20 | 10_2_049C0D20
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A91D55 | 10_2_04A91D55
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A92EF7 | 10_2_04A92EF7
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049E6E30 | 10_2_049E6E30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A8D616 | 10_2_04A8D616
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A91FF1 | 10_2_04A91FF1
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A9DFCE | 10_2_04A9DFCE
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A920A8 | 10_2_04A920A8
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049DB090 | 10_2_049DB090
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049F20A0 | 10_2_049F20A0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A928EC | 10_2_04A928EC
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A9E824 | 10_2_04A9E824
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A81002 | 10_2_04A81002
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049CF900 | 10_2_049CF900
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049E4120 | 10_2_049E4120
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A922AE | 10_2_04A922AE
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A7FA2B | 10_2_04A7FA2B
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_049FEBB0 | 10_2_049FEBB0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A803DA | 10_2_04A803DA
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A8DBD2 | 10_2_04A8DBD2
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A92B28 | 10_2_04A92B28
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008CE1FC | 10_2_008CE1FC
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008B2D87 | 10_2_008B2D87
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008B2D90 | 10_2_008B2D90
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008B9E3B | 10_2_008B9E3B
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008B9E40 | 10_2_008B9E40
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008B2FB0 | 10_2_008B2FB0
Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 049CB150 appears 45 times
Source: PO#560.zip.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#560.zip.exe, 00000000.00000002.233441652.0000000000E18000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameW vs PO#560.zip.exe
Source: PO#560.zip.exe, 00000000.00000002.236012959.000000000473C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PO#560.zip.exe
Source: PO#560.zip.exe, 00000000.00000002.247662573.0000000007850000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PO#560.zip.exe
Source: PO#560.zip.exe, 00000000.00000002.234946752.0000000003231000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMetroFramework.dll> vs PO#560.zip.exe
Source: PO#560.zip.exe, 00000000.00000002.233962937.0000000001540000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PO#560.zip.exe
Source: PO#560.zip.exe, 00000004.00000002.279505547.00000000014C9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamesystray.exej% vs PO#560.zip.exe
Source: PO#560.zip.exe, 00000004.00000000.232128127.0000000000D58000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameW vs PO#560.zip.exe
Source: PO#560.zip.exe, 00000004.00000002.279978802.000000000188F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO#560.zip.exe
Source: PO#560.zip.exe | Binary or memory string: OriginalFilenameW vs PO#560.zip.exe
Source: PO#560.zip.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.479474418.0000000000B60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.479196744.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.479196744.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.279265822.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.279265822.0000000001420000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.478037976.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.478037976.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.235177972.0000000004239000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.235177972.0000000004239000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.278875737.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.278875737.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.279183925.00000000012E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.279183925.00000000012E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.PO#560.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.PO#560.zip.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.PO#560.zip.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.PO#560.zip.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: PO#560.zip.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@4/3
Source: C:\Users\user\Desktop\PO#560.zip.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#560.zip.exe.log
Source: C:\Users\user\Desktop\PO#560.zip.exe | Mutant created: \Sessions\1\BaseNamedObjects\GxiiSkAr
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3564:120:WilError_01
Source: PO#560.zip.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PO#560.zip.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PO#560.zip.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PO#560.zip.exe | Virustotal: Detection: 32%
Source: PO#560.zip.exe | ReversingLabs: Detection: 41%
Source: unknown | Process created: C:\Users\user\Desktop\PO#560.zip.exe 'C:\Users\user\Desktop\PO#560.zip.exe'
Source: C:\Users\user\Desktop\PO#560.zip.exe | Process created: C:\Users\user\Desktop\PO#560.zip.exe {path}
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO#560.zip.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO#560.zip.exe | Process created: C:\Users\user\Desktop\PO#560.zip.exe {path}
Source: C:\Windows\SysWOW64\systray.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO#560.zip.exe'
Source: C:\Users\user\Desktop\PO#560.zip.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PO#560.zip.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO#560.zip.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb | source: PO#560.zip.exe, 00000004.00000002.279505547.00000000014C9000.00000004.00000020.sdmp
Source: Binary string: systray.pdbGCTL | source: PO#560.zip.exe, 00000004.00000002.279505547.00000000014C9000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO#560.zip.exe, 00000004.00000002.279978802.000000000188F000.00000040.00000001.sdmp, systray.exe, 0000000A.00000002.482167165.0000000004ABF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PO#560.zip.exe, 00000004.00000002.279978802.000000000188F000.00000040.00000001.sdmp, systray.exe

          Data Obfuscation:

.NET source code contains method to dynamically call methods (often used by packers)
Source: PO#560.zip.exe, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.2.PO#560.zip.exe.d60000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 0.0.PO#560.zip.exe.d60000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 4.0.PO#560.zip.exe.ca0000.0.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: 4.2.PO#560.zip.exe.ca0000.1.unpack, ImageManager/Main.cs | .Net Code: LateBinding.LateCall(V_6, null, "Invoke", new object[] { 0, V_0 }, null, null)
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FEAEE5 push FFFFFF8Bh; iretd | 0_2_02FEAEE7
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE3FCA push dword ptr [esi]; iretd | 0_2_02FE3FD2
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 0_2_02FE3FC3 push 36FFFFFFh; iretd | 0_2_02FE3FC8
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_004170A0 pushfd ; retf | 4_2_004170A6
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_0041CEB5 push eax; ret | 4_2_0041CF08
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_0041CF6C push eax; ret | 4_2_0041CF72
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_0041CF02 push eax; ret | 4_2_0041CF08
Source: C:\Users\user\Desktop\PO#560.zip.exe | Code function: 4_2_0041CF0B push eax; ret | 4_2_0041CF72
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_04A1D0D1 push ecx; ret | 10_2_04A1D0E4
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008C70A0 pushfd ; retf | 10_2_008C70A6
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008CCEB5 push eax; ret | 10_2_008CCF08
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008CCF0B push eax; ret | 10_2_008CCF72
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008CCF02 push eax; ret | 10_2_008CCF08
Source: C:\Windows\SysWOW64\systray.exe | Code function: 10_2_008CCF6C push eax; ret | 10_2_008CCF72
Source: initial sample | Static PE information: section name: .text entropy: 7.89802258187

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xEE
Uses an obfuscated file name to hide its real file extension (double extension)
Source: Possible double extension: zip.exe | Static PE information: PO#560.zip.exe
Source: C:\Users\user\Desktop\PO#560.zip.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO#560.zip.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO#560.zip.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO#560.zip.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO#560.zip.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO#560.zip.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\PO#560.zip.exe | Process information set: NOOPENFILEERRORBOX
          S