Analysis Report SecuriteInfo.com.Trojan.Packed2.43183.29557.7257

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Packed2.43183.29557.7257 (renamed file extension from 7257 to exe)
Analysis ID: 432683
MD5: 4e9095ceadd56bc68a99947ab929f691
SHA1: bce676ea49fb6709dc0e9a23df2e918e05b4074b
SHA256: 1fe427cfa805bbabdc371ae3f6ccea4088ca76e8b9fce9828a74885d72339020
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • SecuriteInfo.com.Trojan.Packed2.43183.29557.exe (PID: 6916 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe' MD5: 4E9095CEADD56BC68A99947AB929F691)
    • AddInProcess32.exe (PID: 6200 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 2108 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 4812 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.roamallday.com/sadn/"], "decoy": ["blessonschool.com", "lydialondon.com", "evln.xyz", "mychallengeiam.com", "stealthshop.net", "amybrownwhiteconsulting.info", "pakistanwholesaler.com", "authenticcase.com", "timothymaina.com", "kiem-etre.com", "thslot39.com", "tripprivee.com", "timeforbusinessblog.xyz", "afgecouncil100.com", "automotivesupplierdc.com", "thebigfoottheory.com", "resocoin.com", "healthepartner.com", "kkrazzybazar.com", "stgwxq.com", "tech4thelolo.com", "smshare2u.com", "mow-it-now.com", "seemymiamihome.com", "urbanadultstore.com", "tmvh8.com", "livelifelocalpublications.com", "blaxies3.com", "hotlab.info", "axmpjbwqh.icu", "lileshop.com", "genariofficial.com", "vibeofthetribe.com", "tldyyl.com", "dapurbuageung.com", "murrayburngundogs.com", "hertsandlondonknee.com", "mcfarline.com", "chicskr.com", "producepatties.com", "026lw.com", "humblehomeus.com", "accukoopje.com", "tantnewsgarre.website", "okettnet.net", "mattwilborne.info", "granthamrobotics.com", "theinfluenceprogram.net", "pointmortgageservicing.com", "garantiservice.com", "bossesbuildbusinesscredit.com", "oselsoft.xyz", "lareleverh.com", "mirzaissa-realtor.com", "tourneyphotos.com", "handpickednurse.com", "guiaconservador.com", "theliftquotient.com", "linkalto.com", "cosmoandcocrafts.com", "wzcp09.com", "mclpay.com", "jobjiihnb.club", "sudesheranga.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8190:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x851a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1422d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13d19:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1432f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x144a7:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x8f32:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12f94:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9caa:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1931f:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a3c2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x16251:$sqlite3step: 68 34 1C 7B E1
  • 0x16364:$sqlite3step: 68 34 1C 7B E1
  • 0x16280:$sqlite3text: 68 38 2A 90 C5
  • 0x163a5:$sqlite3text: 68 38 2A 90 C5
  • 0x16293:$sqlite3blob: 68 53 D8 7F 8C
  • 0x163bb:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(22 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author
11.0.AddInProcess32.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
11.0.AddInProcess32.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.0.AddInProcess32.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  Strings:
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
11.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
11.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 further unpacked-PE entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.roamallday.com/sadn/"], "decoy": ["blessonschool.com", "lydialondon.com", "evln.xyz", "mychallengeiam.com", "stealthshop.net", "amybrownwhiteconsulting.info", "pakistanwholesaler.com", "authenticcase.com", "timothymaina.com", "kiem-etre.com", "thslot39.com", "tripprivee.com", "timeforbusinessblog.xyz", "afgecouncil100.com", "automotivesupplierdc.com", "thebigfoottheory.com", "resocoin.com", "healthepartner.com", "kkrazzybazar.com", "stgwxq.com", "tech4thelolo.com", "smshare2u.com", "mow-it-now.com", "seemymiamihome.com", "urbanadultstore.com", "tmvh8.com", "livelifelocalpublications.com", "blaxies3.com", "hotlab.info", "axmpjbwqh.icu", "lileshop.com", "genariofficial.com", "vibeofthetribe.com", "tldyyl.com", "dapurbuageung.com", "murrayburngundogs.com", "hertsandlondonknee.com", "mcfarline.com", "chicskr.com", "producepatties.com", "026lw.com", "humblehomeus.com", "accukoopje.com", "tantnewsgarre.website", "okettnet.net", "mattwilborne.info", "granthamrobotics.com", "theinfluenceprogram.net", "pointmortgageservicing.com", "garantiservice.com", "bossesbuildbusinesscredit.com", "oselsoft.xyz", "lareleverh.com", "mirzaissa-realtor.com", "tourneyphotos.com", "handpickednurse.com", "guiaconservador.com", "theliftquotient.com", "linkalto.com", "cosmoandcocrafts.com", "wzcp09.com", "mclpay.com", "jobjiihnb.club", "sudesheranga.com"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Virustotal: Detection: 33%
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Joe Sandbox ML: detected
Source: 11.0.AddInProcess32.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: systray.pdb source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: systray.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, systray.exe, 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe
Source: Binary string: AddInProcess32.pdbpw source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000000.725190319.0000000000CD2000.00000002.00020000.sdmp, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.roamallday.com/sadn/
Source: global traffic | HTTP traffic detected: GET /sadn/?5jDxn=9rYPWNexEp&9r8=cvOZMLUYKOYUB2MIVs3brF1aeCykDgyLTnisf2vSTBUNQvDIkJgvRwpKMlOnwLgVr/YP HTTP/1.1 | Host: www.granthamrobotics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sadn/?9r8=DXfJxxxI+/4CaoDoAzC1V5G6SJQKNuW4mru3KXZlF9SJY6Uq4c9wctugrHKIzz2k7BKt&5jDxn=9rYPWNexEp HTTP/1.1 | Host: www.mclpay.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 13.59.53.244 13.59.53.244
Source: unknown | DNS traffic detected: queries for: www.granthamrobotics.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 10 Jun 2021 14:59:57 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.730902594.0000000006A83000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652412615.0000000006A7E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.ado/1P
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.730902594.0000000006A83000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652412615.0000000006A7E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/gP
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.730902594.0000000006A83000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobj
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652412615.0000000006A7E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cobjP
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.652216791.0000000006A7E000.00000004.00000001.sdmp | String found in binary or memory: http://ns.d
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731660422.0000000002780000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/WebPage
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731639609.0000000002751000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000C.00000000.736993153.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000C.00000000.754561733.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731639609.0000000002751000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731639609.0000000002751000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, j2DC/Rb6y.cs | Large array initialization: .cctor: array initializer size 3852
Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, j2DC/Rb6y.cs | Large array initialization: .cctor: array initializer size 3852
Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, j2DC/Rb6y.cs | Large array initialization: .cctor: array initializer size 3852
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_004181B0 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00418260 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_004182E0 NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_00418390 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_004181AA NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_0041825A NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_004182E2 NtClose,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F98F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 11_2_017F9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F95D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F97A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9950 NtQueueApcThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F99D0 NtCreateProcessEx,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FB040 NtSuspendThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9820 NtEnumerateKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F98A0 NtWriteVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9B00 NtSetValueKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FA3B0 NtGetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9A10 NtQuerySection,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9A80 NtOpenDirectoryObject,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9560 NtWriteFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FAD30 NtSetContextThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9520 NtWaitForSingleObject,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F95F0 NtQueryInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FA770 NtOpenThread,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9770 NtSetInformationFile,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9760 NtOpenProcess,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9730 NtQueryVirtualMemory,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017FA710 NtOpenProcessToken,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9670 NtQueryInformationProcess,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9650 NtQueryValueKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F9610 NtEnumerateValueKey,
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017F96D0 NtCreateKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045B9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045BA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD82E0 NtClose,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD8260 NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD8390 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD81B0 NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD82E2 NtClose,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD825A NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD81AA NtCreateFile,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_0662237C CreateProcessAsUserW,
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_06621B18
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_06620040
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_066148A2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_066163AB
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_027280C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_0272C5C0
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_0272EE90
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_0272BB98
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_0272BDF0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041C06D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041C284
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041CB0D
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041CB10
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_00408C50
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041B573
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041C781
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_00402FB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_00CD2050
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017D4120
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017BF900
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018820A8
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DA830
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018828EC
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01871002
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0188E824
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E20A0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CB090
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017DAB40
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187DBD2
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018703DA
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01882B28
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017EEBB0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018822AE
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0186FA2B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_018825DD
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017B0D20
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01882D07
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017CD5E0
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01881D55
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017E2581
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017C841F
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187D466
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0188DFCE
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01881FF1
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_017D6E30
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_01882EF7
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0187D616
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0463D466
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0458841F
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_04641D55
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_04642D07
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_04570D20
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0458D5E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_046425DD
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045A2581
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_04596E30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0463D616
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_04642EF7
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_04641FF1
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0464DFCE
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0464E824
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_04631002
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0459A830
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_046428EC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0458B090
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_046420A8
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045A20A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0457F900
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_04594120
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045999BF
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0462FA2B
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_046422AE
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0459AB40
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_04642B28
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_0463DBD2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_046303DA
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045AEBB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDCB0D
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDCB10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDC781
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CC2FB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CC8C50
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CC2D90
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDB573
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: String function: 017BB150 appears 54 times
          Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 0457B150 appears 69 times
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeBinary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731064405.00000000003A2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameStudent.exe0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.731731070.0000000002801000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPe6.dll" vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.737040753.0000000003758000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSHCore1.dll0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAddInProcess32.exeT vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740459563.00000000062B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000002.740075320.0000000005770000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeBinary or memory string: OriginalFilenameStudent.exe0 vs SecuriteInfo.com.Trojan.Packed2.43183.29557.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.737256043.00000000037CC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.803111095.0000000001290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.801838633.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.801642119.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.900861159.0000000002CC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.725117231.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.737458183.0000000003817000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.738166081.00000000038E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.900522638.0000000000330000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.AddInProcess32.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 11.0.AddInProcess32.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/2@3/2
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.log
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_01
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeVirustotal: Detection: 33%
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeReversingLabs: Detection: 36%
          Source: unknownProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exe'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeProcess created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: systray.pdb source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: systray.pdbGCTL source: AddInProcess32.exe, 0000000B.00000002.803736776.0000000001359000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 0000000B.00000002.804000123.0000000001790000.00000040.00000001.sdmp, systray.exe, 00000011.00000002.901215283.000000000466F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, systray.exe
          Source: Binary string: AddInProcess32.pdbpw source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, 00000001.00000003.722611270.0000000006220000.00000004.00000001.sdmp, AddInProcess32.exe, 0000000B.00000000.725190319.0000000000CD2000.00000002.00020000.sdmp, systray.exe, 00000011.00000002.900574783.0000000000423000.00000004.00000020.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.748974641.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A3F39 pushfd ; ret
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A3D29 push esp; ret
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A2320 push 450963C2h; retf
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A3111 push 0000001Bh; iretd
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A230E push 450963C2h; retf
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A22B4 push ecx; retf
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_003A3AD7 push esi; iretd
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_06610A2A push ds; ret
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_06614F63 push es; iretd
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeCode function: 1_2_066105E6 pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041B3F2 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041B3FB push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041B3A5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041B45C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0041C4CB push es; iretd
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_00415E0D push ecx; iretd
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeCode function: 11_2_0180D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_045CD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDB3FB push eax; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDB3F2 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDB3A5 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CC000A push edx; ret
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CD5E0D push ecx; iretd
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDC4CB push es; iretd
          Source: C:\Windows\SysWOW64\systray.exeCode function: 17_2_02CDB45C push eax; ret
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Fs7/k3S.csHigh entropy of concatenated method names: '.ctor', 'Rc8', 'Pp8', 'g2Z', 'w2Z', 'Cg3', 'e8H', 'Xn9', 'Fx2', 'Yy2'
          Source: SecuriteInfo.com.Trojan.Packed2.43183.29557.exe, Lk46/Tn40.csHigh entropy of concatenated method names: '.ctor', 'p2EP', 'Kx1s', 'Ab5a', 'Xf51', 'z6MZ', 'Yf2j', 'd0SN', 'Zd3y', 'z3C9'
          Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Fs7/k3S.csHigh entropy of concatenated method names: '.ctor', 'Rc8', 'Pp8', 'g2Z', 'w2Z', 'Cg3', 'e8H', 'Xn9', 'Fx2', 'Yy2'
          Source: 1.0.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Lk46/Tn40.csHigh entropy of concatenated method names: '.ctor', 'p2EP', 'Kx1s', 'Ab5a', 'Xf51', 'z6MZ', 'Yf2j', 'd0SN', 'Zd3y', 'z3C9'
          Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Fs7/k3S.csHigh entropy of concatenated method names: '.ctor', 'Rc8', 'Pp8', 'g2Z', 'w2Z', 'Cg3', 'e8H', 'Xn9', 'Fx2', 'Yy2'
          Source: 1.2.SecuriteInfo.com.Trojan.Packed2.43183.29557.exe.3a0000.0.unpack, Lk46/Tn40.csHigh entropy of concatenated method names: '.ctor', 'p2EP', 'Kx1s', 'Ab5a', 'Xf51', 'z6MZ', 'Yf2j', 'd0SN', 'Zd3y', 'z3C9'
          Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.43183.29557.exeFile created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exeJump to dropped file

          Hooking and other Techniques for Hiding and Protection:
