Windows Analysis Report PO07262021.exe

Overview

General Information

Sample Name:	PO07262021.exe
Analysis ID:	458795
MD5:	47a679ec6799a5a2c9212de73d404a83
SHA1:	d21c87a07b4701ddf3206aeb534d010dd928116b
SHA256:	c2e765b8a42432e042da5c444bdba20b8021bd5e1b022693978b6540fdbddec7
Tags:	exeFormbook
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected FormBook

.NET source code contains very large strings

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a process as a different user

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.cryptoinhindi.online/nmks/"], "decoy": ["sunaoto.net", "uddeshyaheen.com", "memesyndicste.com", "wellnessbytanyabawa.com", "winabeel.com", "santabirria.com", "whatmattersindia.com", "3rdimultimedia.com", "koukismile.com", "hellobabymoccs.com", "marziehmakeup.com", "faiyou.com", "redbarnprovisions.com", "odmgl.com", "usevino.xyz", "csyczp.com", "gutfeelings.club", "coscos.xyz", "moodoo.icu", "thedarktechnician.com", "weebwrld.com", "wilsonmantels.com", "biodrains.com", "banqutstaff.com", "solomonislandsforum.com", "yolo-wear.com", "everylastdropinc.com", "dayblindstarstrategies.com", "freelancersarabia.com", "bellasnicolejewelrymd.com", "oscarh.net", "actevate.xyz", "apa168.com", "paintonpurposeofficial.com", "hrvatskepraviceblog.com", "tednme.com", "truverity.study", "militarynotary.com", "advancedhorticulture.com", "bookmyfreelancer.online", "nieght.com", "yabancidiziozetleri.net", "bkoclchain.com", "ahwaday.com", "yandex-deliverry.online", "electronichaven.today", "islamidesign.com", "lagerungen.com", "uneducatedbyamerica.com", "78500605.xyz", "taichiforwellbeingonline.com", "philipsima.com", "ezljdah.com", "auserconsulting.com", "finrowacademy.com", "securitybyicon.com", "craveroots.com", "ppneumatic.com", "neiretec.com", "amazonemea.xyz", "3dpraclabs-virtual-physics.com", "fitnesstrainingco.com", "brsconsortuimltd.com", "rapiddist.com"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: PO07262021.exe	Virustotal: Detection: 58%			Perma Link
Source: PO07262021.exe	ReversingLabs: Detection: 73%

Yara detected FormBook

Source: Yara match	File source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: PO07262021.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 7.2.PO07262021.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files

Source: PO07262021.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: PO07262021.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
Source:	Binary string: cmd.pdbUGP source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000000.765256590.00000000011D0000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe
Source:	Binary string: cmd.pdb source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe
Source:	Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011F31DC FindFirstFileW,FindNextFileW,FindClose,	15_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	15_2_011D85EA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	15_2_011E245C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	15_2_011DB89C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	15_2_011E68BA

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\PO07262021.exe

Code function: 4x nop then pop ebx

7_2_00407AFE

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.cryptoinhindi.online/nmks/

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p HTTP/1.1Host: www.winabeel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

Source: unknown

DNS traffic detected: queries for: www.winabeel.com

Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: PO07262021.exe	String found in binary or memory: http://i.imgur.com/blkrqBo.gif
Source: explorer.exe, 00000009.00000000.735427722.0000000002B50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO07262021.exe, 00000000.00000003.647203244.000000000116D000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cnD
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO07262021.exe	String found in binary or memory: https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f

E-Banking Fraud:

Yara detected FormBook

Source: Yara match	File source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large strings

Source: PO07262021.exe, Lens.cs

Long String: Length: 10292

Contains functionality to call native functions

Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00419D60 NtCreateFile,	7_2_00419D60
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00419E10 NtReadFile,	7_2_00419E10
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00419E90 NtClose,	7_2_00419E90
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00419F40 NtAllocateVirtualMemory,	7_2_00419F40
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00419E8B NtClose,	7_2_00419E8B
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00419F3D NtAllocateVirtualMemory,	7_2_00419F3D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011F6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	15_2_011F6D90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011FB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	15_2_011FB5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose,	15_2_011DB42E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	15_2_011D84BE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	15_2_011D58A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011DB4C0 NtQueryInformationToken,	15_2_011DB4C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011DB4F8 NtQueryInformationToken,NtQueryInformationToken,	15_2_011DB4F8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	15_2_011D83F2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011F9AB4 NtSetInformationFile,	15_2_011F9AB4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9780 NtMapViewOfSection,LdrInitializeThunk,	15_2_03AA9780
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9FE0 NtCreateMutant,LdrInitializeThunk,	15_2_03AA9FE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9710 NtQueryInformationToken,LdrInitializeThunk,	15_2_03AA9710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,	15_2_03AA96E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA96D0 NtCreateKey,LdrInitializeThunk,	15_2_03AA96D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9A50 NtCreateFile,LdrInitializeThunk,	15_2_03AA9A50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA99A0 NtCreateSection,LdrInitializeThunk,	15_2_03AA99A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA95D0 NtClose,LdrInitializeThunk,	15_2_03AA95D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	15_2_03AA9910
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9540 NtReadFile,LdrInitializeThunk,	15_2_03AA9540
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9860 NtQuerySystemInformation,LdrInitializeThunk,	15_2_03AA9860
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9840 NtDelayExecution,LdrInitializeThunk,	15_2_03AA9840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA97A0 NtUnmapViewOfSection,	15_2_03AA97A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AAA3B0 NtGetContextThread,	15_2_03AAA3B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9730 NtQueryVirtualMemory,	15_2_03AA9730
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9B00 NtSetValueKey,	15_2_03AA9B00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AAA710 NtOpenProcessToken,	15_2_03AAA710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9760 NtOpenProcess,	15_2_03AA9760
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9770 NtSetInformationFile,	15_2_03AA9770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AAA770 NtOpenThread,	15_2_03AAA770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9A80 NtOpenDirectoryObject,	15_2_03AA9A80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9A20 NtResumeThread,	15_2_03AA9A20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9A00 NtProtectVirtualMemory,	15_2_03AA9A00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9610 NtEnumerateValueKey,	15_2_03AA9610
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9A10 NtQuerySection,	15_2_03AA9A10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9660 NtAllocateVirtualMemory,	15_2_03AA9660
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9670 NtQueryInformationProcess,	15_2_03AA9670
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9650 NtQueryValueKey,	15_2_03AA9650
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA95F0 NtQueryInformationFile,	15_2_03AA95F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA99D0 NtCreateProcessEx,	15_2_03AA99D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9520 NtWaitForSingleObject,	15_2_03AA9520
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AAAD30 NtSetContextThread,	15_2_03AAAD30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9560 NtWriteFile,	15_2_03AA9560
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9950 NtQueueApcThread,	15_2_03AA9950
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA98A0 NtWriteVirtualMemory,	15_2_03AA98A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA98F0 NtReadVirtualMemory,	15_2_03AA98F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03AA9820 NtEnumerateKey,	15_2_03AA9820

Contains functionality to communicate with device drivers

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 15_2_011E6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

15_2_011E6550

Contains functionality to launch a process as a different user

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 15_2_011E374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,

15_2_011E374E

Detected potential crypto function

Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00401026	7_2_00401026
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00401030	7_2_00401030
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041D9D8	7_2_0041D9D8
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041D1AB	7_2_0041D1AB
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041D3C4	7_2_0041D3C4
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041E5F4	7_2_0041E5F4
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00402D90	7_2_00402D90
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00409E40	7_2_00409E40
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00409E3C	7_2_00409E3C
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041DFE0	7_2_0041DFE0
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041DFEC	7_2_0041DFEC
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00402FB0	7_2_00402FB0
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_006A6507	7_2_006A6507
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011F3506	15_2_011F3506
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011E6550	15_2_011E6550
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011E1969	15_2_011E1969
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D7190	15_2_011D7190
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011F31DC	15_2_011F31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011DD803	15_2_011DD803
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011DE040	15_2_011DE040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D9CF0	15_2_011D9CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011F5CEA	15_2_011F5CEA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D48E6	15_2_011D48E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011DCB48	15_2_011DCB48
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011E5FC8	15_2_011E5FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011F6FF0	15_2_011F6FF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011DFA30	15_2_011DFA30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D5226	15_2_011D5226
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D5E70	15_2_011D5E70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011D8AD7	15_2_011D8AD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03A9EBB0	15_2_03A9EBB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03A86E30	15_2_03A86E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03A92581	15_2_03A92581
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03A7D5E0	15_2_03A7D5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03A60D20	15_2_03A60D20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03A84120	15_2_03A84120
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03A6F900	15_2_03A6F900
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03B31D55	15_2_03B31D55
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03A920A0	15_2_03A920A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03A7B090	15_2_03A7B090

Sample file is different than original file name gathered from version info

Source: PO07262021.exe, 00000000.00000000.642212993.00000000006D2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe
Source: PO07262021.exe, 00000007.00000002.768168332.000000000143F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs PO07262021.exe
Source: PO07262021.exe, 00000007.00000002.766354813.0000000000792000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe
Source: PO07262021.exe, 00000007.00000002.768464422.000000000152D000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs PO07262021.exe
Source: PO07262021.exe	Binary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe

Uses 32bit PE files

Source: PO07262021.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: PO07262021.exe, Shelf_itemm.cs	Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAKRJREFUeNpi/P//P8NgBkwMgxyMOnDUgaMOHHXgqANHHTjqwAEGoNYMMgYCeyA+CZIiAm8HYhWaugeLA58T6TgY3ohk/l4S9aLjvejuwRbFEiR6WhGJ/YvCAMTQz0LlFOM5mospBBSnQVo7cDQNjqZBaqTBpyQ66hEt0yC2msSDhNrkEhBr0bKqYxwdWRh14KgDRx046sBRB446cNSBQ9qBAAEGAPhFqjdpHPl0AAAAAElFTkSuQmCC'
Source: PO07262021.exe, Lens.cs	Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAAN8AAADHCAYAAACZfIbaAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAB27SURBVHhe7ZyHW5TXtofvP3Gfe+95To4tsQIWVER6b0rv0qUjiF3sBWwgauw5KYoxURMr9koQ0VhQI2rsCIiKgA1bUH937T0zgIbkOPrpR1nz5H0Y1Azz7b3evdba+2P+q4/dEDAM8+lh+RhGJVg+hlEJlo9hVILlYxiVYPkYRiVYPoZRCZaPYVSC5WMYlWD5GEYlWD6GUQmWj2FUguVjGJVg+RhGJVg+hlEJlo9hVILlYxiVYPkYRiVYPoZRCZaPYVSC5WMYlWD5GEYlWD6GUQmWj2FUguVjGJVg+RhGJVg+hlEJlo9hVILlYxiVYPkYRiVYPoZRCZaPYVSC5WMYlWD5GEYlWD6GUYlmIl8wejdB0/+WYRoj4kRDQ9y0jNhpBvJpB8026E10f84w70Tj2GmIn6ZjrnmgunxykGjAetkGvgULyLwLGtk0MRPwp9hpKuaaCyrKpxkcY7sQ9LUPR3+HKAx0SoKVyyjYuU2E4+BpcHbPgKvHnEbMZRgtFA/us+HiPgtOg2fA3m0SrF3GwNwpBSYOsTC2D2si5poXKsmnXbFolepLgzTAMQZmzsPgMGgKPLwWItBvFUIC1iMyaBuih+widiNGsodhtOzG0OCdiArejvDAjQjwXQVPzyVwHpQBK+dR6G8fJRd2EW/NNQuqJ5+szwNlxrNwTqFsNwFe3otpIH9GUthhjIg8jfHRlzEptpQow+TYcoZpRBkmxpQgLfoaRkeeR2LIYUQEbIOv1zdwcpuJgY6J6GcfQQKGkngaAZuORfVQQT4xCCGyLBCDY+06BoM9sxDkn0MZbgeGRxxDWswlTI4rwfT4O0hPrNZSwzBvMDOxCjMSKjE1rhzjh17CiIgixA3ZjyDfNXAbPA+2LmkkYZKMt962zS/7fWL5RMYTfV6ozHimjvGybg+lEnN4xAmMi76IqfHlmJV0H3OGPcK85CfITHkmyUp5zjD1ZEpEbDzF3ORaGTMzScS06CtIoiwY4rcB7h6LYOMynuItTCMf0XRcqsMnlE9z8aLc7EsZb6BTgtxc8fVZSWVmPmW5SmQkPiThniE75SXmp7xAVvJTZA6rxbxhjxnmT4jYyKQYyUp+TvFSR3HzCrOTHiNt6DUMCzmKYN91VIJmoK9dJMUdlZ6EpvJ6OzbV4ZPJJ5teeaQQABOHaCo3x8odq7DADRgVdZoG7RFmJz6WzIp/iKlDyzA+7DxGBh/HyKBjGBFYiNTAI4T4yrRdRAwcwYigQowecgrjQs9hYsRVzIitxNykZ5iT9BRTY+9gbNQVxATtg4f7lzC1T0Rf2wj0sRXlZ6CMw+Yg4SeVT5zB9LTxl+Wm2B728/0a8aH7MTH2KpUSf2BO4hOkx93HlKgKku0Uot1zEey0GkGO3yDQYSUC7FdoEc+Ztog/zb+//XIEUDyEuqxF1OAtSPTJo4X6EjJo0Z6b9AIZCbWYFleD4WFF8PdaBUuHUTCxjYGxbRh6UfyJONQI2HSsfio+oXyarGdk4wszp2EY5JlFWe9nucEyjfq8hakg+R5TxruDMSG/k3g74WOzFE4DJsPBZALs+4+FXb/RxBhCPGfaJmL+R8t4cDWbCU+rhbRAr0Wy/1FMi75Lme8FQQs5MTbqMkJ818PGMQ2mtvEwtgmDkbWvTAAiAzYVp58SVeQzd06Bh9cieUYzMqoIMxJvY9GI17RyVSEt7DKSfAsQ6PidlM7UMBIDDCOIcImJAdM2ETEQARMRA4Zh8rl5rwRY9x2JQeZzMJSqpIkRNzAr4QmJ95x6wjrq/a4izO9n2DtNIvkSYGwdCgNLTxhZ+VAGDCABRempXvmpinwWzqnw9l6GuJD9GDu0GBlJlfiS5JsRc4t6vJOIpFJisMUcOcDdOzqiRycnGHRygcHnBH3twbQ5NPPvqokBLT07e6B3V19Y9k5CkNN3VDFRLMU/oNLzKeanvMSkmOuI9N8MR6epGGibiD5WIehuNhgGFl7oae0nS081d0A/sXz+Uj5LlxHw8VmBhNA8jIu+gFlJ9/DlyNeYHl2K4QFHEOr6I5xNp8C4qx+++JcZOrezQJf21ujawbaeboKOdkybQTPnXTvY1NO9oz2J6SSzoZ/dcowKPo106vXmJj1B9vBXmBJ7A1EBW+DkPB1mtknoYzkE3Qa6oYe5B4wsddlPPQGbmXw3G8k3Fcbd/NH5X0I8Kylc944O6PG5Iwy/cIZhZxcYET27MK0do87OMPjCSc59j04OUjohZI9OjpQRnWU7opNvZlz1G/INbSyfRTC6DXBB94Ga7Gdk5Yte1iSgjToCNiv5pkn5ChDi8oNWvkDKepb14hl87kwT4Yre3QajT3cPGPfwQF8DT6aV06e7O3p1HSTnXiy8BlJCIR61I1R+6uQbKeSLJfkSdfKVSPmcXXTyBaGriTO6m1L2M3OHoU5AG7H7+ekP4Zu1fH27C/ko67UXJYc9TcBgWPYfgkH2ifAdNBKBnmMR6jsBoX5a6HkI0yoQ8xnmPwHhhO+gVDhbx8CiXzD6G3lTr+dK8UBVUEfNXsAAA618QY3le/ln+cw18nUb4IoeIvuZeZKAPuhp5U8ZkAT8xBmwRcjXpR3V+O3taOB94OM2AqnxCzBt/CrMm74Oi+dtxZKsXCzOzMWX85jWgpjPpfNzsXxBLqaP/wbxERnwchkO24HhMhN2aScWZKqGRNmpt3xUepoOIgHdYWDuJQU0svT75CVoC5DPkrCm3s8G5n2DEBc+i2TbgU1rT2N/7lUc/+UuTh6uwvH8KhzLY1oLJ2g+i45U4cyxKprr45g7/UfEhM7EYIck9DP0xuf/tEbXdvaU/d5TvgFUeppS9hvoocmA5t4aAetL0KbjWElalHyi7BgWnYmvlxzArs2XUHiwAudP1uJ
Source: PO07262021.exe, NotifactionMSG.cs	Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACwAAAAsCAYAAAAehFoBAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAIJSURBVFhH7Zg9S8RAEED9KddoYWthoxxaKAqKCoocaiFYiApaCZbaXit2thb+Af+DpVhZeNzpiaIoWIjVei8YCMfsZj8SZDGBB0eymXmEzczkBu4nayomKuGyqYTLphIum/8l3JoeUu2lEfWwXlePWzOqu7uonvZXEvjNOa6xhrVSDFe8hFuzw6rTGFPd7Xn1dLBqBWu5h3ulmLY4C7eXR3vJ50QpG7iXGFJsG6yFW1ODqrNWFyV8IBYxpVwmrIQJ/LAxISYOgZiu0lbCRT7Zfogt5dSRK8x+kxIVicueNgrzRrtUgpeTPfV5dZnwdnosrpEgh231MApThqQEOpBMD6SlNTo6jXHRoR+tMIXe5elCiHB3Z8GquWiF6U5SYBMhwkBOySWLVpiWKgU1ESpMTskli1aYOUAKauL5aPNXV6n386a4xgQ5JZcsWuFkkBGC5pEeLlUihZySSxatcDJ1CUHzSA8fYXJKLlkKF/6+u02EpWu5hAj7bokQ4aAt4fPSwdfNtbdw0EvnU9aA9vzaPBSv5RFU1nwaB6JsCfi4OBPXmAhqHNG1Zohq+AHX8dKXwsZLiGqAT4nqEwmi+wgFAhf5pInlKgvWwinstyj+SMnCG00ZonZKUhKs5R7baqDDSziFQk93oqUyByQDE1NeD35zjmussWkKNgQJ/wWVcNlUwmUTmXBN/QCoe2Fr5J6flQAAAABJRU5ErkJggg==', 'iVBORw0KGgoAAAANSUhEUgAAACwAAAAsCAYAAAAehFoBAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAH/SURBVFhH7ZjPKwVRFMf9NTaUtbIhLC2IDXtra2t7ayUsJA8JsbCxsLGgR7yX915Kkli8nWyvPi+3NH3nx713Jk1m6lOvmTvnfJrunHPm9fWv102ZqISLphIumv8jPLh5a4a3783EXtNMHT6auZO2mT/t9OA357jGGtaqGD44Cw9t3ZnR3YaZOWqZhbNOJljLPdyrYrrgJDyy82CmHUSjcC8xVOysZBIe2Lg147WmlPCBWMRUudJIFSbw5H5+shZi+kinCuf5ZKMQW+VMIlGY/aYS5Ynrno4V5o12qQRLF8/moN3tsXL1KtcoyOFSPWKFKUMqQRxI2gNptSaOsVpDOiikMIXe5elCiPDscStzc5HCdCcVOIkQYSCncokihWmpKmgSocLkVC5RpDBzgAqaxOL504+uMas3b3JNEuRULlGkMMOLCpqGPVyqhIWcyiWKFGbiUkHTsIePMDmVS5RchZvdr56wupZGkLDvlggRDtoSPi8dXL9/egsHvXQ+ZQ1oz8uXL/JaGkFlzadxIMqWgLW7D7kmiaDGUbrWDKUafsB1vPQlt/ESSjXAW0r1iQSl+wgFAuf5pInlIwuZhC3st1L8kfIb3mjKELVTSSlYyz0u1SAOZ2ELhZ7uREtlDmB4YeICfnOOa6zJ2hSy4C38V1TCRVMJF00lXDQlE66bb+YGhyafMUw8AAAAAElFTkSuQmCC'
Source: PO07262021.exe, ThemeContainer.cs	Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAAAwAAAAMCAYAAABWdVznAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO
Source: PO07262021.exe, YouPLayer.cs	Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAAAwAAAAMCAYAAABWdVznAAAACXBIWXMAAAsTAAALEwEAmpwYAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQplcAYCEAcB0kThLCIAUAEB6jkKmAEBGAYCdmCZTAKAEAGDLY2LjAFAtAGAnf+bTAICd+Jl7AQBblCEVAaCRACATZYhEAGg7AKzPVopFAFgwABRmS8Q5ANgtADBJV2ZIALC3AMDOEAuyAAgMADBRiIUpAAR7AGDIIyN4AISZABRG8lc88SuuEOcqAAB4mbI8uSQ5RYFbCC1xB1dXLh4ozkkXKxQ2YQJhmkAuwnmZGTKBNA/g88wAAKCRFRHgg/P9eM4Ors7ONo62Dl8t6r8G/yJiYuP+5c+rcEAAAOF0ftH+LC+zGoA7BoBt/qIl7gRoXgugdfeLZrIPQLUAoOnaV/Nw+H48PEWhkLnZ2eXk5NhKxEJbYcpXff5nwl/AV/1s+X48/Pf14L7iJIEyXYFHBPjgwsz0TKUcz5IJhGLc5o9H/LcL//wd0yLESWK5WCoU41EScY5EmozzMqUiiUKSKcUl0v9k4t8s+wM+3zUAsGo+AXuRLahdYwP2SycQWHTA4vcAAPK7b8HUKAgDgGiD4c93/+8//UegJQCAZkmScQAAXkQkLlTKsz/HCAAARKCBKrBBG/TBGCzABhzBBdzBC/xgNoRCJMTCQhBCCmSAHHJgKayCQiiGzbAdKmAv1EAdNMBRaIaTcA4uwlW4Dj1wD/phCJ7BKLyBCQRByAgTYSHaiAFiilgjjggXmYX4IcFIBBKLJCDJiBRRIkuRNUgxUopUIFVIHfI9cgI5h1xGupE7yAAygvyGvEcxlIGyUT3UDLVDuag3GoRGogvQZHQxmo8WoJvQcrQaPYw2oefQq2gP2o8+Q8cwwOgYBzPEbDAuxsNCsTgsCZNjy7EirAyrxhqwVqwDu4n1Y8+xdwQSgUXACTYEd0IgYR5BSFhMWE7YSKggHCQ0EdoJNwkDhFHCJyKTqEu0JroR+cQYYjIxh1hILCPWEo8TLxB7iEPENyQSiUMyJ7mQAkmxpFTSEtJG0m5SI+ksqZs0SBojk8naZGuyBzmULCAryIXkneTD5DPkG+Qh8lsKnWJAcaT4U+IoUspqShnlEOU05QZlmDJBVaOaUt2ooVQRNY9aQq2htlKvUYeoEzR1mjnNgxZJS6WtopXTGmgXaPdpr+h0uhHdlR5Ol9BX0svpR+iX6AP0dwwNhhWDx4hnKBmbGAcYZxl3GK+YTKYZ04sZx1QwNzHrmOeZD5lvVVgqtip8FZHKCpVKlSaVGyovVKmqpqreqgtV81XLVI+pXlN9rkZVM1PjqQnUlqtVqp1Q61MbU2epO6iHqmeob1Q/pH5Z/YkGWcNMw09DpFGgsV/jvMYgC2MZs3gsIWsNq4Z1gTXEJrHN2Xx2KruY/R27iz2qqaE5QzNKM1ezUvOUZj8H45hx+Jx0TgnnKKeX836K3hTvKeIpG6Y0TLkxZVxrqpaXllirSKtRq0frvTau7aedpr1Fu1n7gQ5Bx0onXCdHZ4/OBZ3nU9lT3acKpxZNPTr1ri6qa6UbobtEd79up+6Ynr5egJ5Mb6feeb3n+hx9L/1U/W36p/VHDFgGswwkBtsMzhg8xTVxbzwdL8fb8VFDXcNAQ6VhlWGX4YSRudE8o9VGjUYPjGnGXOMk423GbcajJgYmISZLTepN7ppSTbmmKaY7TDtMx83MzaLN1pk1mz0x1zLnm+eb15vft2BaeFostqi2uGVJsuRaplnutrxuhVo5WaVYVVpds0atna0l1rutu6cRp7lOk06rntZnw7Dxtsm2qbcZsOXYBtuutm22fWFnYhdnt8Wuw+6TvZN9un2N/T0HDYfZDqsdWh1+c7RyFDpWOt6azpzuP33F9JbpL2dYzxDP2DPjthPLKcRpnVOb00dnF2e5c4PziIuJS4LLLpc+Lpsbxt3IveRKdPVxXeF60vWdm7Obwu2o26/uNu5p7ofcn8w0nymeWTNz0MPIQ+BR5dE/C5+VMGvfrH5PQ0+BZ7XnIy9jL5FXrdewt6V3qvdh7xc+9j5yn+M+4zw33jLeWV/MN8C3yLfLT8Nvnl+F30N/I/9k/3r/0QCngCUBZwOJgUGBWwL7+Hp8Ib+OPzrbZfay2e1BjKC5QRVBj4KtguXBrSFoyOyQrSH355jOkc5pDoVQfujW0Adh5mGLw34MJ4WHhVeGP45wiFga0TGXNXfR3ENz30T6RJZE3ptnMU85ry1KNSo+qi5qPNo3ujS6P8YuZlnM1VidWElsSxw5LiquNm5svt/87fOH4p3iC+N7F5gvyF1weaHOwvSFpxapLhIsOpZATIhOOJTwQRAqqBaMJfITdyWOCnnCHcJnIi/RNtGI2ENcKh5O8kgqTXqS7JG8NXkkxTOlLOW5hCepkLxMDUzdmzqeFpp2IG0yPTq9MYOSkZBxQqohTZO2Z+pn5mZ2y6xlhbL+xW6Lty8elQfJa7OQrAVZLQq2QqboVFoo1yoHsmdlV2a/zYnKOZarnivN7cyzytuQN5zvn//tEsIS4ZK2pYZLVy0dWOa9rGo5sjxxedsK4xUFK4ZWBqw8uIq2Km3VT6vtV5eufr0mek1rgV7ByoLBtQFr6wtVCuWFfevc1+1dT1gvWd+1YfqGnRs+FYmKrhTbF5cVf9go3HjlG4dvyr+Z3JS0qavEuWTPZtJm6ebeLZ5bDpaql+aXDm4N2dq0Dd9WtO319kXbL5fNKNu7g7ZDuaO

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/4@2/1

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 15_2_011DC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,

15_2_011DC5CA

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 15_2_011FA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,

15_2_011FA0D2

Source: C:\Users\user\Desktop\PO07262021.exe

File created: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2388:120:WilError_01
Source: C:\Users\user\Desktop\PO07262021.exe	Mutant created: \Sessions\1\BaseNamedObjects\fKCtYnPDseQYKUqQUyihPKJYaez

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO07262021.exe 'C:\Users\user\Desktop\PO07262021.exe'
Source: C:\Users\user\Desktop\PO07262021.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO07262021.exe	Process created: C:\Users\user\Desktop\PO07262021.exe C:\Users\user\Desktop\PO07262021.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO07262021.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PO07262021.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process created: C:\Users\user\Desktop\PO07262021.exe C:\Users\user\Desktop\PO07262021.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO07262021.exe'	Jump to behavior

Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041703E push esi; iretd	7_2_0041704D
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041E36F push ecx; iretd	7_2_0041E380
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041E3D4 push FBA9C29Ch; ret	7_2_0041E3DB
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00417596 push esp; iretd	7_2_004175CC
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_004175A0 push esp; iretd	7_2_004175CC
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041CEB5 push eax; ret	7_2_0041CF08
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041CF6C push eax; ret	7_2_0041CF72
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041CF02 push eax; ret	7_2_0041CF08
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_0041CF0B push eax; ret	7_2_0041CF72
Source: C:\Users\user\Desktop\PO07262021.exe	Code function: 7_2_00416FD2 push 00000035h; retf	7_2_00416FD8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011E76BD push ecx; ret	15_2_011E76D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011E76D1 push ecx; ret	15_2_011E76E4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_03ABD0D1 push ecx; ret	15_2_03ABD0E4

Source: initial sample	Static PE information: section name: .text entropy: 6.94520727658
Source: initial sample	Static PE information: section name: .text entropy: 6.94520727658

Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\PO07262021.exe	RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\PO07262021.exe	RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 00000000010598E4 second address: 00000000010598EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000001059B5E second address: 0000000001059B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\PO07262021.exe TID: 6692	Thread sleep time: -46734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe TID: 6716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 5968	Thread sleep time: -40000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 4984	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\PO07262021.exe	Thread delayed: delay time: 46734			Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: explorer.exe, 00000009.00000000.752500086.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000009.00000000.722521161.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.718856258.0000000006650000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.722521161.000000000A60E000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.713227262.0000000004791000.00000004.00000001.sdmp	Binary or memory string: 0ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
Source: explorer.exe, 00000009.00000000.713177380.0000000004710000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000009.00000000.752500086.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000009.00000000.722572636.000000000A64D000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA~
Source: explorer.exe, 00000009.00000000.722788045.000000000A716000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000009.00000000.752500086.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000009.00000000.722870452.000000000A782000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 00000009.00000000.752500086.00000000058C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\PO07262021.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO07262021.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011E7310 SetUnhandledExceptionFilter,		15_2_011E7310
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 15_2_011E6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		15_2_011E6FE3

Source: C:\Windows\explorer.exe	Domain query: www.winabeel.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.ppneumatic.com

Source: C:\Users\user\Desktop\PO07262021.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\PO07262021.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\PO07262021.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 3424			Jump to behavior

Source: explorer.exe, 00000009.00000000.732433250.0000000000AD8000.00000004.00000020.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000009.00000000.732800237.0000000001080000.00000002.00000001.sdmp, cmd.exe, 0000000F.00000002.913554181.0000000005040000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000009.00000000.732800237.0000000001080000.00000002.00000001.sdmp, cmd.exe, 0000000F.00000002.913554181.0000000005040000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000000.732800237.0000000001080000.00000002.00000001.sdmp, cmd.exe, 0000000F.00000002.913554181.0000000005040000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000009.00000000.732800237.0000000001080000.00000002.00000001.sdmp, cmd.exe, 0000000F.00000002.913554181.0000000005040000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.722788045.000000000A716000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	15_2_011E3F80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	15_2_011D96A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	15_2_011D5AEF

Name	IP	Active
winabeel.com	34.102.136.180	true
www.winabeel.com	unknown	unknown
www.ppneumatic.com	unknown	unknown

Windows Analysis Report PO07262021.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.winabeel.com/nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p	false	Avira URL Cloud: safe	unknown
www.cryptoinhindi.online/nmks/	true	Avira URL Cloud: safe	low

ID:	458795
Product:	CloudBasic
Start time:	18:51:07
Start date:	03.08.2021
Sample:	PO07262021.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	47a679ec6799a5a2c9212de73d404a83
SHA1:	d21c87a07b4701ddf3206aeb534d010dd928116b
SHA256:	c2e765b8a42432e042da5c444bdba20b8021bd5e1b022693978b6540fdbddec7
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO07262021.exe.log	ASCII text, with CRLF line terminators	1DC1A2DCC9EFAA84EABF4F6D6066565B	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	23D2D2B433F0ED44159491AFDD24534F	E70CB7AC5A0D0EB8BFD3352D0A4CFF41B3BB251B	DB595180719394A5059F3AB34F47925DFEFB13B7C5F7017CD4E269D3EDFCA22A
C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	47A679EC6799A5A2C9212DE73D404A83	D21C87A07B4701DDF3206AEB534D010DD928116B	C2E765B8A42432E042DA5C444BDBA20B8021BD5E1B022693978B6540FDBDDEC7
C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309