Windows Analysis Report arrival notice.exe

Overview

General Information

Sample Name: arrival notice.exe
Analysis ID: 483532
MD5: 4196c697fa8a52ecddad63bf5ac9e8f9
SHA1: 1179a7916f59fa2d88829a56f3f045e1cf32c418
SHA256: cfdb27a9ff39bd1aa5a0a43fe6e272c269a311f5748d8a13b2e705f7d66f16bd
Tags: exe
Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • arrival notice.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\arrival notice.exe' MD5: 4196C697FA8A52ECDDAD63BF5AC9E8F9)
    • arrival notice.exe (PID: 7160 cmdline: C:\Users\user\Desktop\arrival notice.exe MD5: 4196C697FA8A52ECDDAD63BF5AC9E8F9)
    • arrival notice.exe (PID: 3436 cmdline: C:\Users\user\Desktop\arrival notice.exe MD5: 4196C697FA8A52ECDDAD63BF5AC9E8F9)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • cmstp.exe (PID: 6820 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
        • cmd.exe (PID: 5948 cmdline: /c del 'C:\Users\user\Desktop\arrival notice.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 1260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • explorer.exe (PID: 4824 cmdline: 'C:\Windows\explorer.exe' /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nordicbatterybelt.net/n58i/"], "decoy": ["southerncircumstance.com", "mcsasco.com", "ifbrick.com", "societe-anonyme.net", "bantank.xyz", "dogecoin.beauty", "aboutacoffee.com", "babalandlordrealestate.com", "tintgta.com", "integrity.directory", "parwnr.icu", "poltishof.online", "stayandstyle.com", "ickjeame.xyz", "currentmotors.ca", "pond.fund", "petrosterzis.com", "deadbydaylightpoints.com", "hotel-balzac.paris", "focusmaintainance.com", "odeonmarket.com", "voeran.net", "lookailpop.xyz", "sashaignatenko.com", "royalgreenvillage.com", "airbhouse.com", "zl-dz.com", "fuwuxz.com", "wugupihuhepop.xyz", "zmdhysm.com", "luchin.site", "rnchaincvkbip.xyz", "fffddfrfqffrtgthhhbhffgfr.com", "goabbasoon.info", "booyahbucks.com", "ilovecoventry.com", "components-electronics.com", "advindustry.com", "browandline.com", "hotnspicy.site", "marlonj26.com", "holidays24.net", "starworks.online", "mbchaindogbbc.xyz", "3wouqg.com", "evnfreesx.com", "baureihe51.com", "hycelassetmanagement.space", "photostickomni-trendyfinds.com", "singisa4letterword.com", "thklw.online", "menramen.com", "highspeedinternetinc.com", "beerenhunger.info", "hisensor.world", "lassurancevalence.com", "clementchanlab.com", "customia.xyz", "alysvera-centroestetico.com", "cx-xiezuo.com", "index-mp3.com", "mybenefits51.com", "vyhozoi.site", "lingerista.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated; the full report lists 27 entries)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.arrival notice.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.arrival notice.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.arrival notice.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
  • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
5.2.arrival notice.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.arrival notice.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated; the full report lists 4 entries)

Sigma Overview

System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started | Author: Nik Seetharaman | Data: Command: /c del 'C:\Users\user\Desktop\arrival notice.exe', CommandLine: /c del 'C:\Users\user\Desktop\arrival notice.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 6820, ProcessCommandLine: /c del 'C:\Users\user\Desktop\arrival notice.exe', ProcessId: 5948

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.nordicbatterybelt.net/n58i/"], "decoy": ["southerncircumstance.com", "mcsasco.com", "ifbrick.com", "societe-anonyme.net", "bantank.xyz", "dogecoin.beauty", "aboutacoffee.com", "babalandlordrealestate.com", "tintgta.com", "integrity.directory", "parwnr.icu", "poltishof.online", "stayandstyle.com", "ickjeame.xyz", "currentmotors.ca", "pond.fund", "petrosterzis.com", "deadbydaylightpoints.com", "hotel-balzac.paris", "focusmaintainance.com", "odeonmarket.com", "voeran.net", "lookailpop.xyz", "sashaignatenko.com", "royalgreenvillage.com", "airbhouse.com", "zl-dz.com", "fuwuxz.com", "wugupihuhepop.xyz", "zmdhysm.com", "luchin.site", "rnchaincvkbip.xyz", "fffddfrfqffrtgthhhbhffgfr.com", "goabbasoon.info", "booyahbucks.com", "ilovecoventry.com", "components-electronics.com", "advindustry.com", "browandline.com", "hotnspicy.site", "marlonj26.com", "holidays24.net", "starworks.online", "mbchaindogbbc.xyz", "3wouqg.com", "evnfreesx.com", "baureihe51.com", "hycelassetmanagement.space", "photostickomni-trendyfinds.com", "singisa4letterword.com", "thklw.online", "menramen.com", "highspeedinternetinc.com", "beerenhunger.info", "hisensor.world", "lassurancevalence.com", "clementchanlab.com", "customia.xyz", "alysvera-centroestetico.com", "cx-xiezuo.com", "index-mp3.com", "mybenefits51.com", "vyhozoi.site", "lingerista.net"]}
Multi AV Scanner detection for submitted file
Source: arrival notice.exe | Virustotal: Detection: 29%
Source: arrival notice.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: arrival notice.exe | Joe Sandbox ML: detected
Source: 5.2.arrival notice.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: arrival notice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: arrival notice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmstp.pdbGCTL source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp
          Source: Binary string: \Registry\Machine\Software\Classes\SystemFileAssociations\.pdbsqrstuvwxyz{|}~ source: explorer.exe, 00000017.00000003.920395188.0000000007E54000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: arrival notice.exe, 00000005.00000002.753977107.00000000015D0000.00000040.00000001.sdmp, cmstp.exe, 0000000E.00000002.988607183.0000000004A6F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: arrival notice.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 4x nop then pop edi | 5_2_0041625A
Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 4x nop then pop edi | 5_2_0040C3D2
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 14_2_007C625A
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 4x nop then pop edi | 14_2_007BC3D2

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.nordicbatterybelt.net/n58i/
Source: explorer.exe, 00000017.00000002.964094196.0000000007301000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000017.00000000.937508363.0000000007EE6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.v
Source: explorer.exe, 00000017.00000002.958150774.000000000348F000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adoqw
Source: arrival notice.exe, 00000000.00000002.671468135.0000000000A00000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: arrival notice.exe
.NET source code contains very large strings
Source: arrival notice.exe, Forms/mainForm.cs | Long String: Length: 38272
Source: 0.0.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 0.2.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 4.2.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 4.0.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 5.2.arrival notice.exe.b50000.1.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: 5.0.arrival notice.exe.b50000.0.unpack, Forms/mainForm.cs | Long String: Length: 38272
Source: arrival notice.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\arrival notice.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Users\user\Desktop\arrival notice.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.arrival notice.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.arrival notice.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.arrival notice.exe.37c44c0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.753650396.00000000012B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.987277254.0000000002E00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.712937418.000000000EC67000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.986144684.00000000007B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.672365867.00000000035F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.699881557.000000000EC67000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.752247585.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.753557009.0000000001280000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.987219865.0000000002DD0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02442FC4
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02442BF8
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02443949
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02446918
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02443763
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02443768
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02442BED
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02440040
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02443460
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02443470
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02440033
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02440C93
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02440C98
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_0244017C
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02440135
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_024439F1
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_024DC124
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_024DE562
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_024DE570
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0041B8DB
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0041C136
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0041D229
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00408C6B
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00408C70
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00402D87
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01614120
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_015FF900
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016B1002
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016C28EC
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016220A0
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016C20A8
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0160B090
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016C2B28
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016BDBD2
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0162EBB0
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016C22AE
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016C1D55
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016C2D07
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_015F0D20
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0160D5E0
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016C25DD
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01622581
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016BD466
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0160841F
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016C1FF1
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01616E30
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016C2EF7
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_0498841F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A3D466
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049A2581
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_0498D5E0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A425DD
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A42D07
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04970D20
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A41D55
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A42EF7
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04996E30
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A3D616
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A41FF1
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_0498B090
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A420A8
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049A20A0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A428EC
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A31002
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_0497F900
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04994120
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A422AE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049AEBB0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A3DBD2
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_04A42B28
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007CB8DB
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007CC136
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007CD229
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007B8C70
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007B8C6B
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007B2D90
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007B2D87
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007B2FB0
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: String function: 015FB150 appears 35 times
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0497B150 appears 35 times
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_004185D0 NtCreateFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00418680 NtReadFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00418700 NtClose
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_004187B0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_004185CA NtCreateFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0041867C NtReadFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_004186FB NtClose
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_004187AC NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016399A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016398F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016395D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016397A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016396E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639950 NtQueueApcThread
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016399D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0163B040 NtSuspendThread
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639820 NtEnumerateKey
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016398A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639B00 NtSetValueKey
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0163A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639A10 NtQuerySection
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639560 NtWriteFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0163AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016395F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639760 NtOpenProcess
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0163A770 NtOpenThread
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639770 NtSetInformationFile
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0163A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639650 NtQueryValueKey
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_01639610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_016396D0 NtCreateKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B96D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049BAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9560 NtWriteFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049BA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049BA770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049BB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049BA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049B9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C85D0 NtCreateFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C8680 NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C8700 NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C87B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C85CA NtCreateFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C867C NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C86FB NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C87AC NtAllocateVirtualMemory
          Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 98%
          Source: arrival notice.exe, 00000000.00000002.671032767.0000000000311000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFileSystemAccessRu.exe4 vs arrival notice.exe
          Source: arrival notice.exe, 00000000.00000002.672532960.00000000036F2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs arrival notice.exe
          Source: arrival notice.exe, 00000000.00000002.671468135.0000000000A00000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs arrival notice.exe
          Source: arrival notice.exe, 00000004.00000002.669288896.00000000003F1000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFileSystemAccessRu.exe4 vs arrival notice.exe
          Source: arrival notice.exe, 00000005.00000002.753082192.0000000000C11000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameFileSystemAccessRu.exe4 vs arrival notice.exe
          Source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCMSTP.EXE` vs arrival notice.exe
          Source: arrival notice.exe, 00000005.00000002.754621837.000000000187F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs arrival notice.exe
          Source: arrival notice.exe | Binary or memory string: OriginalFilenameFileSystemAccessRu.exe4 vs arrival notice.exe
          Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
          Source: arrival notice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: arrival notice.exe | Virustotal: Detection: 29%
          Source: arrival notice.exe | ReversingLabs: Detection: 25%
          Source: arrival notice.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\arrival notice.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\arrival notice.exe 'C:\Users\user\Desktop\arrival notice.exe'
          Source: C:\Users\user\Desktop\arrival notice.exe | Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
          Source: C:\Users\user\Desktop\arrival notice.exe | Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
          Source: C:\Users\user\Desktop\arrival notice.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\arrival notice.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\arrival notice.exe | Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
          Source: C:\Users\user\Desktop\arrival notice.exe | Process created: C:\Users\user\Desktop\arrival notice.exe C:\Users\user\Desktop\arrival notice.exe
          Source: C:\Users\user\Desktop\arrival notice.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\arrival notice.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
          Source: C:\Users\user\Desktop\arrival notice.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\arrival notice.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/1@0/0
          Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Users\user\Desktop\arrival notice.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1260:120:WilError_01
          Source: C:\Users\user\Desktop\arrival notice.exe | Mutant created: \Sessions\1\BaseNamedObjects\RmVhorZfszBwlBtnIDjIbw
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\explorer.exe
          Source: arrival notice.exe, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.0.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 0.2.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 4.2.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 4.0.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 5.2.arrival notice.exe.b50000.1.unpack, Forms/mainForm.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\arrival notice.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: arrival notice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: arrival notice.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: arrival notice.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: cmstp.pdbGCTL | source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp
          Source: Binary string: \Registry\Machine\Software\Classes\SystemFileAssociations\.pdbsqrstuvwxyz{|}~ | source: explorer.exe, 00000017.00000003.920395188.0000000007E54000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP | source: arrival notice.exe, 00000005.00000002.753977107.00000000015D0000.00000040.00000001.sdmp, cmstp.exe, 0000000E.00000002.988607183.0000000004A6F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb | source: arrival notice.exe, cmstp.exe
          Source: Binary string: cmstp.pdb | source: arrival notice.exe, 00000005.00000003.750476475.0000000001341000.00000004.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: arrival notice.exe, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.arrival notice.exe.250000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.arrival notice.exe.330000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.2.arrival notice.exe.b50000.1.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.arrival notice.exe.b50000.0.unpack, Forms/mainForm.cs | .Net Code: _X_X0FT_FT2 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_02440BCE push eax; ret 0_2_02440BCF
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_0244095D push cs; ret 0_2_0244095F
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 0_2_024DF932 push esp; iretd 0_2_024DF939
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0041B87C push eax; ret 5_2_0041B882
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0041B812 push eax; ret 5_2_0041B818
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0041B81B push eax; ret 5_2_0041B882
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00412A95 pushfd ; retf 5_2_00412A96
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00415BB5 push eax; retf 5_2_00415BBB
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_004186CA push edx; retn 0076h 5_2_004186CB
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0040169B push es; iretd 5_2_0040169D
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_00414EA9 push es; ret 5_2_00414EAB
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0041B7C5 push eax; ret 5_2_0041B818
          Source: C:\Users\user\Desktop\arrival notice.exe | Code function: 5_2_0164D0D1 push ecx; ret 5_2_0164D0E4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_049CD0D1 push ecx; ret 14_2_049CD0E4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007CB87C push eax; ret 14_2_007CB882
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007CB81B push eax; ret 14_2_007CB882
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007CB812 push eax; ret 14_2_007CB818
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C2A95 pushfd ; retf 14_2_007C2A96
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C5BB5 push eax; retf 14_2_007C5BBB
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C86CA push edx; retn 0076h 14_2_007C86CB
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007C4EA9 push es; ret 14_2_007C4EAB
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007B169B push es; iretd 14_2_007B169D
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 14_2_007CB7C5 push eax; ret 14_2_007CB818
          Source: arrival notice.exe | Static PE information: 0xD983B25D [Wed Aug 22 02:45:49 2085 UTC]
          Source: initial sample | Static PE information: section name: .text entropy: 7.21116196113

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cmstp.exe Process created: /c del 'C:\Users\user\Desktop\arrival notice.exe'
          Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\arrival notice.exe Process information set: NOOPENFILEERRORBOX (33 occurrences)
          Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX (22 occurrences)