Windows Analysis Report 3Wok4G7Goe

Overview

General Information

Sample Name: 3Wok4G7Goe (renamed file extension from none to exe)
Analysis ID: 552763
MD5: 1e14373563bcf10103f2850b17b100ea
SHA1: f19d6f0a506f86025ee25ab6ad9405e4bc297783
SHA256: 8d38be02ab71fba9115c3a645edf515c62ffe53a5a590f7b37f362ab117473a1
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicious Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}
Multi AV Scanner detection for submitted file
Source: 3Wok4G7Goe.exe Virustotal: Detection: 56%
Source: 3Wok4G7Goe.exe ReversingLabs: Detection: 70%
Yara detected FormBook
Antivirus detection for URL or domain
Source: www.topeasyip.company/i5nb/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: 3Wok4G7Goe.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 3Wok4G7Goe.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3Wok4G7Goe.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
Source: Binary string: systray.pdbGCTL source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 4x nop then pop esi 7_2_0041584D
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 4x nop then pop edi 7_2_004162F6
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop edi 18_2_021462F6
Source: C:\Windows\SysWOW64\systray.exe Code function: 4x nop then pop esi 18_2_0214584D

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.topeasyip.company/i5nb/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 3Wok4G7Goe.exe, 00000000.00000002.283738800.0000000001769000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Uses 32bit PE files
Source: 3Wok4G7Goe.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 0_2_019FC4BC 0_2_019FC4BC
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 0_2_019FE430 0_2_019FE430
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 0_2_019FE420 0_2_019FE420
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 0_2_058B0338 0_2_058B0338
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00401030 7_2_00401030
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041C95A 7_2_0041C95A
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041C96E 7_2_0041C96E
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041D128 7_2_0041D128
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041C38D 7_2_0041C38D
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041BB9E 7_2_0041BB9E
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00408C90 7_2_00408C90
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00402D8A 7_2_00402D8A
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00402D90 7_2_00402D90
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041BF8B 7_2_0041BF8B
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00402FB0 7_2_00402FB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431841F 18_2_0431841F
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043C1002 18_2_043C1002
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431B090 18_2_0431B090
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04300D20 18_2_04300D20
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04324120 18_2_04324120
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430F900 18_2_0430F900
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D1D55 18_2_043D1D55
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431D5E0 18_2_0431D5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04326E30 18_2_04326E30
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433EBB0 18_2_0433EBB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214BB9E 18_2_0214BB9E
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214C38D 18_2_0214C38D
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214D128 18_2_0214D128
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214C95A 18_2_0214C95A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214C96E 18_2_0214C96E
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_02132FB0 18_2_02132FB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_02138C90 18_2_02138C90
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_02132D90 18_2_02132D90
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_02132D8A 18_2_02132D8A
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\systray.exe Code function: String function: 0430B150 appears 32 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_004185F0 NtCreateFile, 7_2_004185F0
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_004186A0 NtReadFile, 7_2_004186A0
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00418720 NtClose, 7_2_00418720
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_004187D0 NtAllocateVirtualMemory, 7_2_004187D0
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00418642 NtCreateFile, 7_2_00418642
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041869D NtReadFile, 7_2_0041869D
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041871A NtClose, 7_2_0041871A
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_004187CB NtAllocateVirtualMemory, 7_2_004187CB
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_04349860
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_04349910
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349540 NtReadFile,LdrInitializeThunk, 18_2_04349540
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043499A0 NtCreateSection,LdrInitializeThunk, 18_2_043499A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043495D0 NtClose,LdrInitializeThunk, 18_2_043495D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_04349660
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349650 NtQueryValueKey,LdrInitializeThunk, 18_2_04349650
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349A50 NtCreateFile,LdrInitializeThunk, 18_2_04349A50
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043496E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_043496E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043496D0 NtCreateKey,LdrInitializeThunk, 18_2_043496D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349710 NtQueryInformationToken,LdrInitializeThunk, 18_2_04349710
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349780 NtMapViewOfSection,LdrInitializeThunk, 18_2_04349780
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349FE0 NtCreateMutant,LdrInitializeThunk, 18_2_04349FE0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349820 NtEnumerateKey, 18_2_04349820
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0434B040 NtSuspendThread, 18_2_0434B040
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349840 NtDelayExecution, 18_2_04349840
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043498A0 NtWriteVirtualMemory, 18_2_043498A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043498F0 NtReadVirtualMemory, 18_2_043498F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0434AD30 NtSetContextThread, 18_2_0434AD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349520 NtWaitForSingleObject, 18_2_04349520
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349560 NtWriteFile, 18_2_04349560
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349950 NtQueueApcThread, 18_2_04349950
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043495F0 NtQueryInformationFile, 18_2_043495F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043499D0 NtCreateProcessEx, 18_2_043499D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349A20 NtResumeThread, 18_2_04349A20
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349610 NtEnumerateValueKey, 18_2_04349610
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349A10 NtQuerySection, 18_2_04349A10
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349A00 NtProtectVirtualMemory, 18_2_04349A00
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349670 NtQueryInformationProcess, 18_2_04349670
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349A80 NtOpenDirectoryObject, 18_2_04349A80
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349730 NtQueryVirtualMemory, 18_2_04349730
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0434A710 NtOpenProcessToken, 18_2_0434A710
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349B00 NtSetValueKey, 18_2_04349B00
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349770 NtSetInformationFile, 18_2_04349770
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0434A770 NtOpenThread, 18_2_0434A770
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04349760 NtOpenProcess, 18_2_04349760
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0434A3B0 NtGetContextThread, 18_2_0434A3B0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043497A0 NtUnmapViewOfSection, 18_2_043497A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_021486A0 NtReadFile, 18_2_021486A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_02148720 NtClose, 18_2_02148720
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_021487D0 NtAllocateVirtualMemory, 18_2_021487D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_021485F0 NtCreateFile, 18_2_021485F0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_02148642 NtCreateFile, 18_2_02148642
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214869D NtReadFile, 18_2_0214869D
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214871A NtClose, 18_2_0214871A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_021487CB NtAllocateVirtualMemory, 18_2_021487CB
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\systray.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: 3Wok4G7Goe.exe Binary or memory string: OriginalFilename vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000000.00000002.288874331.00000000080E0000.00000004.00020000.sdmp Binary or memory string: OriginalFilenameUI.dllF vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameUI.dllF vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000000.00000002.283738800.0000000001769000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000007.00000002.348014030.00000000019C3000.00000040.00020000.sdmp Binary or memory string: OriginalFilenamesystray.exej% vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000007.00000002.349185830.0000000001C8F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe Binary or memory string: OriginalFilenameEnumerableToBindableIterableAdapt.exeD vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eyFgpnfXIO.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3Wok4G7Goe.exe Virustotal: Detection: 56%
Source: 3Wok4G7Goe.exe ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe File read: C:\Users\user\Desktop\3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\3Wok4G7Goe.exe "C:\Users\user\Desktop\3Wok4G7Goe.exe"
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Users\user\Desktop\3Wok4G7Goe.exe C:\Users\user\Desktop\3Wok4G7Goe.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Users\user\Desktop\3Wok4G7Goe.exe C:\Users\user\Desktop\3Wok4G7Goe.exe
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe File created: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe File created: C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/8@0/0
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 3Wok4G7Goe.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 3Wok4G7Goe.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
Source: Binary string: systray.pdbGCTL source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: 3Wok4G7Goe.exe, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: eyFgpnfXIO.exe.0.dr, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.3Wok4G7Goe.exe.ff0000.0.unpack, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.3Wok4G7Goe.exe.ff0000.0.unpack, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.3Wok4G7Goe.exe.f30000.5.unpack, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.3Wok4G7Goe.exe.f30000.1.unpack, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.3Wok4G7Goe.exe.f30000.1.unpack, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.3Wok4G7Goe.exe.f30000.2.unpack, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.3Wok4G7Goe.exe.f30000.0.unpack, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.3Wok4G7Goe.exe.f30000.9.unpack, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.3Wok4G7Goe.exe.f30000.7.unpack, DaylightTimeStru/UnionCodeGro.cs .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 0_2_019FE338 push esp; ret 0_2_019FE339
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 0_2_058B8B61 push eax; retf 0_2_058B8B75
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 0_2_058B91B7 push C400055Eh; iretd 0_2_058B91D1
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041B842 push eax; ret 7_2_0041B848
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041B84B push eax; ret 7_2_0041B8B2
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_004188F2 push ds; ret 7_2_004188F3
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041B8AC push eax; ret 7_2_0041B8B2
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00416109 push cs; iretd 7_2_0041610A
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00415237 pushfd ; iretd 7_2_00415238
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_0041B7F5 push eax; ret 7_2_0041B848
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0435D0D1 push ecx; ret 18_2_0435D0E4
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_02145237 pushfd ; iretd 18_2_02145238
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214B842 push eax; ret 18_2_0214B848
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214B84B push eax; ret 18_2_0214B8B2
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214B8AC push eax; ret 18_2_0214B8B2
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_021488F2 push ds; ret 18_2_021488F3
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_02146109 push cs; iretd 18_2_0214610A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0214B7F5 push eax; ret 18_2_0214B848
Source: initial sample Static PE information: section name: .text entropy: 7.93992024133

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe File created: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\systray.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.3Wok4G7Goe.exe.35177d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3Wok4G7Goe.exe.350f7c4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.3Wok4G7Goe.exe.3554590.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.284483243.000000000352B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 3Wok4G7Goe.exe PID: 6492, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 3Wok4G7Goe.exe, 00000000.00000002.284483243.000000000352B000.00000004.00000001.sdmp, 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: 3Wok4G7Goe.exe, 00000000.00000002.284483243.000000000352B000.00000004.00000001.sdmp, 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 0000000002138614 second address: 000000000213861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\systray.exe RDTSC instruction interceptor: First address: 00000000021389AE second address: 00000000021389B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe TID: 6496 Thread sleep time: -34414s >= -30000s
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe TID: 6512 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6940 Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6900 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_004088E0 rdtsc 7_2_004088E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5263
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 608
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\systray.exe API coverage: 9.0 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Thread delayed: delay time: 34414
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000B.00000000.325815302.00000000048E0000.00000004.00000001.sdmp Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.312349844.0000000008A32000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000000B.00000000.312349844.0000000008A32000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000B.00000000.331559441.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000000B.00000000.331559441.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000B.00000000.325815302.00000000048E0000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.332023737.0000000008CEA000.00000004.00000001.sdmp Binary or memory string: 6e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.294241032.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 0000000B.00000000.331559441.0000000008B88000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 0000000B.00000000.294241032.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000B.00000000.327940218.00000000069DA000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD002
Source: 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_004088E0 rdtsc 7_2_004088E0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\systray.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431B02A mov eax, dword ptr fs:[00000030h] 18_2_0431B02A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433002D mov eax, dword ptr fs:[00000030h] 18_2_0433002D
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433BC2C mov eax, dword ptr fs:[00000030h] 18_2_0433BC2C
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D4015 mov eax, dword ptr fs:[00000030h] 18_2_043D4015
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04387016 mov eax, dword ptr fs:[00000030h] 18_2_04387016
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D740D mov eax, dword ptr fs:[00000030h] 18_2_043D740D
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04386C0A mov eax, dword ptr fs:[00000030h] 18_2_04386C0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h] 18_2_043C1C06
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D1074 mov eax, dword ptr fs:[00000030h] 18_2_043D1074
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043C2073 mov eax, dword ptr fs:[00000030h] 18_2_043C2073
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0432746D mov eax, dword ptr fs:[00000030h] 18_2_0432746D
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04320050 mov eax, dword ptr fs:[00000030h] 18_2_04320050
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0439C450 mov eax, dword ptr fs:[00000030h] 18_2_0439C450
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433A44B mov eax, dword ptr fs:[00000030h] 18_2_0433A44B
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433F0BF mov ecx, dword ptr fs:[00000030h] 18_2_0433F0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433F0BF mov eax, dword ptr fs:[00000030h] 18_2_0433F0BF
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043490AF mov eax, dword ptr fs:[00000030h] 18_2_043490AF
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431849B mov eax, dword ptr fs:[00000030h] 18_2_0431849B
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04309080 mov eax, dword ptr fs:[00000030h] 18_2_04309080
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04383884 mov eax, dword ptr fs:[00000030h] 18_2_04383884
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043C14FB mov eax, dword ptr fs:[00000030h] 18_2_043C14FB
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04386CF0 mov eax, dword ptr fs:[00000030h] 18_2_04386CF0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0439B8D0 mov eax, dword ptr fs:[00000030h] 18_2_0439B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0439B8D0 mov ecx, dword ptr fs:[00000030h] 18_2_0439B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0439B8D0 mov eax, dword ptr fs:[00000030h] 18_2_0439B8D0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D8CD6 mov eax, dword ptr fs:[00000030h] 18_2_043D8CD6
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430AD30 mov eax, dword ptr fs:[00000030h] 18_2_0430AD30
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h] 18_2_04313D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04334D3B mov eax, dword ptr fs:[00000030h] 18_2_04334D3B
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D8D34 mov eax, dword ptr fs:[00000030h] 18_2_043D8D34
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433513A mov eax, dword ptr fs:[00000030h] 18_2_0433513A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0438A537 mov eax, dword ptr fs:[00000030h] 18_2_0438A537
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04324120 mov eax, dword ptr fs:[00000030h] 18_2_04324120
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04324120 mov ecx, dword ptr fs:[00000030h] 18_2_04324120
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04309100 mov eax, dword ptr fs:[00000030h] 18_2_04309100
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430B171 mov eax, dword ptr fs:[00000030h] 18_2_0430B171
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0432C577 mov eax, dword ptr fs:[00000030h] 18_2_0432C577
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430C962 mov eax, dword ptr fs:[00000030h] 18_2_0430C962
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04327D50 mov eax, dword ptr fs:[00000030h] 18_2_04327D50
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0432B944 mov eax, dword ptr fs:[00000030h] 18_2_0432B944
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04343D43 mov eax, dword ptr fs:[00000030h] 18_2_04343D43
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04383540 mov eax, dword ptr fs:[00000030h] 18_2_04383540
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04331DB5 mov eax, dword ptr fs:[00000030h] 18_2_04331DB5
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043851BE mov eax, dword ptr fs:[00000030h] 18_2_043851BE
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043335A1 mov eax, dword ptr fs:[00000030h] 18_2_043335A1
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043361A0 mov eax, dword ptr fs:[00000030h] 18_2_043361A0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043869A6 mov eax, dword ptr fs:[00000030h] 18_2_043869A6
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04332990 mov eax, dword ptr fs:[00000030h] 18_2_04332990
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433FD9B mov eax, dword ptr fs:[00000030h] 18_2_0433FD9B
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0432C182 mov eax, dword ptr fs:[00000030h] 18_2_0432C182
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433A185 mov eax, dword ptr fs:[00000030h] 18_2_0433A185
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04302D8A mov eax, dword ptr fs:[00000030h] 18_2_04302D8A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043B8DF1 mov eax, dword ptr fs:[00000030h] 18_2_043B8DF1
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430B1E1 mov eax, dword ptr fs:[00000030h] 18_2_0430B1E1
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043941E8 mov eax, dword ptr fs:[00000030h] 18_2_043941E8
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431D5E0 mov eax, dword ptr fs:[00000030h] 18_2_0431D5E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043BFE3F mov eax, dword ptr fs:[00000030h] 18_2_043BFE3F
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430E620 mov eax, dword ptr fs:[00000030h] 18_2_0430E620
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430AA16 mov eax, dword ptr fs:[00000030h] 18_2_0430AA16
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04323A1C mov eax, dword ptr fs:[00000030h] 18_2_04323A1C
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433A61C mov eax, dword ptr fs:[00000030h] 18_2_0433A61C
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430C600 mov eax, dword ptr fs:[00000030h] 18_2_0430C600
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04338E00 mov eax, dword ptr fs:[00000030h] 18_2_04338E00
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04318A0A mov eax, dword ptr fs:[00000030h] 18_2_04318A0A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0432AE73 mov eax, dword ptr fs:[00000030h] 18_2_0432AE73
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0434927A mov eax, dword ptr fs:[00000030h] 18_2_0434927A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043BB260 mov eax, dword ptr fs:[00000030h] 18_2_043BB260
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431766D mov eax, dword ptr fs:[00000030h] 18_2_0431766D
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D8A62 mov eax, dword ptr fs:[00000030h] 18_2_043D8A62
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04394257 mov eax, dword ptr fs:[00000030h] 18_2_04394257
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04309240 mov eax, dword ptr fs:[00000030h] 18_2_04309240
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04317E41 mov eax, dword ptr fs:[00000030h] 18_2_04317E41
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431AAB0 mov eax, dword ptr fs:[00000030h] 18_2_0431AAB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433FAB0 mov eax, dword ptr fs:[00000030h] 18_2_0433FAB0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043052A5 mov eax, dword ptr fs:[00000030h] 18_2_043052A5
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D0EA5 mov eax, dword ptr fs:[00000030h] 18_2_043D0EA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043846A7 mov eax, dword ptr fs:[00000030h] 18_2_043846A7
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433D294 mov eax, dword ptr fs:[00000030h] 18_2_0433D294
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0439FE87 mov eax, dword ptr fs:[00000030h] 18_2_0439FE87
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043316E0 mov ecx, dword ptr fs:[00000030h] 18_2_043316E0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043176E2 mov eax, dword ptr fs:[00000030h] 18_2_043176E2
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04332AE4 mov eax, dword ptr fs:[00000030h] 18_2_04332AE4
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D8ED6 mov eax, dword ptr fs:[00000030h] 18_2_043D8ED6
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04348EC7 mov eax, dword ptr fs:[00000030h] 18_2_04348EC7
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04332ACB mov eax, dword ptr fs:[00000030h] 18_2_04332ACB
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043BFEC0 mov eax, dword ptr fs:[00000030h] 18_2_043BFEC0
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043336CC mov eax, dword ptr fs:[00000030h] 18_2_043336CC
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433E730 mov eax, dword ptr fs:[00000030h] 18_2_0433E730
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04304F2E mov eax, dword ptr fs:[00000030h] 18_2_04304F2E
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0432F716 mov eax, dword ptr fs:[00000030h] 18_2_0432F716
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043C131B mov eax, dword ptr fs:[00000030h] 18_2_043C131B
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0439FF10 mov eax, dword ptr fs:[00000030h] 18_2_0439FF10
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D070D mov eax, dword ptr fs:[00000030h] 18_2_043D070D
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433A70E mov eax, dword ptr fs:[00000030h] 18_2_0433A70E
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04333B7A mov eax, dword ptr fs:[00000030h] 18_2_04333B7A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430DB60 mov ecx, dword ptr fs:[00000030h] 18_2_0430DB60
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431FF60 mov eax, dword ptr fs:[00000030h] 18_2_0431FF60
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D8F6A mov eax, dword ptr fs:[00000030h] 18_2_043D8F6A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D8B58 mov eax, dword ptr fs:[00000030h] 18_2_043D8B58
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430F358 mov eax, dword ptr fs:[00000030h] 18_2_0430F358
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0430DB40 mov eax, dword ptr fs:[00000030h] 18_2_0430DB40
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0431EF40 mov eax, dword ptr fs:[00000030h] 18_2_0431EF40
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043D5BA5 mov eax, dword ptr fs:[00000030h] 18_2_043D5BA5
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_0433B390 mov eax, dword ptr fs:[00000030h] 18_2_0433B390
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04318794 mov eax, dword ptr fs:[00000030h] 18_2_04318794
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04387794 mov eax, dword ptr fs:[00000030h] 18_2_04387794
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043C138A mov eax, dword ptr fs:[00000030h] 18_2_043C138A
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043BD380 mov ecx, dword ptr fs:[00000030h] 18_2_043BD380
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_04311B8F mov eax, dword ptr fs:[00000030h] 18_2_04311B8F
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043437F5 mov eax, dword ptr fs:[00000030h] 18_2_043437F5
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043303E2 mov eax, dword ptr fs:[00000030h] 18_2_043303E2
Source: C:\Windows\SysWOW64\systray.exe Code function: 18_2_043853CA mov eax, dword ptr fs:[00000030h] 18_2_043853CA
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\systray.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Code function: 7_2_00409B50 LdrLoadDll, 7_2_00409B50
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Section unmapped: C:\Windows\SysWOW64\systray.exe base address: 100000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Section loaded: unknown target: C:\Windows\SysWOW64\systray.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Thread register set: target process: 3292
Adds a directory exclusion to Windows Defender
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Process created: C:\Users\user\Desktop\3Wok4G7Goe.exe C:\Users\user\Desktop\3Wok4G7Goe.exe
Source: explorer.exe, 0000000B.00000000.286300102.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.304164195.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.324049165.0000000001400000.00000002.00020000.sdmp, systray.exe, 00000012.00000002.516650336.0000000002A30000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 0000000B.00000000.290447318.0000000005F40000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.286300102.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.304164195.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.324049165.0000000001400000.00000002.00020000.sdmp, systray.exe, 00000012.00000002.516650336.0000000002A30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000B.00000000.286300102.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.304164195.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.324049165.0000000001400000.00000002.00020000.sdmp, systray.exe, 00000012.00000002.516650336.0000000002A30000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000B.00000000.286300102.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.304164195.0000000001400000.00000002.00020000.sdmp, explorer.exe, 0000000B.00000000.324049165.0000000001400000.00000002.00020000.sdmp, systray.exe, 00000012.00000002.516650336.0000000002A30000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000000B.00000000.323701813.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.285633809.0000000000EB8000.00000004.00000020.sdmp, explorer.exe, 0000000B.00000000.303812570.0000000000EB8000.00000004.00000020.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 0000000B.00000000.331407402.0000000008ACF000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.294241032.0000000008ACF000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Users\user\Desktop\3Wok4G7Goe.exe VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation