Windows Analysis Report 3Wok4G7Goe

Overview

General Information

Sample Name: 3Wok4G7Goe (renamed file extension from none to exe)
Analysis ID: 552763
MD5: 1e14373563bcf10103f2850b17b100ea
SHA1: f19d6f0a506f86025ee25ab6ad9405e4bc297783
SHA256: 8d38be02ab71fba9115c3a645edf515c62ffe53a5a590f7b37f362ab117473a1
Tags: 32, exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • 3Wok4G7Goe.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\3Wok4G7Goe.exe" MD5: 1E14373563BCF10103F2850B17B100EA)
    • powershell.exe (PID: 6748 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6784 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 3Wok4G7Goe.exe (PID: 6948 cmdline: C:\Users\user\Desktop\3Wok4G7Goe.exe MD5: 1E14373563BCF10103F2850B17B100EA)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed below the row)
00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 entries in total; the remaining entries are not shown on this page)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed below the row)
7.2.3Wok4G7Goe.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.2.3Wok4G7Goe.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
7.2.3Wok4G7Goe.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
7.0.3Wok4G7Goe.exe.400000.8.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
7.0.3Wok4G7Goe.exe.400000.8.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(25 entries in total; the remaining entries are not shown on this page)

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started. Author: frack113. Data:
  • Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
  • CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
  • CommandLine|base64offset|contains: *j
  • Image: C:\Windows\SysWOW64\schtasks.exe
  • NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  • OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  • ParentCommandLine: "C:\Users\user\Desktop\3Wok4G7Goe.exe"
  • ParentImage: C:\Users\user\Desktop\3Wok4G7Goe.exe
  • ParentProcessId: 6492
  • ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
  • ProcessId: 6784

Sigma detected: Powershell Defender Exclusion
Source: Process started. Author: Florian Roth. Data:
  • Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
  • CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
  • CommandLine|base64offset|contains: ~2yzw
  • Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • ParentCommandLine: "C:\Users\user\Desktop\3Wok4G7Goe.exe"
  • ParentImage: C:\Users\user\Desktop\3Wok4G7Goe.exe
  • ParentProcessId: 6492
  • ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
  • ProcessId: 6748

Sigma detected: Non Interactive PowerShell
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data:
  • Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
  • CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
  • CommandLine|base64offset|contains: ~2yzw
  • Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  • ParentCommandLine: "C:\Users\user\Desktop\3Wok4G7Goe.exe"
  • ParentImage: C:\Users\user\Desktop\3Wok4G7Goe.exe
  • ParentProcessId: 6492
  • ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
  • ProcessId: 6748

Sigma detected: T1086 PowerShell Execution
Source: Pipe created. Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research). Data:
  • PipeName: \PSHost.132865989708799923.6748.DefaultAppDomain.powershell

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (full C2 list and decoy domains as given under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 3Wok4G7Goe.exe, Virustotal: Detection: 56%
Source: 3Wok4G7Goe.exe, ReversingLabs: Detection: 70%
Yara detected FormBook
Source: Yara match, file source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.topeasyip.company/i5nb/, Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe, Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe, ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: 3Wok4G7Goe.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe, Joe Sandbox ML: detected
Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3Wok4G7Goe.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3Wok4G7Goe.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb, source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
Source: Binary string: systray.pdbGCTL, source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe, Code function: 4x nop then pop esi (7_2_0041584D)
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe, Code function: 4x nop then pop edi (7_2_004162F6)
Source: C:\Windows\SysWOW64\systray.exe, Code function: 4x nop then pop edi (18_2_021462F6)
Source: C:\Windows\SysWOW64\systray.exe, Code function: 4x nop then pop esi (18_2_0214584D)

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.topeasyip.company/i5nb/
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.284483243.000000000352B000.00000004.00000001.sdmp, 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.327750963.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.290461857.0000000006840000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: 3Wok4G7Goe.exe, 00000000.00000002.283738800.0000000001769000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY. Matched rule: detect Formbook in memory. Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY. Matched rule: autogenerated rule brought to you by yara-signator. Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3Wok4G7Goe.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_019FC4BC
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_019FE430
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_019FE420
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_058B0338
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00401030
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041C95A
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041C96E
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041D128
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041C38D
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041BB9E
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00408C90
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00402D8A
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00402D90
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041BF8B
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00402FB0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431841F
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043C1002
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431B090
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04300D20
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04324120
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0430F900
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043D1D55
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431D5E0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04326E30
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0433EBB0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214BB9E
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214C38D
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214D128
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214C95A
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214C96E
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02132FB0
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02138C90
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02132D90
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02132D8A
Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 0430B150 appears 32 times
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004185F0 NtCreateFile
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004186A0 NtReadFile
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00418720 NtClose
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004187D0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00418642 NtCreateFile
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041869D NtReadFile
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041871A NtClose
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004187CB NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349540 NtReadFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043499A0 NtCreateSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043495D0 NtClose, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349650 NtQueryValueKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A50 NtCreateFile, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043496E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043496D0 NtCreateKey, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349820 NtEnumerateKey
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434B040 NtSuspendThread
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349840 NtDelayExecution
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043498A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043498F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349560 NtWriteFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349950 NtQueueApcThread
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043495F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043499D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A20 NtResumeThread
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A10 NtQuerySection
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349B00 NtSetValueKey
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349770 NtSetInformationFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434A770 NtOpenThread
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349760 NtOpenProcess
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043497A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_021486A0 NtReadFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02148720 NtClose
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_021487D0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_021485F0 NtCreateFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02148642 NtCreateFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214869D NtReadFile
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214871A NtClose
Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_021487CB NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\systray.exe | Process Stats: CPU usage > 98%
Source: 3Wok4G7Goe.exe | Binary or memory string: OriginalFilename vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000000.00000002.288874331.00000000080E0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000000.00000002.283738800.0000000001769000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000007.00000002.348014030.00000000019C3000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamesystray.exej% vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000007.00000002.349185830.0000000001C8F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe | Binary or memory string: OriginalFilenameEnumerableToBindableIterableAdapt.exeD vs 3Wok4G7Goe.exe
Source: 3Wok4G7Goe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eyFgpnfXIO.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3Wok4G7Goe.exe | Virustotal: Detection: 56%
Source: 3Wok4G7Goe.exe | ReversingLabs: Detection: 70%
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | File read: C:\Users\user\Desktop\3Wok4G7Goe.exe
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\3Wok4G7Goe.exe "C:\Users\user\Desktop\3Wok4G7Goe.exe"
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Process created: C:\Users\user\Desktop\3Wok4G7Goe.exe C:\Users\user\Desktop\3Wok4G7Goe.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeFile created: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exeJump to behavior
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeFile created: C:\Users\user\AppData\Local\Temp\tmpDDB3.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/8@0/0
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: 3Wok4G7Goe.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 3Wok4G7Goe.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
          Source: Binary string: systray.pdbGCTL source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 3Wok4G7Goe.exe, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: eyFgpnfXIO.exe.0.dr, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.3Wok4G7Goe.exe.ff0000.0.unpack, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.3Wok4G7Goe.exe.ff0000.0.unpack, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.5.unpack, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.2.3Wok4G7Goe.exe.f30000.1.unpack, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.1.unpack, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.2.unpack, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.0.unpack, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.9.unpack, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.7.unpack, DaylightTimeStru/UnionCodeGro.cs.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 0_2_019FE338 push esp; ret 0_2_019FE339
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 0_2_058B8B61 push eax; retf 0_2_058B8B75
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 0_2_058B91B7 push C400055Eh; iretd 0_2_058B91D1
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 7_2_0041B842 push eax; ret 7_2_0041B848
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 7_2_0041B84B push eax; ret 7_2_0041B8B2
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 7_2_004188F2 push ds; ret 7_2_004188F3
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 7_2_0041B8AC push eax; ret 7_2_0041B8B2
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 7_2_00416109 push cs; iretd 7_2_0041610A
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 7_2_00415237 pushfd ; iretd 7_2_00415238
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeCode function: 7_2_0041B7F5 push eax; ret 7_2_0041B848
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0435D0D1 push ecx; ret 18_2_0435D0E4
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_02145237 pushfd ; iretd 18_2_02145238
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0214B842 push eax; ret 18_2_0214B848
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0214B84B push eax; ret 18_2_0214B8B2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0214B8AC push eax; ret 18_2_0214B8B2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_021488F2 push ds; ret 18_2_021488F3
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_02146109 push cs; iretd 18_2_0214610A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0214B7F5 push eax; ret 18_2_0214B848
          Source: initial sampleStatic PE information: section name: .text entropy: 7.93992024133
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeFile created: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\systray.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:
