
Windows Analysis Report 3Wok4G7Goe

Overview

General Information

Sample Name: 3Wok4G7Goe (renamed file extension from none to exe)
Analysis ID: 552763
MD5: 1e14373563bcf10103f2850b17b100ea
SHA1: f19d6f0a506f86025ee25ab6ad9405e4bc297783
SHA256: 8d38be02ab71fba9115c3a645edf515c62ffe53a5a590f7b37f362ab117473a1
Tags: 32, exe, trojan

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Sigma detected: Suspicius Add Task From User AppData Temp
Machine Learning detection for sample
.NET source code contains potential unpacker
Sigma detected: Powershell Defender Exclusion
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Adds a directory exclusion to Windows Defender
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 3Wok4G7Goe.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\3Wok4G7Goe.exe" MD5: 1E14373563BCF10103F2850B17B100EA)
    • powershell.exe (PID: 6748 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • schtasks.exe (PID: 6784 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 3Wok4G7Goe.exe (PID: 6948 cmdline: C:\Users\user\Desktop\3Wok4G7Goe.exe MD5: 1E14373563BCF10103F2850B17B100EA)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • systray.exe (PID: 6552 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.topeasyip.company/i5nb/"], "decoy": ["integratedheartspsychology.com", "tappsis.land", "norfg.com", "1531700.win", "oneplusoneexperience.com", "circlessalaries.com", "tlcremodelingcompany.com", "susalud.info", "liyanghua.club", "pink-zemi.com", "orphe.biz", "themodelclarified.com", "candidate.tools", "morotrip.com", "d2dfms.com", "leisuresabah.com", "bjbwx114.com", "lz-fcaini1718-hw0917-bs.xyz", "at-commerce-co.net", "buymypolicy.net", "5151vip73.com", "rentglide.com", "louiecruzbeltran.info", "lanabasargina.com", "lakeforestparkapartments.com", "guangkaiyinwu.com", "bornthin.com", "restaurantkitchenbuilders.com", "ecommerceoptimise.com", "datahk99.com", "markfwalker.com", "granitowawarszawa.com", "theyouthwave.com", "iabg.xyz", "jholbrook.com", "bsc.promo", "xn--grlitzerseebhne-8sb7i.com", "cafeteriasula.com", "plushcrispies.com", "dedicatedvirtualassistance.com", "ventura-taxi.com", "thoethertb434-ocn.xyz", "ylhwcl.com", "bigsyncmusic.biz", "terapiaholisticaemformacao.com", "comidies.com", "171diproad.com", "07dgj.xyz", "vppaintllc.com", "thepatriottutor.com", "wxfive.com", "ceinpsico.com", "tuningelement.store", "asinment.com", "diafraz.xyz", "8crhnwh658ga.biz", "redwolf-tech.com", "ksherfan.com", "sensationalshroom.com", "buy-instagram-followers.net", "treeserviceconsulting.com", "vnln.space", "kate-films.com", "selfmeta.club"]}

Yara Overview

Memory Dumps

Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(31 further memory dump entries not shown)

Unpacked PEs

Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
  • 0x15ce9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dfc:$sqlite3step: 68 34 1C 7B E1
  • 0x15d18:$sqlite3text: 68 38 2A 90 C5
  • 0x15e3d:$sqlite3text: 68 38 2A 90 C5
  • 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac6a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(25 further unpacked PE entries not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicius Add Task From User AppData Temp
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp, CommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\3Wok4G7Goe.exe" , ParentImage: C:\Users\user\Desktop\3Wok4G7Goe.exe, ParentProcessId: 6492, ProcessCommandLine: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp, ProcessId: 6784
Sigma detected: Powershell Defender Exclusion
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3Wok4G7Goe.exe" , ParentImage: C:\Users\user\Desktop\3Wok4G7Goe.exe, ParentProcessId: 6492, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe, ProcessId: 6748
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe, CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3Wok4G7Goe.exe" , ParentImage: C:\Users\user\Desktop\3Wok4G7Goe.exe, ParentProcessId: 6492, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe, ProcessId: 6748
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132865989708799923.6748.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (C2 list and decoy domains as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 3Wok4G7Goe.exe; Virustotal: Detection: 56%
Source: 3Wok4G7Goe.exe; ReversingLabs: Detection: 70%
Yara detected FormBook
Source: Yara match; File source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: www.topeasyip.company/i5nb/; Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe; Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe; ReversingLabs: Detection: 70%
Machine Learning detection for sample
Source: 3Wok4G7Goe.exe; Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe; Joe Sandbox ML: detected
Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3Wok4G7Goe.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 3Wok4G7Goe.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: systray.pdb; source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
Source: Binary string: systray.pdbGCTL; source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP; source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe; Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\3Wok4G7Goe.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\systray.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\systray.exe; Code function: 4x nop then pop esi

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.topeasyip.company/i5nb/
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.284483243.000000000352B000.00000004.00000001.sdmp, 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.327750963.0000000006840000.00000004.00000001.sdmp, explorer.exe, 0000000B.00000000.290461857.0000000006840000.00000004.00000001.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: 3Wok4G7Goe.exe, 00000000.00000002.287709066.00000000073F2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: 3Wok4G7Goe.exe, 00000000.00000002.283738800.0000000001769000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3Wok4G7Goe.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.3Wok4G7Goe.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.3Wok4G7Goe.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.3Wok4G7Goe.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.3Wok4G7Goe.exe.4685b20.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.3Wok4G7Goe.exe.462ed00.4.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.281378639.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.514743460.0000000002130000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346591920.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.347595779.0000000001490000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.517168088.0000000003F40000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.329933036.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.280991422.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.517434675.0000000003FA0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.347386368.0000000001460000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000000.311709571.0000000007FAD000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_019FC4BC
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_019FE430
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_019FE420
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_058B0338
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00401030
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041C95A
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041C96E
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041D128
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041C38D
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041BB9E
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00408C90
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00402D8A
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00402D90
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041BF8B
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00402FB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431841F
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043C1002
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431B090
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04300D20
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04324120
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0430F900
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043D1D55
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431D5E0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04326E30
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0433EBB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214BB9E
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214C38D
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214D128
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214C95A
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214C96E
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02132FB0
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02138C90
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02132D90
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02132D8A
          Source: C:\Windows\SysWOW64\systray.exe | Code function: String function: 0430B150 appears 32 times
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004185F0 NtCreateFile,
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004186A0 NtReadFile,
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00418720 NtClose,
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004187D0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00418642 NtCreateFile,
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041869D NtReadFile,
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041871A NtClose,
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004187CB NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043499A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043495D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043496E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043496D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349840 NtDelayExecution,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043498A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043498F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349560 NtWriteFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043495F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043499D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04349760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0434A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043497A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_021486A0 NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02148720 NtClose,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_021487D0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_021485F0 NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02148642 NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214869D NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214871A NtClose,
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_021487CB NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exe | Process Stats: CPU usage > 98%
          Source: 3Wok4G7Goe.exe | Binary or memory string: OriginalFilename vs 3Wok4G7Goe.exe
          Source: 3Wok4G7Goe.exe, 00000000.00000002.288874331.00000000080E0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs 3Wok4G7Goe.exe
          Source: 3Wok4G7Goe.exe, 00000000.00000002.284841170.00000000044E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dllF vs 3Wok4G7Goe.exe
          Source: 3Wok4G7Goe.exe, 00000000.00000002.283738800.0000000001769000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 3Wok4G7Goe.exe
          Source: 3Wok4G7Goe.exe, 00000007.00000002.348014030.00000000019C3000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamesystray.exej% vs 3Wok4G7Goe.exe
          Source: 3Wok4G7Goe.exe, 00000007.00000002.349185830.0000000001C8F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3Wok4G7Goe.exe
          Source: 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 3Wok4G7Goe.exe
          Source: 3Wok4G7Goe.exe | Binary or memory string: OriginalFilenameEnumerableToBindableIterableAdapt.exeD vs 3Wok4G7Goe.exe
          Source: 3Wok4G7Goe.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: eyFgpnfXIO.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 3Wok4G7Goe.exe | Virustotal: Detection: 56%
          Source: 3Wok4G7Goe.exe | ReversingLabs: Detection: 70%
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | File read: C:\Users\user\Desktop\3Wok4G7Goe.exe
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\3Wok4G7Goe.exe "C:\Users\user\Desktop\3Wok4G7Goe.exe"
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Process created: C:\Users\user\Desktop\3Wok4G7Goe.exe C:\Users\user\Desktop\3Wok4G7Goe.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | File created: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | File created: C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/8@0/0
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6888:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_01
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 3Wok4G7Goe.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 3Wok4G7Goe.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
          Source: Binary string: systray.pdbGCTL source: 3Wok4G7Goe.exe, 00000007.00000002.347994958.00000000019C0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 3Wok4G7Goe.exe, 00000007.00000002.348027146.00000000019E0000.00000040.00000001.sdmp, 3Wok4G7Goe.exe, 00000007.00000002.348711608.0000000001AFF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000012.00000002.518438666.00000000043FF000.00000040.00000001.sdmp, systray.exe, 00000012.00000002.517963450.00000000042E0000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: 3Wok4G7Goe.exe, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: eyFgpnfXIO.exe.0.dr, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.3Wok4G7Goe.exe.ff0000.0.unpack, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.3Wok4G7Goe.exe.ff0000.0.unpack, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.5.unpack, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.2.3Wok4G7Goe.exe.f30000.1.unpack, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.1.unpack, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.2.unpack, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.0.unpack, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.9.unpack, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 7.0.3Wok4G7Goe.exe.f30000.7.unpack, DaylightTimeStru/UnionCodeGro.cs | .Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_019FE338 push esp; ret
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_058B8B61 push eax; retf
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 0_2_058B91B7 push C400055Eh; iretd
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041B842 push eax; ret
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041B84B push eax; ret
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004188F2 push ds; ret
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041B8AC push eax; ret
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00416109 push cs; iretd
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_00415237 pushfd ; iretd
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_0041B7F5 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0435D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02145237 pushfd ; iretd
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214B842 push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214B84B push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214B8AC push eax; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_021488F2 push ds; ret
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_02146109 push cs; iretd
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0214B7F5 push eax; ret
          Source: initial sample | Static PE information: section name: .text entropy: 7.93992024133 (2 identical rows)
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | File created: C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp"
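The schtasks row just above, the Add-MpPreference exclusion in the process-creation rows earlier in this report, and the sample re-launching its own image are the three process-creation artefacts a detection engineer would key on. The Python below is an added example and is not part of the Joe Sandbox report, of its Sigma rules, or of the sample: it runs three rules over constructed process-creation events whose command lines mirror the report's rows. The record field names (image, cmdline, parent_image), the two benign look-alike events, and the self-spawn heuristic are assumptions of the example.

```python
"""Process-creation detection for the behaviours seen in the report rows above.

Added example (not Joe Sandbox, Sigma or sample code). Field names, the benign
rows and the self-spawn heuristic are assumptions of this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon EID 1 / Security 4688 style; field names assumed)."""
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the creating process


# Constructed sample telemetry: rows 1-4 reproduce the report's process tree,
# rows 5-6 are benign look-alikes the rules must not flag.
EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eyFgpnfXIO.exe"',
              r"C:\Users\user\Desktop\3Wok4G7Goe.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eyFgpnfXIO" /XML "C:\Users\user\AppData\Local\Temp\tmpDDB3.tmp"',
              r"C:\Users\user\Desktop\3Wok4G7Goe.exe"),
    ProcEvent(r"C:\Users\user\Desktop\3Wok4G7Goe.exe",
              r"C:\Users\user\Desktop\3Wok4G7Goe.exe",
              r"C:\Users\user\Desktop\3Wok4G7Goe.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\systray.exe",
              r"C:\Windows\SysWOW64\systray.exe",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Build"',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\task.xml"',
              r"C:\Program Files\Vendor\setup.exe"),
]

# Directories a standard user can write to: an exclusion or payload here needs no admin rights.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Argument extractors: a double-quoted value or a single bare token.
EXCLUSION_ARG = re.compile(r'-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
XML_ARG = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev: ProcEvent):
    """Add-MpPreference exclusion whose target lives under a user-writable directory."""
    if "add-mppreference" not in ev.cmdline.lower():
        return None
    m = EXCLUSION_ARG.search(ev.cmdline)
    if not m:
        return None
    target = m.group(1) or m.group(2)
    return f"Defender exclusion for user-writable path {target}" if USER_WRITABLE.search(target) else None


def rule_schtasks_xml_temp(ev: ProcEvent):
    """schtasks /Create that imports its task definition from %TEMP%."""
    if _base(ev.image) != "schtasks.exe" or "/create" not in ev.cmdline.lower():
        return None
    m = XML_ARG.search(ev.cmdline)
    if not m:
        return None
    xml = m.group(1) or m.group(2)
    return f"task definition loaded from Temp: {xml}" if TEMP_DIR.search(xml) else None


def rule_self_spawn(ev: ProcEvent):
    """Heuristic: a user-directory binary re-launching its own image, as the hollowing loader here does."""
    if ev.image.lower() == ev.parent_image.lower() and USER_WRITABLE.search(ev.image):
        return f"self-spawn of {ev.image}"
    return None


RULES = (rule_defender_exclusion, rule_schtasks_xml_temp, rule_self_spawn)


def evaluate(events):
    """Return (rule name, image, detail) for every rule that fires on every event."""
    hits = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev.image, detail))
    return hits


if __name__ == "__main__":
    for name, image, detail in evaluate(EVENTS):
        print(f"{name:25} {image}\n    {detail}")
```

Running the module prints the three hits; the two benign rows (an exclusion under Program Files, a task XML read from an installer directory) stay silent, which is why the rules key on the user-writable path rather than on the presence of Add-MpPreference or schtasks alone.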
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Process information set: NOOPENFILEERRORBOX (43 identical rows)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (114 identical rows)
          Source: C:\Windows\SysWOW64\systray.exe | Process information set: NOGPFAULTERRORBOX|NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 0.2.3Wok4G7Goe.exe.35177d0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.3Wok4G7Goe.exe.350f7c4.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.3Wok4G7Goe.exe.3554590.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.284483243.000000000352B000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: 3Wok4G7Goe.exe PID: 6492, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: 3Wok4G7Goe.exe, 00000000.00000002.284483243.000000000352B000.00000004.00000001.sdmp, 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: 3Wok4G7Goe.exe, 00000000.00000002.284483243.000000000352B000.00000004.00000001.sdmp, 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 0000000002138614 second address: 000000000213861A instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\systray.exe | RDTSC instruction interceptor: First address: 00000000021389AE second address: 00000000021389B4 instructions: 0x00000000 rdtsc; 0x00000002 xor ecx, ecx; 0x00000004 add ecx, eax; 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe TID: 6496 | Thread sleep time: -34414s >= -30000s
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe TID: 6512 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6940 | Thread sleep time: -11068046444225724s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6900 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004088E0 rdtsc
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5263
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 608
          Source: C:\Windows\SysWOW64\systray.exe | API coverage: 9.0 %
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Thread delayed: delay time: 34414
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 0000000B.00000000.325815302.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.312349844.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000000B.00000000.312349844.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000000B.00000000.331559441.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 0000000B.00000000.331559441.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 0000000B.00000000.325815302.00000000048E0000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.332023737.0000000008CEA000.00000004.00000001.sdmp | Binary or memory string: 6e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.294241032.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 0000000B.00000000.331559441.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 0000000B.00000000.294241032.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000000B.00000000.327940218.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
          Source: 3Wok4G7Goe.exe, 00000000.00000002.284413072.00000000034E1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Code function: 7_2_004088E0 rdtsc
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\3Wok4G7Goe.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\systray.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0431B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0433002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0433002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0433002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0433002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0433002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_0433BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_043D4015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04387016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe | Code function: 18_2_04387016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04387016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043D740D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04386C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04386C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04386C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04386C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C1C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043D1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0432746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04320050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04320050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0439C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0439C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0433A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0433F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0433F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0433F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043490AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0431849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04309080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04383884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04383884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043C14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04386CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04386CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04386CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0439B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0439B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0439B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0439B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0439B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0439B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043D8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0430AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04313D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04334D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04334D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04334D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043D8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0433513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0433513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0438A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04324120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04324120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04324120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04324120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04324120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04309100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04309100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04309100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0430B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0430B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0432C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0432C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0430C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04327D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0432B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_0432B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04343D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04383540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04331DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04331DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_04331DB5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043851BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043335A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exeCode function: 18_2_043361A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\systray.exe