Windows Analysis Report F63V4i8eZU.exe

Overview

General Information

Sample Name: F63V4i8eZU.exe
Analysis ID: 450884
MD5: 08730cdd286a4c9d46b38bb6545ac311
SHA1: 001bb7b5b8d63e505661d7e4a178d08abe6bbad7
SHA256: cb2a2537987e45c8461d40a0ec6c24215920519257134db91dd1369ff5abf342
Tags: 32exe

Detection

GuLoader FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
GuLoader behavior detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Potentially malicious time measurement code found
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • F63V4i8eZU.exe (PID: 1288 cmdline: 'C:\Users\user\Desktop\F63V4i8eZU.exe' MD5: 08730CDD286A4C9D46B38BB6545AC311)
    • F63V4i8eZU.exe (PID: 772 cmdline: 'C:\Users\user\Desktop\F63V4i8eZU.exe' MD5: 08730CDD286A4C9D46B38BB6545AC311)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 5756 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 6112 cmdline: /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001F.00000002.1285459135.0000000004FC5000.00000004.00000020.sdmp | LokiBot_Dropper_Packed_R11_Feb18 | Auto-generated rule - file scan copy.pdf.r11 | Florian Roth
  • 0x32c6c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: F63V4i8eZU.exe | Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}
Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.yellow-wink.com/nff/"], "decoy": ["shinseikai.site", "creditmystartup.com", "howtovvbucks.com", "betterfromthebeginning.com", "oubacm.com", "stonalogov.com", "gentrypartyof8.com", "cuesticksandsupplies.com", "joelsavestheday.com", "llanobnb.com", "ecclogic.com", "miempaque.com", "cai23668.com", "miscdr.net", "twzhhq.com", "bloomandbrewcafe.com", "angcomleisure.com", "mafeeboutique.com", "300coin.club", "brooksranchhomes.com", "konversiondigital.com", "dominivision.com", "superiorshinedetailing.net", "thehomechef.global", "dating-web.site", "gcbsclubc.com", "mothererph.com", "pacleanfuel.com", "jerseryshorenflflagfootball.com", "roberthyatt.com", "wwwmacsports.com", "tearor.com", "american-ai.com", "mkyiyuan.com", "gempharmatechllc.com", "verdijvtc.com", "zimnik-bibo.one", "heatherdarkauthor.net", "dunn-labs.com", "automotivevita.com", "bersatubagaidulu.com", "gorillarecruiting.com", "mikecdmusic.com", "femuveewedre.com", "onyxmodsllc.com", "ooweesports.com", "dezeren.com", "foeweifgoor73dz.com", "sorchaashe.com", "jamiitulivu.com", "jifengshijie.com", "ranchfiberglas.com", "glendalesocialmediaagency.com", "icuvietnam.com", "404hapgood.com", "planetturmeric.com", "danfrem.com", "amazonautomationbusiness.com", "switchfinder.com", "diversifiedforest.com", "findnehomes.com", "rsyueda.com", "colombianmatrimony.com", "evan-dawson.info"]}
Multi AV Scanner detection for submitted file
Source: F63V4i8eZU.exe | Virustotal: Detection: 10%
Yara detected FormBook
Source: Yara match | File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY
Source: F63V4i8eZU.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown | HTTPS traffic detected: 133.130.104.18:443 -> 192.168.2.3:49746 version: TLS 1.2
Source: Binary string: chkdsk.pdbGCTL | source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp
Source: Binary string: chkdsk.pdb | source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb | source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe
Source: Binary string: wntdll.pdbUGP | source: F63V4i8eZU.exe, 00000012.00000002.480375309.000000001E390000.00000040.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1285968735.0000000005440000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: F63V4i8eZU.exe, chkdsk.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop edi | 31_2_00C2E442

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.yellow-wink.com/nff/
Source: Malware configuration extractor | URLs: https://kinmirai.org/wp-content/bin_QVwo
Source: global traffic | HTTP traffic detected: GET /nff/?D48p=kOxlMsEjtzqi35JKXOQvqY0Z9Dr8MJKVGpcl7uHZUSc/duxdP9tVlajaQyGMVspbd71z&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.oubacm.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=1Xxx+qd8pBTLA+WTXKo7XaXaUaa/vtHv40sNd0BzbA6K7Qnc9Dw7+srX/AipaLaYNVgg HTTP/1.1 | Host: www.mothererph.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=t6POCtyEK9WeI3wHMDqVXFf1P6NZVFBUQrx3hzUMeWhQO7zB8dJJWUZafBhAs6NE8fvj HTTP/1.1 | Host: www.howtovvbucks.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?D48p=A3r1GoCxq8luIa6nCE3Ske6N+BTFMgq1N1qJ/FMsH45BCQO39yS3uoKBERul6QoZrrZt&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.mikecdmusic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=hj2zxdGwTxg/Oy5I2ijyN0fTICzPxcwPRfXb7vTf2tNSz2x0IcDR494UQaPw8xmFi6Rl HTTP/1.1 | Host: www.pacleanfuel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?D48p=yLp+OGFnl0jg7pOzvTf//aMS5CTocG0VRGMnH1GHhYzZCkZUh0GgSDI2xq5DNsTFnZjT&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.foeweifgoor73dz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=27rvRn0KmepyxD8tf0kCiU4ghUW26GTZLquNc10L5JocjkBpiI2ubcvHzFDqc++aW5sB HTTP/1.1 | Host: www.thehomechef.global | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?D48p=BYCicstSjiimYQeLhOM2IfVFUU5xkRxUW/ddRKXtK0U5B2C8EeMnAtCjd12GxjTXIZnB&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.yellow-wink.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=CcVDHNb77dcNdWY2oqs0Q3cJ+rSEYLRnUCyMOMN+TEyN4HUBsnEuVHzuIckGNGmzeXmd HTTP/1.1 | Host: www.amazonautomationbusiness.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=cRGxEbCxtxOklbCQDq2naIaOwJUFKZbTk/bYH1mjDoD5ciZshsmVa8jbK15SYwAvUHmE HTTP/1.1 | Host: www.ooweesports.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?D48p=oo8PZR09GamqRkCLHSTg5AKJvm44C+19X1uEOPW4zTuWS3c9RrL+Vx+B8Ikvp/Bi1Hxc&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.gentrypartyof8.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?-ZgX=tR-DSFa8o&D48p=23vdk0INmHdYoMyjDJpAXxw5aErMVqufSgZPm4X7AcKozm0yVvV2ivtCtqAjwFsJpdV9 HTTP/1.1 | Host: www.dunn-labs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nff/?D48p=4F7AytNRxG9Okht4XRBjCmtmhOo761MGK9UHRz2K68ko8sG2VRn93GfHKNzVTrlp6vls&-ZgX=tR-DSFa8o HTTP/1.1 | Host: www.tearor.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.50.252.64
Source: Joe Sandbox View | IP Address: 212.32.237.90
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: GOOGLE-2US
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp | String found in binary or memory: <a href="https://www.facebook.com/InstraCorp" target="_blank" rel="nofollow"><i class="fa fa-facebook"></i></a> equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: kinmirai.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 19 Jul 2021 18:23:41 GMT | Content-Type: text/html | Content-Length: 146 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: explorer.exe, 0000001D.00000000.448268826.00000000089F9000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp | String found in binary or memory: http://farmersschool.ge/bin_QVwEr224.bin
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp | String found in binary or memory: http://survey-smiles.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000001D.00000000.448303771.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Lato:300
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp | String found in binary or memory: https://kinmirai.org/wp-content/bin_QVwEr224.bin
Source: F63V4i8eZU.exe, 00000012.00000002.475431458.00000000006F0000.00000004.00000001.sdmp | String found in binary or memory: https://kinmirai.org/wp-content/bin_QVwEr224.binhttp://farmersschool.ge/bin_QVwEr224.binwininet.dllM
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp | String found in binary or memory: https://twitter.com/instra
Source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp | String found in binary or memory: https://www.instra.com/?utm_medium=free_parking&utm_source=thehomechef.global
Source: chkdsk.exe, 0000001F.00000002.1287294288.0000000005E5F000.00000004.00000001.sdmp | String found in binary or memory: https://www.instra.com/en/hosting/web-hosting-packages/?utm_medium=free_parking&utm_source=thehomech
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | HTTPS traffic detected: 133.130.104.18:443 -> 192.168.2.3:49746 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY

      System Summary:

      barindex
      Malicious sample detected (through community Yara rule)Show sources
      Source: 0000001F.00000002.1285459135.0000000004FC5000.00000004.00000020.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
      Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
      Source: 0000001F.00000002.1287054375.000000000596F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
      Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess Stats: CPU usage > 98%
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A5852 NtWriteVirtualMemory,LoadLibraryA
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A88E2 NtProtectVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A08DC NtWriteVirtualMemory,TerminateProcess
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A045E EnumWindows,NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A8DB4 NtWriteVirtualMemory,CreateProcessInternalW
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A55EC NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A423F NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4263 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4277 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A5A46 NtWriteVirtualMemory,LoadLibraryA
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A33A7 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A48E8 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A28E2 NtWriteVirtualMemory,LoadLibraryA
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4128 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A513E NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A46E4 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A5724 NtAllocateVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A1FD9 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4C2B NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4C21 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A2470 NtWriteVirtualMemory,LoadLibraryA
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A3C4D NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4C45 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A7CA5 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4CBE NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4CB4 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A7488 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4CD8 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 0_2_022A4D4C NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9A20 NtResumeThread,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9A00 NtProtectVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9660 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9A50 NtCreateFile,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F96E0 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9710 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F97A0 NtUnmapViewOfSection,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9780 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9860 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9840 NtDelayExecution,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F98F0 NtReadVirtualMemory,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9540 NtReadFile,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F99A0 NtCreateSection,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F95D0 NtClose,LdrInitializeThunk
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9610 NtEnumerateValueKey
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9A10 NtQuerySection
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9670 NtQueryInformationProcess
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9650 NtQueryValueKey
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9A80 NtOpenDirectoryObject
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F96D0 NtCreateKey
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9730 NtQueryVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3FA710 NtOpenProcessToken
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9B00 NtSetValueKey
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9770 NtSetInformationFile
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3FA770 NtOpenThread
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9760 NtOpenProcess
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3FA3B0 NtGetContextThread
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9FE0 NtCreateMutant
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9820 NtEnumerateKey
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3FB040 NtSuspendThread
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F98A0 NtWriteVirtualMemory
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3FAD30 NtSetContextThread
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9520 NtWaitForSingleObject
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9560 NtWriteFile
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F9950 NtQueueApcThread
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F95F0 NtQueryInformationFile
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: 18_2_1E3F99D0 NtCreateProcessEx
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9540 NtReadFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A95D0 NtClose,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9710 NtQueryInformationToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9FE0 NtCreateMutant,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9780 NtMapViewOfSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9650 NtQueryValueKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9660 NtAllocateVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A96D0 NtCreateKey,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A96E0 NtFreeVirtualMemory,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A99A0 NtCreateSection,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9840 NtDelayExecution,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9860 NtQuerySystemInformation,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9A50 NtCreateFile,LdrInitializeThunk
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9560 NtWriteFile
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9520 NtWaitForSingleObject
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054AAD30 NtSetContextThread
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A95F0 NtQueryInformationFile
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9760 NtOpenProcess
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054AA770 NtOpenThread
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9770 NtSetInformationFile
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054AA710 NtOpenProcessToken
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9730 NtQueryVirtualMemory
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A97A0 NtUnmapViewOfSection
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9670 NtQueryInformationProcess
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9610 NtEnumerateValueKey
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9950 NtQueueApcThread
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A99D0 NtCreateProcessEx
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054AB040 NtSuspendThread
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9820 NtEnumerateKey
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A98F0 NtReadVirtualMemory
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A98A0 NtWriteVirtualMemory
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9B00 NtSetValueKey
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054AA3B0 NtGetContextThread
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9A00 NtProtectVirtualMemory
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9A10 NtQuerySection
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9A20 NtResumeThread
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_054A9A80 NtOpenDirectoryObject
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_00C39D50 NtCreateFile
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_00C39E80 NtClose
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_00C39E00 NtReadFile
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_00C39F30 NtAllocateVirtualMemory
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_00C39DA9 NtReadFile
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_00C39E7A NtClose
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 31_2_00C39F2D NtAllocateVirtualMemory
      Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 0546B150 appears 69 times
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Code function: String function: 1E3BB150 appears 35 times
      Source: F63V4i8eZU.exe | Static PE information: invalid certificate
      Source: F63V4i8eZU.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: F63V4i8eZU.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: F63V4i8eZU.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: F63V4i8eZU.exe, 00000000.00000002.316213281.0000000000438000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000002.481559175.000000001E63F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000002.476842708.00000000023E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000002.476803523.0000000000AF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000000.315529096.0000000000438000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe, 00000012.00000002.475313264.00000000000D6000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe | Binary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
      Source: F63V4i8eZU.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: 0000001F.00000002.1285459135.0000000004FC5000.00000004.00000020.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.475233799.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001F.00000002.1285321494.0000000004EF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001F.00000002.1284276742.0000000000C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000012.00000002.480114894.000000001E160000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001D.00000000.464429746.000000000618B000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000001F.00000002.1285203514.0000000004EC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000001F.00000002.1287054375.000000000596F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/0@17/13
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_01
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | File created: C:\Users\user\AppData\Local\Temp\~DFC9489ADE652B7AA1.TMP
      Source: F63V4i8eZU.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
      Source: F63V4i8eZU.exe | Virustotal: Detection: 10%
      Source: unknown | Process created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe | Process created: C:\Users\user\Desktop\F63V4i8eZU.exe 'C:\Users\user\Desktop\F63V4i8eZU.exe'
      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
      Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\F63V4i8eZU.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
      Source: F63V4i8eZU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
      Source: Binary string: chkdsk.pdbGCTL source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp
      Source: Binary string: chkdsk.pdb source: F63V4i8eZU.exe, 00000012.00000002.475302278.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: chkdsk.exe, 0000001F.00000002.1285611475.0000000004FFD000.00000004.00000020.sdmp, F63V4i8eZU.exe
      Source: Binary string: wntdll.pdbUGP source: F63V4i8eZU.exe, 00000012.00000002.480375309.000000001E390000.00000040.00000001.sdmp, chkdsk.exe, 0000001F.00000002.1285968735.0000000005440000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: F63V4i8eZU.exe, chkdsk.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 0000001D.00000000.448678814.0000000009B40000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match File source: 00000000.00000002.316460586.00000000022A0000.00000040.00000001.sdmp, type: MEMORY
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_00406408 push es; ret 0_2_0040640F
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_00405D8C push es; ret 0_2_00405D8B
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B1833 push edx; ret 0_2_021B1861
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B0218 push edx; ret 0_2_021B0241
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B4A13 push edx; ret 0_2_021B4A41
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B3213 push edx; ret 0_2_021B3241
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B1A13 push edx; ret 0_2_021B1A41
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B6214 push edx; ret 0_2_021B6241
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B5A03 push edx; ret 0_2_021B5A31
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B4205 push edx; ret 0_2_021B4231
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B2A05 push edx; ret 0_2_021B2A31
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B1205 push edx; ret 0_2_021B1231
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B4233 push edx; ret 0_2_021B4261
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B2A33 push edx; ret 0_2_021B2A61
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B1233 push edx; ret 0_2_021B1261
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B5A33 push edx; ret 0_2_021B5A61
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B5225 push edx; ret 0_2_021B5251
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B3A24 push edx; ret 0_2_021B3A51
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B2224 push edx; ret 0_2_021B2251
      Source: C:\Users\user\Desktop\F63V4i8eZU.exe Code function: 0_2_021B0A24 push edx; ret