
Windows Analysis Report SRMETALINDUSTRIES.exe

Overview

General Information

Sample Name:SRMETALINDUSTRIES.exe
Analysis ID:483595
MD5:51fb6f484b4bc554a7fddb7dc24c994e
SHA1:6548d2e4c988457deb2a3435220f3252367462f3
SHA256:4b9ec9143ae2471c8cf540f5e3815c4ca4bb5e073d5c45e6bd934cc0350e8546
Tags:exexloader

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sigma detected: Suspect Svchost Activity
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
.NET source code contains very large strings
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • SRMETALINDUSTRIES.exe (PID: 6164 cmdline: 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe' MD5: 51FB6F484B4BC554A7FDDB7DC24C994E)
    • SRMETALINDUSTRIES.exe (PID: 1260 cmdline: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe MD5: 51FB6F484B4BC554A7FDDB7DC24C994E)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 1972 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 2456 cmdline: /c del 'C:\Users\user\Desktop\SRMETALINDUSTRIES.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nordicbatterybelt.net/n58i/"], "decoy": ["southerncircumstance.com", "mcsasco.com", "ifbrick.com", "societe-anonyme.net", "bantank.xyz", "dogecoin.beauty", "aboutacoffee.com", "babalandlordrealestate.com", "tintgta.com", "integrity.directory", "parwnr.icu", "poltishof.online", "stayandstyle.com", "ickjeame.xyz", "currentmotors.ca", "pond.fund", "petrosterzis.com", "deadbydaylightpoints.com", "hotel-balzac.paris", "focusmaintainance.com", "odeonmarket.com", "voeran.net", "lookailpop.xyz", "sashaignatenko.com", "royalgreenvillage.com", "airbhouse.com", "zl-dz.com", "fuwuxz.com", "wugupihuhepop.xyz", "zmdhysm.com", "luchin.site", "rnchaincvkbip.xyz", "fffddfrfqffrtgthhhbhffgfr.com", "goabbasoon.info", "booyahbucks.com", "ilovecoventry.com", "components-electronics.com", "advindustry.com", "browandline.com", "hotnspicy.site", "marlonj26.com", "holidays24.net", "starworks.online", "mbchaindogbbc.xyz", "3wouqg.com", "evnfreesx.com", "baureihe51.com", "hycelassetmanagement.space", "photostickomni-trendyfinds.com", "singisa4letterword.com", "thklw.online", "menramen.com", "highspeedinternetinc.com", "beerenhunger.info", "hisensor.world", "lassurancevalence.com", "clementchanlab.com", "customia.xyz", "alysvera-centroestetico.com", "cx-xiezuo.com", "index-mp3.com", "mybenefits51.com", "vyhozoi.site", "lingerista.net"]}

Yara Overview

Memory Dumps

Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(24 further memory-dump entries are not included in this extract)

Unpacked PEs

Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
  • 0x16af8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry is not included in this extract)

Sigma Overview

System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started; Author: David Burkett; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1972
Sigma detected: Suspicious Svchost Process
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1972
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started; Author: vburov; Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 1972

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: SRMETALINDUSTRIES.exe; ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match; File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: SRMETALINDUSTRIES.exe; Joe Sandbox ML: detected
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: SRMETALINDUSTRIES.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SRMETALINDUSTRIES.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: SRMETALINDUSTRIES.exe, 00000004.00000002.423283417.000000000149F000.00000040.00000001.sdmp, svchost.exe, 00000009.00000002.612928123.000000000351F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SRMETALINDUSTRIES.exe, 00000004.00000002.423283417.000000000149F000.00000040.00000001.sdmp, svchost.exe
Source: Binary string: svchost.pdb source: SRMETALINDUSTRIES.exe, 00000004.00000002.424002139.0000000001800000.00000040.00020000.sdmp
Source: Binary string: svchost.pdbUGP source: SRMETALINDUSTRIES.exe, 00000004.00000002.424002139.0000000001800000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4x nop then pop edi 4_2_0041625A
Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4x nop then pop edi 4_2_0040C3D2
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop edi 9_2_005A625A
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 4x nop then pop edi 9_2_0059C3D2

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49815 -> 44.227.65.245:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49815 -> 44.227.65.245:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49815 -> 44.227.65.245:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.hisensor.world
Source: C:\Windows\explorer.exe; Domain query: www.integrity.directory
Source: C:\Windows\explorer.exe; Network Connect: 13.250.255.10 80
Source: C:\Windows\explorer.exe; Domain query: www.sashaignatenko.com
Source: C:\Windows\explorer.exe; Domain query: www.ifbrick.com
Source: C:\Windows\explorer.exe; Network Connect: 44.227.65.245 80
Source: C:\Windows\explorer.exe; Domain query: www.nordicbatterybelt.net
Source: C:\Windows\explorer.exe; Network Connect: 185.215.4.13 80
Source: C:\Windows\explorer.exe; Network Connect: 165.73.84.33 80
Source: C:\Windows\explorer.exe; Domain query: www.advindustry.com
Source: C:\Windows\explorer.exe; Network Connect: 185.134.245.113 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.nordicbatterybelt.net/n58i/
Source: Joe Sandbox View; ASN Name: AfrihostZA AfrihostZA
Source: global traffic; HTTP traffic detected: GET /n58i/?fD=F+G31dedRh6HLTd+ecIv/qGaPc+OF0rVpdWlg5lJjBXzRtzoveZeEYo5TUAR7GVYQJUOwMAABw==&7nVT9d=P6AhC8Yh4LuLMhK0 HTTP/1.1 Host: www.ifbrick.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic; HTTP traffic detected: GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=unnhyE6s8wGaSGOfJAqqywl5AWsKat8KABC8TJyOz0JlXUzqDPtAwNp8gBEuIS9Csn5pfDFizQ== HTTP/1.1 Host: www.integrity.directory Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic; HTTP traffic detected: GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=M2+dNbjF68Ecx6/kG0IjEvERphPYwrhl5ASQUZVNwgXuLMQcMfVPa3ABQDdZS66N8pSyWuXUWw== HTTP/1.1 Host: www.nordicbatterybelt.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic; HTTP traffic detected: GET /n58i/?fD=PUNHIxjtOSFwkEXuacN/093UMB3LWAmrPV2Rldw+lO4ozANnbCtjpuKVlOTMjGDvzMsTPi3I2g==&7nVT9d=P6AhC8Yh4LuLMhK0 HTTP/1.1 Host: www.starworks.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic; HTTP traffic detected: GET /n58i/?7nVT9d=P6AhC8Yh4LuLMhK0&fD=IQPyE+VrRvak8LK8nAdRdA+GXS2RT8iR9v4gvsbeLz4LfgOhT+qf8KqQA9G0pMp8GxoQ9RLGrw== HTTP/1.1 Host: www.sashaignatenko.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View; IP Address: 185.134.245.113 185.134.245.113
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 15 Sep 2021 07:44:35 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 315 Connection: close Vary: Accept-Encoding X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000005.00000000.441229219.000000000095C000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp; String found in binary or memory: https://tilda.cc
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp; String found in binary or memory: https://www.domainnameshop.com/
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp; String found in binary or memory: https://www.domainnameshop.com/whois
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp; String found in binary or memory: https://www.domainnameshop.com/whois?currency=SEK&lang=sv
Source: svchost.exe, 00000009.00000002.614986708.0000000003AB2000.00000004.00020000.sdmp; String found in binary or memory: https://www.domeneshop.no/whois
Source: unknown; DNS traffic detected: queries for: www.hisensor.world
Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356349661.0000000000B58000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: SRMETALINDUSTRIES.exe, Forms/mainForm.cs; Long String: Length: 38272
Source: 0.0.SRMETALINDUSTRIES.exe.3f0000.0.unpack, Forms/mainForm.cs; Long String: Length: 38272
Source: 0.2.SRMETALINDUSTRIES.exe.3f0000.0.unpack, Forms/mainForm.cs; Long String: Length: 38272
Source: 4.2.SRMETALINDUSTRIES.exe.8d0000.1.unpack, Forms/mainForm.cs; Long String: Length: 38272
Source: 4.0.SRMETALINDUSTRIES.exe.8d0000.0.unpack, Forms/mainForm.cs; Long String: Length: 38272
Source: SRMETALINDUSTRIES.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.422353517.0000000000F00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.386735863.0000000007648000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.401938701.0000000007648000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.610457709.0000000000590000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.422322216.0000000000ED0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
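The memory-scan hits above name their source as a sandbox memory dump. The Python below is an added example, not part of this report and not Joe Sandbox code: it splits those dump names into fields and groups the hits so an analyst can see which process indices carry Formbook-matching regions and which of those regions were executable (the PAGE_* and MEM_* decoding uses the standard winnt.h constants). The field layout, process index.stage.dump id.base address.protection.region type, is an assumption read off the names on this page rather than documented sandbox behaviour, and the sample lines in the block are constructed from the entries above.

```python
"""Triage YARA memory-scan hits by decoding sandbox memory-dump names.

Added example. ASSUMPTION: a dump name has the layout
<process index>.<stage>.<dump id>.<base address>.<protection>.<region type>.sdmp
(all but the dump id in hex), inferred from the names in this report.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# PAGE_* memory protection constants from winnt.h.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEM_* region type constants from winnt.h; anything else is shown as raw hex.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_SDMP = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)
# Tolerates both "type: MEMORY; Matched rule:" and the fused "MEMORYMatched rule:".
_HIT = re.compile(r"Source:\s*(\S+?),\s*type:\s*(\w+?)[;,]?\s*Matched rule:\s*(\w+)")


@dataclass(frozen=True)
class Dump:
    process: int      # sandbox process index, not a Windows PID
    stage: int
    dump_id: int
    base: int
    protection: int
    region_type: int

    @property
    def executable(self) -> bool:
        # Any PAGE_EXECUTE* bit (0x10..0x80) means the region could run.
        return bool(self.protection & 0xF0)


def parse_dump_name(name: str):
    """Return a Dump for a well-formed .sdmp name, else None."""
    m = _SDMP.match(name)
    if not m:
        return None
    proc, stage, dump_id, base, prot, typ = m.groups()
    return Dump(int(proc, 16), int(stage, 16), int(dump_id),
                int(base, 16), int(prot, 16), int(typ, 16))


def describe(d: Dump) -> str:
    prot = PAGE_PROTECTION.get(d.protection & 0xFF, hex(d.protection))
    typ = MEM_TYPE.get(d.region_type, hex(d.region_type))
    return f"process {d.process} base {d.base:#x} {prot} {typ}"


def triage(report_lines):
    """Group MEMORY hits by process index and list the executable regions.

    Executable, writable regions matching a payload rule are the usual
    footprint of an unpacked or injected stage; read-write data regions
    (configuration, strings) appear in the per-process summary only.
    Returns (rules_by_process, executable_hits).
    """
    rules_by_process = defaultdict(set)
    executable_hits = []
    for line in report_lines:
        m = _HIT.search(line)
        if not m:
            continue
        source, kind, rule = m.groups()
        if kind != "MEMORY":            # skip UNPACKEDPE and file hits
            continue
        d = parse_dump_name(source)
        if d is None:
            continue
        rules_by_process[d.process].add(rule)
        if d.executable:
            executable_hits.append((d.process, d.base, rule))
    return dict(rules_by_process), executable_hits


# Constructed sample lines modelled on the entries in this report.
SAMPLE = [
    "Source: 00000004.00000002.421818321.0000000000400000.00000040.00000001.sdmp, "
    "type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23",
    "Source: 00000009.00000002.611035350.0000000000E30000.00000004.00000001.sdmp, "
    "type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group",
    "Source: 00000009.00000002.610962252.0000000000E00000.00000040.00020000.sdmp, "
    "type: MEMORYMatched rule: Formbook_1 date = 2018-11-23",
    "Source: 4.2.SRMETALINDUSTRIES.exe.400000.0.unpack, "
    "type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23",
]

if __name__ == "__main__":
    by_proc, exec_hits = triage(SAMPLE)
    for proc, rules in sorted(by_proc.items()):
        print(f"process {proc}: {sorted(rules)}")
    for proc, base, rule in exec_hits:
        print(f"executable hit: process {proc} base {base:#x} rule {rule}")
```

Run against the full hit list, this separates the PAGE_EXECUTE_READWRITE private regions (the unpacked Formbook stage at 0x400000 in process 4 and the copies in process 9) from the PAGE_READWRITE data regions that match only because they hold the payload's strings or configuration.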
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 0_2_04803198
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 0_2_0480342F
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 0_2_04803188
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 0_2_048061B8
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 0_2_04802EC8
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 0_2_04802ED8
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 0_2_048033EC
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 0_2_048033F8
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_0041B8DB
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_0041C136
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_0041D229
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_00408C6B
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_00408C70
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_00402D87
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_00402D90
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034F2B28
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034F1FF1
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0345EBB0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03446E30
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034F2EF7
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034F22AE
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034F1D55
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0342F900
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034F2D07
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03420D20
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03444120
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0343D5E0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03452581
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034E1002
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0343841F
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0343B090
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034520A0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034F20A8
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005AB8DB
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005AC136
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005AD229
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_00598C70
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_00598C6B
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_00592D90
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_00592D87
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_00592FB0
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: String function: 0342B150 appears 35 times
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_004185D0 NtCreateFile
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_00418680 NtReadFile
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_00418700 NtClose
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_004187B0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_004185CA NtCreateFile
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_0041867C NtReadFile
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_004186FB NtClose
          Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_004187AC NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034696D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034696E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034695D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034699A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469760 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0346A770 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0346A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034697A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0346A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469A10 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469A20 NtResumeThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469560 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0346AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034699D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0346B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034698F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005A85D0 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005A8680 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005A8700 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005A87B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005A85CA NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005A867C NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005A86FB NtClose
          Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_005A87AC NtAllocateVirtualMemory
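The svchost.exe code listing above resolves the native calls an injector needs: NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread for hollowing, and NtOpenThread with NtQueueApcThread for APC injection. The Python below is an added example, not code from this report or from Formbook: it reads "Code function" lines of this shape, collects the Nt* names per process, and reports only processes whose call set contains a complete technique cluster. The cluster definitions are assumptions of this example, not a published standard, and the presence of the names shows capability in the dumped code, not that the calls were executed; the sample lines are constructed from the entries above.

```python
"""Flag injection-capable processes from resolved native-call listings.

Added example. The technique clusters below are assumptions of this example
(a minimal set of ntdll calls each technique needs), not a published standard.
"""
import re
from collections import defaultdict

# Minimal Nt* call sets; a process is reported only when a whole set is present.
TECHNIQUES = {
    "process hollowing": {
        "NtUnmapViewOfSection",   # evict the legitimate image
        "NtWriteVirtualMemory",   # write the payload in its place
        "NtSetContextThread",     # point the main thread at the new entry
        "NtResumeThread",         # run it
    },
    "APC injection": {
        "NtOpenThread",           # get a handle on a target thread
        "NtWriteVirtualMemory",   # stage the code
        "NtQueueApcThread",       # run it on the target's next alertable wait
    },
}

_PROC = re.compile(r"Code function:\s*(\d+)_\d+_[0-9A-Fa-f]{8}")
# Source path ends at ';' or at the fused "Code function" text.
_SRC = re.compile(r"Source:\s*(.+?)\s*(?:;|Code function:)")
_NT = re.compile(r"\bNt[A-Z][A-Za-z0-9]*")


def native_calls_by_process(lines):
    """Map (process index, image path) -> set of Nt* names seen in its code."""
    calls = defaultdict(set)
    for line in lines:
        proc, src = _PROC.search(line), _SRC.search(line)
        if not proc or not src:
            continue
        calls[(int(proc.group(1)), src.group(1))].update(_NT.findall(line))
    return dict(calls)


def classify(calls):
    """Return {(process, path): [technique, ...]} for complete clusters only.

    Names resolved in a memory dump prove capability, not execution; a loader
    that re-resolves ntdll to dodge user-mode hooks resolves many of these
    without using them all, so treat a hit as a lead for the trace, not a verdict.
    """
    result = {}
    for key, names in calls.items():
        matched = [t for t, needed in TECHNIQUES.items() if needed <= names]
        if matched:
            result[key] = matched
    return result


def missing_for(calls, key, technique):
    """Which calls of `technique` are absent for `key` (empty set = complete)."""
    return TECHNIQUES[technique] - calls.get(key, set())


# Constructed sample lines modelled on the listing in this report.
SAMPLE = [
    r"Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_004185D0 NtCreateFile",
    r"Source: C:\Users\user\Desktop\SRMETALINDUSTRIES.exe; Code function: 4_2_004187B0 NtAllocateVirtualMemory",
    r"Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034697A0 NtUnmapViewOfSection",
    r"Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_034698A0 NtWriteVirtualMemory",
    r"Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0346AD30 NtSetContextThread",
    r"Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469A20 NtResumeThread",
    r"Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_0346A770 NtOpenThread",
    r"Source: C:\Windows\SysWOW64\svchost.exe; Code function: 9_2_03469950 NtQueueApcThread",
    # Fused form with the trailing function id, as extracted from the report.
    r"Source: C:\Windows\SysWOW64\svchost.exeCode function: 9_2_03469710 NtQueryInformationToken,LdrInitializeThunk,9_2_03469710",
]

if __name__ == "__main__":
    calls = native_calls_by_process(SAMPLE)
    for (proc, path), techniques in classify(calls).items():
        print(f"process {proc} ({path}): {', '.join(techniques)}")
```

On the sample, only process 9 (svchost.exe) is reported, for both clusters; process 4 resolves only file and allocation calls and is left out. missing_for shows which call keeps a partial cluster from matching, which is the quickest way to tell a near-miss from a benign process.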
          Source: SRMETALINDUSTRIES.exe; Binary or memory string: OriginalFilename vs SRMETALINDUSTRIES.exe
          Source: SRMETALINDUSTRIES.exe, 00000000.00000000.343837964.00000000003F2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameMemberIn.exe4 vs SRMETALINDUSTRIES.exe
          Source: SRMETALINDUSTRIES.exe, 00000000.00000002.357083874.00000000037F9000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs SRMETALINDUSTRIES.exe
          Source: SRMETALINDUSTRIES.exe, 00000000.00000002.356818988.0000000002807000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs SRMETALINDUSTRIES.exe
          Source: SRMETALINDUSTRIES.exe; Binary or memory string: OriginalFilename vs SRMETALINDUSTRIES.exe
          Source: SRMETALINDUSTRIES.exe, 00000004.00000002.421916752.00000000008D2000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameMemberIn.exe4 vs SRMETALINDUSTRIES.exe
          Source: SRMETALINDUSTRIES.exe, 00000004.00000002.423597861.000000000162F000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs SRMETALINDUSTRIES.exe
          Source: SRMETALINDUSTRIES.exe, 00000004.00000002.422684210.0000000000F66000.00000004.00000020.sdmp; Binary or memory string: OriginalFilenamesvchost.exej% vs SRMETALINDUSTRIES.exe
          Source: SRMETALINDUSTRIES.exe; Binary or memory string: OriginalFilenameMemberIn.exe4 vs SRMETALINDUSTRIES.exe
          Source: SRMETALINDUSTRIES.exe