
Analysis Report hvEop8Y70Y.exe

Overview

General Information

Sample Name: hvEop8Y70Y.exe
Analysis ID: 383848
MD5: bd7e988ed1d92f9faf32f6a817d89329
SHA1: 4ab28bec26ad120653ca060a4c735befded7551e
SHA256: 94b77677478f890b5f9e0561aebc0f66b1b2fc4494d016e9b5a70ed0ba20980b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • hvEop8Y70Y.exe (PID: 6364 cmdline: 'C:\Users\user\Desktop\hvEop8Y70Y.exe' MD5: BD7E988ED1D92F9FAF32F6A817D89329)
    • hvEop8Y70Y.exe (PID: 6668 cmdline: C:\Users\user\Desktop\hvEop8Y70Y.exe MD5: BD7E988ED1D92F9FAF32F6A817D89329)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 3536 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6776 cmdline: /c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.okitmall.com/iu4d/"], "decoy": ["abbottdigitalhealthpass.com", "peridot.website", "emmajanetracy.com", "arewedoingenough.com", "mvprunning.com", "xn--939au40bijas7ab2a93s.com", "thehouseofchiron.com", "sqzffn.com", "moretuantired.com", "rosewoodcibubur.com", "warungjitu.com", "armylord.net", "rideequihome.com", "girasol.zone", "getboostphlo.com", "bilradioplaza.com", "japannxt.com", "figulco.com", "insershop.com", "loktantratvnews.com", "healthdatamonitoring.com", "gmopanama.com", "miguelchulia.com", "appexivo.com", "weluvweb.com", "qqcaotv.com", "aleyalifestyle.com", "aratssycosmetics.com", "chestfreezersale.xyz", "gyanumbrella.com", "betbonusuk.com", "dostforimpact.net", "lestlondon.com", "theartsutra.com", "finegiant.com", "zacharypelletier.com", "ux300e.com", "wiglous.club", "adamspartnership.com", "contex33.xyz", "appearwood.club", "3m-mat.com", "runcouver.com", "cqsjny.com", "totubemp3.net", "imagecloudhost.com", "appleadayjuice.com", "energyoutline.com", "yashaerotech.com", "mcleancosmeticgynecology.com", "georgicarealty.com", "sellbulkweed.com", "kardosystems.com", "hubsnewz.com", "ekstrafordunyasi.com", "cymentor.com", "morrealeestates.com", "mumbaihotgirls.club", "beaulaser.com", "aa29996.com", "ankaramasozlerburada.xyz", "otmcleaningservice.com", "rosaandray.com", "omxpro.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (matched strings are listed under each row)
0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings (matched strings are listed under each row)
4.2.hvEop8Y70Y.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.hvEop8Y70Y.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.hvEop8Y70Y.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158a9:$sqlite3step: 68 34 1C 7B E1
        • 0x159bc:$sqlite3step: 68 34 1C 7B E1
        • 0x158d8:$sqlite3text: 68 38 2A 90 C5
        • 0x159fd:$sqlite3text: 68 38 2A 90 C5
        • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
0.2.hvEop8Y70Y.exe.2f43d44.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
4.2.hvEop8Y70Y.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: hvEop8Y70Y.exe | Avira: detected
Found malware configuration
            Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.okitmall.com/iu4d/"], "decoy": ["abbottdigitalhealthpass.com", "peridot.website", "emmajanetracy.com", "arewedoingenough.com", "mvprunning.com", "xn--939au40bijas7ab2a93s.com", "thehouseofchiron.com", "sqzffn.com", "moretuantired.com", "rosewoodcibubur.com", "warungjitu.com", "armylord.net", "rideequihome.com", "girasol.zone", "getboostphlo.com", "bilradioplaza.com", "japannxt.com", "figulco.com", "insershop.com", "loktantratvnews.com", "healthdatamonitoring.com", "gmopanama.com", "miguelchulia.com", "appexivo.com", "weluvweb.com", "qqcaotv.com", "aleyalifestyle.com", "aratssycosmetics.com", "chestfreezersale.xyz", "gyanumbrella.com", "betbonusuk.com", "dostforimpact.net", "lestlondon.com", "theartsutra.com", "finegiant.com", "zacharypelletier.com", "ux300e.com", "wiglous.club", "adamspartnership.com", "contex33.xyz", "appearwood.club", "3m-mat.com", "runcouver.com", "cqsjny.com", "totubemp3.net", "imagecloudhost.com", "appleadayjuice.com", "energyoutline.com", "yashaerotech.com", "mcleancosmeticgynecology.com", "georgicarealty.com", "sellbulkweed.com", "kardosystems.com", "hubsnewz.com", "ekstrafordunyasi.com", "cymentor.com", "morrealeestates.com", "mumbaihotgirls.club", "beaulaser.com", "aa29996.com", "ankaramasozlerburada.xyz", "otmcleaningservice.com", "rosaandray.com", "omxpro.com"]}
Multi AV Scanner detection for submitted file
Source: hvEop8Y70Y.exe | Virustotal: Detection: 25%
Source: hvEop8Y70Y.exe | ReversingLabs: Detection: 29%
Yara detected FormBook
            Source: Yara matchFile source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: hvEop8Y70Y.exe | Joe Sandbox ML: detected
Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
            Source: hvEop8Y70Y.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: hvEop8Y70Y.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: wntdll.pdbUGP source: hvEop8Y70Y.exe, 00000004.00000002.312279182.00000000014B0000.00000040.00000001.sdmp, raserver.exe, 0000000E.00000002.509423103.000000000459F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: hvEop8Y70Y.exe, raserver.exe
            Source: Binary string: RAServer.pdb source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp
            Source: Binary string: RAServer.pdbGCTL source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_02D6158F
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_02D615A0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4x nop then mov dword ptr [ebp-18h], 00000000h0_2_075DFA88
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeCode function: 4x nop then pop edi4_2_00416277
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4x nop then pop edi14_2_00396277

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
            Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 52.58.78.16:80
            Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 52.58.78.16:80
            Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49727 -> 52.58.78.16:80
            Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 198.148.114.222:80
            Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 198.148.114.222:80
            Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49732 -> 198.148.114.222:80
            Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 172.67.187.138:80
            Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 172.67.187.138:80
            Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49735 -> 172.67.187.138:80
            Source: TrafficSnort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.102.136.180:80
            Source: TrafficSnort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.102.136.180:80
            Source: TrafficSnort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49736 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
            Source: Malware configuration extractorURLs: www.okitmall.com/iu4d/
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=C3lw6nN8/wjOPd8oaAysox0kMoLppKhEiaq8wux9+N+u3aHHhZKc4gso1l+tbzGLEbBg&nflLiT=xPJxAxbPf HTTP/1.1Host: www.runcouver.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=uttTwOCOH1jEV+6/PDkH2rgXUcJbpZgk8NMf80qhjrLzhrhL9Yums4YmXY+CUKk4Lsjl&nflLiT=xPJxAxbPf HTTP/1.1Host: www.aa29996.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=JvjSk9WUlBdgONG69H9sib5J4SPt/vPlwOmf1A06UqzVvRJVghpTE97et7kDme6aF6nY&nflLiT=xPJxAxbPf HTTP/1.1Host: www.ux300e.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=7Tv9DsBa2x/9+7rHtb45a2p9TOUpHuLwXvGhoZyRj+FM5Jpy0KtmokI2zSCU3HKaraDa&nflLiT=xPJxAxbPf HTTP/1.1Host: www.mvprunning.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=dTiXV4CFE3yVJbJPtbi4kS8L9e4gDLsfvJEyPJQwpK+wIZV6SF5bJNAnffOAlybNEFfC&nflLiT=xPJxAxbPf HTTP/1.1Host: www.getboostphlo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrA3L99pwBOY&nflLiT=xPJxAxbPf HTTP/1.1Host: www.okitmall.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=y4JxQtggtXVUGlOHrdhsWpYE5Q5QdQRqM5s9avj6g1ZOxqioacxcZohZ3CHAJSRBFHfe&nflLiT=xPJxAxbPf HTTP/1.1Host: www.cqsjny.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT09VD1VuWTt&nflLiT=xPJxAxbPf HTTP/1.1Host: www.betbonusuk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=a4TwvNFJUHZfYjxmJDGfKucvC3Kvi9GvZt2BYG7bsK78eAq1dsPAQngdGmiuB14d735P&nflLiT=xPJxAxbPf HTTP/1.1Host: www.yashaerotech.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: Joe Sandbox ViewIP Address: 52.58.78.16 52.58.78.16
            Source: Joe Sandbox ViewIP Address: 15.165.26.252 15.165.26.252
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: Joe Sandbox ViewASN Name: LEASEWEB-USA-LAX-11US LEASEWEB-USA-LAX-11US
            Source: Joe Sandbox ViewASN Name: AMAZON-02US AMAZON-02US
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=C3lw6nN8/wjOPd8oaAysox0kMoLppKhEiaq8wux9+N+u3aHHhZKc4gso1l+tbzGLEbBg&nflLiT=xPJxAxbPf HTTP/1.1Host: www.runcouver.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=uttTwOCOH1jEV+6/PDkH2rgXUcJbpZgk8NMf80qhjrLzhrhL9Yums4YmXY+CUKk4Lsjl&nflLiT=xPJxAxbPf HTTP/1.1Host: www.aa29996.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=JvjSk9WUlBdgONG69H9sib5J4SPt/vPlwOmf1A06UqzVvRJVghpTE97et7kDme6aF6nY&nflLiT=xPJxAxbPf HTTP/1.1Host: www.ux300e.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=7Tv9DsBa2x/9+7rHtb45a2p9TOUpHuLwXvGhoZyRj+FM5Jpy0KtmokI2zSCU3HKaraDa&nflLiT=xPJxAxbPf HTTP/1.1Host: www.mvprunning.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=dTiXV4CFE3yVJbJPtbi4kS8L9e4gDLsfvJEyPJQwpK+wIZV6SF5bJNAnffOAlybNEFfC&nflLiT=xPJxAxbPf HTTP/1.1Host: www.getboostphlo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=aMD/FfTIFdO3dQr6MUn+t3qhrpMUQuV8ueOBsAqsCPdFlO5Mvx0OM51UzrA3L99pwBOY&nflLiT=xPJxAxbPf HTTP/1.1Host: www.okitmall.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=y4JxQtggtXVUGlOHrdhsWpYE5Q5QdQRqM5s9avj6g1ZOxqioacxcZohZ3CHAJSRBFHfe&nflLiT=xPJxAxbPf HTTP/1.1Host: www.cqsjny.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=FEKq/YHm5wXdiXZSfMYU5a3fJJzC9VYlasV/QaqgSPDk7XU2aTMqxEbJbT09VD1VuWTt&nflLiT=xPJxAxbPf HTTP/1.1Host: www.betbonusuk.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /iu4d/?AR6=a4TwvNFJUHZfYjxmJDGfKucvC3Kvi9GvZt2BYG7bsK78eAq1dsPAQngdGmiuB14d735P&nflLiT=xPJxAxbPf HTTP/1.1Host: www.yashaerotech.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: unknownDNS traffic detected: queries for: www.runcouver.com
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 08 Apr 2021 09:05:22 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeSet-Cookie: __cfduid=dfb3971d4184d632d73a1908cbee311771617872722; expires=Sat, 08-May-21 09:05:22 GMT; path=/; domain=.getboostphlo.com; HttpOnly; SameSite=LaxCF-Cache-Status: DYNAMICcf-request-id: 095253b1640000a8c13d238000000001Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2F802H7kHqNcGEaM19LIsT0HTjHrjpPBTypNS7vtOf80a0axYnOpC46oJeo%2FijRhoiKFT5as3D5%2FwxLegLD2FcS%2FMFN%2BWUhKGAQQySsVBK6%2BbwWISsw%3D%3D"}],"group":"cf-nel"}NEL: {"max_age":604800,"report_to":"cf-nel"}Server: cloudflareCF-RAY: 63ca55623926a8c1-CDGalt-svc: h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400Data Raw: 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 75 34 64 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a Data Ascii: cb<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /iu4d/ was not found on this server.</p></body></html>
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: hvEop8Y70Y.exeString found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
            Source: hvEop8Y70Y.exeString found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, hvEop8Y70Y.exe, 00000000.00000003.246364868.0000000005DCD000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: hvEop8Y70Y.exe, 00000000.00000002.266638944.0000000005DC0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
            Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comX
            Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comcj
            Source: hvEop8Y70Y.exe, 00000000.00000003.238491766.0000000005DDB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comic
            Source: hvEop8Y70Y.exe, 00000000.00000003.238413554.0000000005DDB000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comn
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: hvEop8Y70Y.exe, 00000000.00000003.240959056.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/Li
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: hvEop8Y70Y.exe, 00000000.00000003.240959056.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/omh#?oy
            Source: hvEop8Y70Y.exe, 00000000.00000003.240642231.0000000005DFD000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnd
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//
            Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/6#
            Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/G#Por
            Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/L#Ko
            Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/
            Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/aali
            Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ana
            Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h#wo0
            Source: hvEop8Y70Y.exe, 00000000.00000003.242909574.0000000005DC4000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/rpor
            Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp, hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: hvEop8Y70Y.exe, 00000000.00000003.238351604.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comte
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: hvEop8Y70Y.exe, 00000000.00000003.240127889.0000000005DC9000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krndo
            Source: explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
            Source: hvEop8Y70Y.exe, 00000000.00000003.239195731.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com2
            Source: hvEop8Y70Y.exe, 00000000.00000003.238931392.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comI
            Source: hvEop8Y70Y.exe, 00000000.00000003.239146242.0000000005DDB000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comc
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: hvEop8Y70Y.exe, 00000000.00000002.266687829.0000000005EB0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.289221602.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D6D78 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D6D70 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_004181B0 NtCreateFile
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_00418260 NtReadFile
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_004182E0 NtClose
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_00418390 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519910 NtAdjustPrivilegesToken,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015199A0 NtCreateSection,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519840 NtDelayExecution,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519860 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015198F0 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519A50 NtCreateFile,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519A00 NtProtectVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519A20 NtResumeThread,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519540 NtReadFile,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015195D0 NtClose,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519710 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519FE0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519780 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015197A0 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519660 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015196E0 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519950 NtQueueApcThread
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015199D0 NtCreateProcessEx
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0151B040 NtSuspendThread
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519820 NtEnumerateKey
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015198A0 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519B00 NtSetValueKey
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0151A3B0 NtGetContextThread
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519A10 NtQuerySection
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519A80 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519560 NtWriteFile
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0151AD30 NtSetContextThread
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519520 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015195F0 NtQueryInformationFile
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0151A770 NtOpenThread
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519770 NtSetInformationFile
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519760 NtOpenProcess
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0151A710 NtOpenProcessToken
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519730 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519650 NtQueryValueKey
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519670 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01519610 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015196D0 NtCreateKey
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9840 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9860 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9540 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9910 NtAdjustPrivilegesToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E95D0 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E99A0 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9650 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9A50 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9660 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E96D0 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E96E0 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9710 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9FE0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9780 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044EB040 NtSuspendThread
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E98F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E98A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9560 NtWriteFile
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044EAD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E99D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E95F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9610 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9A10 NtQuerySection
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9A20 NtResumeThread
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9760 NtOpenProcess
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9770 NtSetInformationFile
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044EA770 NtOpenThread
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9B00 NtSetValueKey
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044EA710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E9730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044E97A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044EA3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_003981B0 NtCreateFile
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_00398260 NtReadFile
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_003982E0 NtClose
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_00398390 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_008BA9EA
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_008BDCE7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_008BE078
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_02CFC2B0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_02CF9990
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_02D61830
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_02D60448
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D5360
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075DBF98
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D2060
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D78F8
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D534F
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D1378
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D2B60
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D8B10
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D2B29
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D8B20
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D1BD8
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D8FF2
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D1BE8
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D1388
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D1E48
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D1E38
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D7E30
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D19B0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D19A0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D2050
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D0810
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D0801
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D9000
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D78F4
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_075D78AA
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_008BAAC7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 0_2_008BAA54
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_00401030
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041B960
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041C212
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041CB21
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_00408C50
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041B493
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_00402D88
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_00402D90
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041CE0C
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0041CF16
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_00402FB0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_009AE078
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_009AA9EA
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_009ADCE7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014DF900
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014F4120
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01591002
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A28EC
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014EB090
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015020A0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A20A8
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A2B28
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0159DBD2
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0150EBB0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A22AE
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A1D55
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A2D07
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014D0D20
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A25DD
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014ED5E0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_01502581
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0159D466
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014E841F
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A1FF1
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_0159D616
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_014F6E30
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_015A2EF7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_009AAA54
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: 4_2_009AAAC7
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0456D466
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_04561002
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044B841F
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_045728EC
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044BB090
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044D20A0
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_045720A8
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_04571D55
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044AF900
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_04572D07
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044A0D20
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044C4120
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_045725DD
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044BD5E0
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044D2581
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044C6E30
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_04572EF7
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_045722AE
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_04572B28
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0456DBD2
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_04571FF1
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_044DEBB0
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0039CB21
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_00388C50
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_00382D90
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_00382D88
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0039CE0C
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_0039CF16
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: 14_2_00382FB0
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | Code function: String function: 014DB150 appears 35 times
            Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 044AB150 appears 35 times
            Source: hvEop8Y70Y.exe, 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000000.00000000.234604097.0000000000952000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameHebrewValue.exe4 vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000000.00000002.272029106.0000000008BE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000004.00000002.310678097.0000000000A42000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameHebrewValue.exe4 vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000004.00000002.311914487.0000000001253000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe, 00000004.00000002.312736573.000000000175F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe | Binary or memory string: OriginalFilenameHebrewValue.exe4 vs hvEop8Y70Y.exe
            Source: hvEop8Y70Y.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000E.00000002.505716758.0000000000730000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.311261604.00000000011B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.311590903.00000000011E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.262152823.0000000003FD3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.310331740.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000E.00000002.504377982.0000000000380000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000E.00000002.507153893.0000000000C80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.hvEop8Y70Y.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.hvEop8Y70Y.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: hvEop8Y70Y.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@12/7
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hvEop8Y70Y.exe.log
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeMutant created: \Sessions\1\BaseNamedObjects\TItEGneTqYuzerdV
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_01
            Source: hvEop8Y70Y.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmpBinary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmpBinary or memory string: Select * from Clientes WHERE id=@id;;
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmpBinary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmpBinary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: hvEop8Y70Y.exe, 00000000.00000002.261538858.0000000002F11000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
            Source: hvEop8Y70Y.exeVirustotal: Detection: 25%
            Source: hvEop8Y70Y.exeReversingLabs: Detection: 29%
            Source: unknownProcess created: C:\Users\user\Desktop\hvEop8Y70Y.exe 'C:\Users\user\Desktop\hvEop8Y70Y.exe'
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeProcess created: C:\Users\user\Desktop\hvEop8Y70Y.exe C:\Users\user\Desktop\hvEop8Y70Y.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
            Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeProcess created: C:\Users\user\Desktop\hvEop8Y70Y.exe C:\Users\user\Desktop\hvEop8Y70Y.exeJump to behavior
            Source: C:\Windows\SysWOW64\raserver.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\hvEop8Y70Y.exe'Jump to behavior
            Source: C:\Users\user\Desktop\hvEop8Y70Y.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: hvEop8Y70Y.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: hvEop8Y70Y.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: wntdll.pdbUGP source: hvEop8Y70Y.exe, 00000004.00000002.312279182.00000000014B0000.00000040.00000001.sdmp, raserver.exe, 0000000E.00000002.509423103.000000000459F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: hvEop8Y70Y.exe, raserver.exe
            Source: Binary string: RAServer.pdb source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp
            Source: Binary string: RAServer.pdbGCTL source: hvEop8Y70Y.exe, 00000004.00000002.312209416.0000000001440000.00000040.00000001.sdmp